** VIDEO GUIDE How to setup a Bitwarden Server to use as your Password manager **



So far everything seems to be working. LetsEncrypt has the certs all set up. Routing from my subdomain through to Nginx seems to all work. However, when accessing from inside my network I cannot access the subdomain -- the browser never loads the page. When I access from outside the network, the login page loads. If I then switch back to access from inside the network, the login page is displayed.

 

To me this suggests that some part of the login page is not available from inside my network, but is subsequently cached in the browser when accessed from outside the network, which then allows internal access to function.

 

I'm using OpnSense as my firewall, and have NAT Reflection turned on for both port forwarding rules. However, OpnSense options here are a little different to pfSense, so perhaps an alternate option is required? In particular, OpnSense auto-creates a Filter Rule association.

 

Anyone have any suggestions for enabling access from within my internal network?

 

3 hours ago, Nepherim said:

I'm using OpnSense as my firewall, and have NAT Reflection turned on for both port forwarding rules. However, OpnSense options here are a little different to pfSense, so perhaps an alternate option is required? In particular, OpnSense auto-creates a Filter Rule association.

 

Anyone have any suggestions for enabling access from within my internal network?

Looks like this is a known thing with OpnSense. Implementing the changes recommended here appears to get things working. Basically, in OpnSense, Firewall > Settings > Advanced, enable:

  • Reflection for port forwarding
  • 1:1 reflection
  • Automatic outbound NAT for reflection NAT

 

Then add your NAT Redirection rules, Firewall > NAT > Port Forwarding:

  • WAN TCP * * WAN address 443  (HTTPS) <<UNRAID SERVER IP>> 1443 (HTTPS) Name
  • WAN TCP * * WAN address 80 (HTTP) <<UNRAID SERVER IP>> 180 (HTTP) Name

As always a great video. It made things so simple for me.

 

Recently I was trying to set up accounts for the rest of my family, and when I sent invites I got an error message saying "error inviting user, Smtp error".

 

I have deleted the invites and restarted Bitwarden without any luck.

 

 

Edited by Beaker69

Update: while the "Sign Up" button is still there, after filling out the form, it says "signups disabled." So I guess that's all good.

 

Has anyone addressed these other setup issues I saw in the Bitwarden log file?

Quote

[WARNING] The following environment variables are being overriden by the config file,
[WARNING] please use the admin panel to make changes to them:
[WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

Spaceinvader does talk about disabling Signups (?) in the video, but doesn't hit on these other things.

Edited by dkerlee
SOLVED issue

Hi all,

 

An odd issue: when accessing /admin and supplying the token, pressing submit redirects me to http://localhost/admin (that doesn't work!!!).

 

I can access Bitwarden locally via IP/port and externally via my domain.  In all instances, the site loads successfully, but the moment I hit enter after sticking in the token, bang, it redirects to localhost.

 

Any suggestions?

3 hours ago, faicec said:

Hi all,

 

An odd issue: when accessing /admin and supplying the token, pressing submit redirects me to http://localhost/admin (that doesn't work!!!).

 

I can access Bitwarden locally via IP/port and externally via my domain.  In all instances, the site loads successfully, but the moment I hit enter after sticking in the token, bang, it redirects to localhost.

 

Any suggestions?

After you press submit and get the page error, change the address in the browser tab to http://<your IP address>/admin and hit enter. Don't open a new tab or anything; use the tab with the page error.

20 minutes ago, jonathanm said:

After you press submit and get the page error, change the address in the browser tab to http://<your IP address>/admin and hit enter. Don't open a new tab or anything; use the tab with the page error.


Amazing, that did the trick!  Thanks for the pointer 👍

12 minutes ago, faicec said:


Amazing, that did the trick!  Thanks for the pointer 👍

I have something similar set up on purpose / accidentally.  Think of it as extra security through obscurity. I block the admin page from WAN access, so the only way I can open it is locally with the IP directly, but when I access the domain it redirects. So I do the same thing, hit submit, retype, go.


How do I enable AUTO-SYNC?

 

Thanks for guide. Very helpful. Got it all working.

It appears that the Bitwarden clients (iOS, Mac, Firefox extension) are NOT auto-syncing with the db. I have to manually push "SYNC NOW" every time I want data to be updated. For example, when I input data on the Bitwarden website (hosted on my server), I then have to manually sync on my iPhone to get all the updates.

 

Is this a bug or is there a workaround?

 

(Btw, for others who have issues, make sure your OS and all apps on all devices are up to date. That was a major issue in my case. Also make sure you add the bitwarden subdomain to LetsEncrypt's -> edit docker -> "Subdomains" field.)

On 7/18/2020 at 8:39 PM, emod said:

(Btw, for others who have issues, make sure your OS and all apps on all devices are up to date. That was a major issue in my case. Also make sure you add the bitwarden subdomain to LetsEncrypt's -> edit docker -> "Subdomains" field.)

OH MAN! I could not figure out why I could not get Safari or the iOS app to work, and it's all because of the final sentence here. I forgot to add the subdomain into LE. THANK YOU!


Hi,

I've got as far as being able to get to the admin page via my domain.

When trying to send a test email, I get the following error:

 

Error sending SMTP test email

SMTP IO error: incomplete

 

Anyone know what this means?

 

There seem to be some boxes which were not in the original video:

SMTP Auth mechanism

Server name sent during HELO

 

Not sure if these need something?

 

To add, if I use:

Port for SSL: 465, it times out.

Port for TLS: 587, it errors out saying my credentials are bad.

 

The other error message I seem to get with Force TLS and port 587 is:

Error sending SMTP test email

SMTP IO error: error:1408F10B:SSLroutine:ssl3_get-record:wrong version number:../ssl/record/ssl3_record.c:332:

Edited by daveo132
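The two failures daveo132 reports, a timeout on 465 and "wrong version number" on 587, match the mirror-image symptoms of a mail client whose TLS mode is swapped relative to the port's usual convention (465 implicit TLS, 587 STARTTLS). The Python below is an added example, not from this thread or from the Bitwarden/vaultwarden project; the host name and greeting are constructed, and only probe_smtp_port needs network access.

```python
import socket
import ssl

# Constructed greeting (not captured from any real server): a STARTTLS port such
# as 587 talks first, in clear, and only upgrades to TLS after the STARTTLS verb.
PLAINTEXT_BANNER = b"220 smtp.example.net ESMTP ready\r\n"

def classify_first_bytes(first: bytes) -> str:
    """STARTTLS ports greet with '220 ...'; implicit-TLS ports (465) stay silent."""
    if first[:3].isdigit() and first[3:4] in (b" ", b"-"):
        return "starttls"
    if not first:
        return "implicit-tls"
    return "unknown"

def expected_symptom(client_mode: str, port_mode: str) -> str:
    """Predict the failure when the client's TLS mode and the port's convention differ."""
    if client_mode == port_mode:
        return "tls ok"  # anything still failing is authentication or relay policy
    if client_mode == "implicit-tls":
        # The client sends a ClientHello, the server answers "220 ..." in clear, and
        # OpenSSL parses "2" / "20" as a bogus TLS record type and version.
        return "wrong version number"
    # A STARTTLS client waits for a banner; an implicit-TLS server waits for a ClientHello.
    return "timeout"

def probe_smtp_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check (needs network): connect without TLS and see what arrives first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(64)
        except socket.timeout:
            first = b""
    return classify_first_bytes(first)

def reproduce_wrong_version_number() -> str:
    """Offline reproduction: a TLS client handshakes with a peer that greets in plaintext."""
    client_end, server_end = socket.socketpair()
    server_end.sendall(PLAINTEXT_BANNER)  # the 'server' side talks first, unencrypted
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(client_end, do_handshake_on_connect=False) as tls:
            tls.do_handshake()
        return "handshake completed"
    except ssl.SSLError as exc:
        return exc.reason or str(exc)
    finally:
        server_end.close()
```

Run probe_smtp_port against your provider's 465 and 587 to confirm which mode each port expects, then pick the matching TLS setting in the admin panel; a remaining "bad credentials" error on the correct port is an authentication problem, not a TLS one.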

It's been a while since I've looked at these settings. They're buried in the initial bitwarden setup page that has some real long text string in a json file maybe? 

 

Generally speaking, you can use Gmail for your email needs. Both sending and receiving stuff. When you give a weird little program access to send mail on your behalf, you need to change some specific settings inside Gmail. 

 

https://support.google.com/mail/answer/7126229?hl=en

 

Be sure to follow these 👆 directions to enable external access to smtp and imap for the Gmail account you're using. The default settings are OFF. 

2 hours ago, dkerlee said:

Be sure to follow these 👆 directions to enable external access to smtp and imap for the Gmail account you're using. The default settings are OFF. 

Yup I encountered that. I got notifications that a login was detected that didn't meet their security standards. Perhaps I'll make a one off gmail account for this purpose. Thanks!

On 1/20/2021 at 6:04 AM, J05u said:

Can't access it with my subdomain :( don't know what is wrong

Can you list the things you did? E.g.

  1. Your DNS provider
    1. Did you add a CNAME at your DNS provider (SUBDOMAIN.mydomain.com points to mydomain.com)?
    2. Does the "A" record point to your IP address?
  2. In SWAG/Letsencrypt did you:
    1. Modify the file in appdata->swag->nginx->proxy-conf/bitwarden.subdomain.config? If so, what did you modify?
    2. UNRAID->swag docker->Edit -> Add SUBDOMAIN to the "Subdomain(s)" field? If so, check the log of swag. Does the log end with the "Server ready" message? Does the log contain any errors?
    3. Does the container name within the bitwarden.subdomain.config file match the docker name? Both names must match.
  3. Did you make any changes to the UNRAID/appdata/bitwarden/config.json file? If yes, what changes?
  4. How did you try to access Bitwarden? Via smartphone or browser?
    1. Smartphone: your server address should start with https (not http).

 

Edited by tmor2
15 hours ago, tmor2 said:

Can you list the things you did? E.g.

  1. Your DNS provider
    1. Did you add a CNAME at your DNS provider (SUBDOMAIN.mydomain.com points to mydomain.com)?
    2. Does the "A" record point to your IP address?
  2. In SWAG/Letsencrypt did you:
    1. Modify the file in appdata->swag->nginx->proxy-conf/bitwarden.subdomain.config? If so, what did you modify?
    2. UNRAID->swag docker->Edit -> Add SUBDOMAIN to the "Subdomain(s)" field? If so, check the log of swag. Does the log end with the "Server ready" message? Does the log contain any errors?
    3. Does the container name within the bitwarden.subdomain.config file match the docker name? Both names must match.
  3. Did you make any changes to the UNRAID/appdata/bitwarden/config.json file? If yes, what changes?
  4. How did you try to access Bitwarden? Via smartphone or browser?
    1. Smartphone: your server address should start with https (not http).

 

As I said above, for some strange reason it's working on my iOS devices only when I have a VPN turned on, even AdGuard VPN, which is not changing my IP.

5 hours ago, J05u said:

As I said above, for some strange reason it's working on my iOS devices only when I have a VPN turned on, even AdGuard VPN, which is not changing my IP.

In your UNRAID/appdata/bitwarden/config.json file, 2nd line, "domain"...does your value start with http or https?

13 hours ago, tmor2 said:

In your UNRAID/appdata/bitwarden/config.json file, 2nd line, "domain"...does your value start with http or https?

I don't know what was wrong, but at the moment it's started working without VPN. I haven't made any changes at all, and the file was left default like in the SpaceInvader guide.

On 1/27/2021 at 5:28 AM, J05u said:

I don't know what was wrong, but at the moment it's started working without VPN. I haven't made any changes at all, and the file was left default like in the SpaceInvader guide.

 

Good. Check the file UNRAID/appdata/bitwarden/config.json, 2nd line, "domain".

If your domain doesn't start with https, change it so it does. Otherwise you won't be able to download any uploaded attachments (in the Bitwarden identity or other sections) to your smartphone/tablet/PC.


I set up my letsencrypt ages ago and it is in 'bridge' mode, so I cannot change bitwarden to proxy mode. I think I will need to recreate my letsencrypt, as external browsing to my bitwarden duckdns domain navigates to the default 'Welcome to our server' nginx splash page.

 

EDIT - right, I think I have broken it now! I now get this screen for nextcloud and bitwarden:

 

I have reconfigured my swag (letsencrypt) so that it now uses a proxy network. I have no errors in the logs for swag, nextcloud and bitwarden, and the external URLs all get the above screen but with their correct URL. So I think I must have my default apache or nginx configured incorrectly. Does anyone know how to factory reset this?

 

EDIT2 - OK, ignore me, it seems it is caching the URL (even though I am doing a CTRL+F5), and if I try in another browser it now works as intended.

 

EDIT3 - Does anyone know how to disable the email alerts for when someone logs into the vault?

Edited by showstopper

Has anybody experienced an issue where SWAG (formerly "LetsEncrypt") will inexplicably stop resolving the secure connection when using duckdns? I've been setting up Bitwarden using SWAG as my reverse proxy. I've properly forwarded my ports and I'm confident that I've correctly configured SWAG, BitWarden, and the necessary .conf files. I will check the SWAG log and it will say "Server Ready" for all of my duckdns subdomains. Life is good. I can access BW from my internal computers, my phone, and my work computer.

 

Then, things will just stop working... I can no longer access BW using the duckdns link.  The log file will start saying "Certificate Not Found, etc".  Nothing has changed in my config... I'll restart my router, the NAS, and restart the SWAG docker a few times.  Then - just as I'm pulling my hair out - I'll go for a run or walk the dog and come back to find that everything is working again.

 

Is duckdns not reliable? Is anybody else experiencing this issue?

Edited by perfect