[support] Vaultwarden (formerly Bitwarden_rs)


I did consider that way when I did my post, and my conclusion is still that it should not be able to be reached outside of the LAN. I have the port mapped, so I can reach it outside of the reverse proxy; if that's not the case for you, doing an allow/deny is the next best option, outside of just disabling the admin panel in the container.

Link to comment
Hi everybody,
Did anyone already try to set up a fully local self-hosted bitwarden (without any Let's Encrypt) and make it work with Android?
 
I have the bitwarden docker running on my Unraid, reachable in all web browsers through https://tower:18443/bitwarden (including web browsers on my phone) thanks to a self-signed certificate with a self CA. The only thing I can't get working is the bitwarden Android app, which throws me a "Trust anchor for certification path not found" error even though I've imported the CA certificate.
 
Here is how I generate my stuff:
# >>>>> CA Key
openssl genrsa -des3 -out towerrootCA.key 4096
# >>>>> CA Cert
openssl req -x509 -new -nodes -key towerrootCA.key -sha256 -extensions v3_ca -config conf.file -days 365 -out towerrootCA.crt
# >>>>> Server Key
openssl genrsa -out tower.key 2048
# >>>>> Server csr
openssl req -new -sha256 -key tower.key -subj "/C=FR/ST=FR/O=MyNas/CN=tower" -extensions v3_req -out tower.csr
# >>>>> Server cert (signed by the CA, with the v3_req extensions from conf.file)
openssl x509 -req -in tower.csr -CA towerrootCA.crt -CAkey towerrootCA.key -CAcreateserial -out tower.crt -extensions v3_req -days 365 -sha256 -extfile conf.file
# >>>>> Full chain handed to the server: leaf first, then the CA
cat tower.crt towerrootCA.crt > finalcertif.crt

 
With my config.file :

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
ST = FR
L = Local
O = MyNas
OU = MyNas
CN = tower

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# reference to the [alt_names] section below (the "u/alt_names" in the original post was the forum mangling "@alt_names")
subjectAltName = @alt_names

[alt_names]
DNS.1 = tower
DNS.2 = tower.local
# a DNS SAN holds a host name only; "tower:18443" (host plus port) is not a valid entry, so it is commented out
# DNS.3 = tower:18443

 
Thank you for help, have a good day,


If it is anything like the iOS app, it keeps its own chain of certs
Link to comment
Why? I currently am using the method recommended with the post at the top of every page, but if you convince me, I'll switch the recommendation, or recommend both posts.
 
I haven't taken the time to look at the differences, so don't be offended, I'm genuinely curious, just not curious enough to do the work myself.
 

They both do the work, and cater to different scenarios. My reasoning for my suggestion is that I don't want to be able to reach /admin at all with my reverse proxy.
Another thing to think about is the resulting error code, where my suggestion gives a 404, while the deny gives a 403. A 403 might say to a potential attacker that there is something there (you could have it respond with a 404 instead).
Link to comment
6 hours ago, Roxedus said:


If it is anything like the iOS app, it keeps its own chain of certs

Hello, what do you mean by that? I do provide the concatenation of server cert + CA cert; my gut tells me that it is more a URL issue than a certificate problem.

 

Do you guys reach your bitwarden instance through the android app thanks to a simple domain or thanks to a domain with port or path like me ? (https://tower:18443/bitwarden)

Link to comment
8 hours ago, Roxedus said:


They both do the work, and cater to different scenarios. My reasoning for my suggestion is that I don't want to be able to reach /admin at all with my reverse proxy.
Another thing to think about is the resulting error code, where my suggestion gives a 404, while the deny gives a 403. A 403 might say to a potential attacker that there is something there (you could have it respond with a 404 instead).

 

The problem with the 404 method is that if you use a custom network (say PROXYNET for dockers that can be reached from outside), then you cannot (well, I couldn't!) reach the /admin endpoint from inside either.

 

I have made some changes regarding the 403/401 error codes and now use this.... (based on an old bitwarden template)
 

#BITWARDEN
# make sure that your domain's DNS has a CNAME or A record set for the subdomain bitwarden
# This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
# However the container name is expected to be "bitwardenrs", as it is by default in the template, because this name is used to resolve.
# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" and also remove the "resolver 127.0.0.11 valid=30s;" line

resolver 127.0.0.11 valid=30s;
upstream bitwarden {
    server bitwardenrs:80;
}


server {
    listen 443 ssl;
    server_name bitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    # return error code 404 if 401 or 403 would be returned, to hide the admin endpoint
    # the "=404" is what changes the status code; without it nginx keeps the original 403 and only swaps the body
    # no need to create the 404.html file unless you want to customise
    error_page 401 403 404 =404 /404.html;

    location /admin {
        # allow LAN access (match your IP range)
        allow 192.168.1.0/24;
        # allow VPN access (match your IP range)
        allow 10.0.10.0/24;
        # BLOCK all other access
        deny all;
        proxy_pass http://bitwarden;
    }

    location / {
        proxy_pass http://bitwarden;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # websocket endpoint used by the clients for live sync notifications
    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden;
    }
}

 

Edited by spants
Link to comment
2 hours ago, spants said:

The problem with the 404 method is that if you use a custom network (say PROXYNET for dockers that can be reached from outside), then you cannot (well, I couldn't!) reach the /admin endpoint from inside either.

It really should work if you map the port.

Link to comment

Can someone explain to me why I am forced to use https with Bitwardenrs (it wasn't so with the old container)? My server has no connection to the Internet whatsoever, all my Docker apps are also only allowed inside my net, my ISP is not able/willing to give me access from outside (this is a University thing, no DDNS, no port-forwarding, no nothing...), the only way to reach all this from outside is via a Win-PC with ZeroTier VPN, from which I use my apps then. Bitwarden is mobile on my iPhone with cached credentials if I need passwords on the move, so for me it makes not the slightest sense being forced into this security; I don't need an Intranet-CA, certs, whatever... Is there any solution to this, is there any way to be able to log in to the admin web page from Bitwarden without all this hassle, or am I missing something? Thanks in advance.

Link to comment
Can someone explain to me why I am forced to use https with Bitwardenrs (it wasn't so with the old container)? My server has no connection to the Internet whatsoever, all my Docker apps are also only allowed inside my net, my ISP is not able/willing to give me access from outside (this is a University thing, no DDNS, no port-forwarding, no nothing...), the only way to reach all this from outside is via a Win-PC with ZeroTier VPN, from which I use my apps then. Bitwarden is mobile on my iPhone with cached credentials if I need passwords on the move, so for me it makes not the slightest sense being forced into this security; I don't need an Intranet-CA, certs, whatever... Is there any solution to this, is there any way to be able to log in to the admin web page from Bitwarden without all this hassle, or am I missing something? Thanks in advance.

It all boils down to security. For the webpage, it is a limitation set by the browser. And for the apps, it's a decision by bitwarden.
Link to comment
On 2/8/2021 at 11:32 PM, Roxedus said:


It all boils down to security. For the webpage, it is a limitation set by the browser. And for the apps, it's a decision by bitwarden.

That's clear to me. Is any Intranet-CA/cert solution then known, that doesn't cost a fortune? Which a noob like me can deploy, on UNRAID for Bitwarden, WordPress etc. dockers?

Link to comment
On 2/8/2021 at 4:47 PM, 40foot said:

this is a University thing

 

it makes not the slightest sense being forced to this security

 

So I would suggest to you that https security is rather important for you since you are on a university LAN... ANYONE on the network could intercept your traffic and potentially do whatever they wanted with it. 

Link to comment
On 2/10/2021 at 12:37 PM, Energen said:

 

So I would suggest to you that https security is rather important for you since you are on a university LAN... ANYONE on the network could intercept your traffic and potentially do whatever they wanted with it. 

no, my ISP is a University company - has nothing to do with the University network - not at all. But let's say this is of no concern for me anymore, because after updating to the newest Big Sur/Safari I can login again - without https... interestingly

Link to comment
On 2/11/2020 at 7:14 PM, kilobit said:

Ok, here is everything you need to do to get this working.

 

First edit bitwarden container then click on "advanced"
 

Extra Parameters:    


 -e LOG_FILE=/log/bitwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true

Then add path:
container path: /log
host path: /mnt/user/syslog (unraid share you want bitwarden to log to)
access mode: read/write

#apply/done

 

Next edit letsencrypt container

then add path:
container path: /log
host path: /mnt/user/syslog (unraid share you want bitwarden to log to)
access mode: read/write
#apply/done

 

Now edit ../appdata/letsencrypt/fail2ban/jail.local
* at the BOTTOM of the file add:


[bitwarden]
enabled = true
port = http,https
filter = bitwarden
action = iptables-allports[name=bitwarden]
logpath = /log/bitwarden.log
maxretry = 3
bantime = 14400
findtime = 14400

#save/close


Then create and edit ../appdata/letsencrypt/fail2ban/filter.d/bitwarden.conf and add:


[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

#save and close

#restart letsencrypt container

 

***Testing
Use your phone or something outside your lan and once you fail 3 logins you will be banned.

 

To show banned ips and unban enter the letsencrypt console from the docker window.
Lists banned ips:     iptables -n -L --line-numbers

Unbans ip:     fail2ban-client set bitwarden unbanip 107.224.235.134
exit

-End

The only issue I have had with this setup is that on SWAG, when restarting, the .conf file reverts to normal... I was able to solve it by creating a new .conf file named bitwarden2.conf and changing the respective names above. I did try creating a .local file as per SWAG but could not figure out where to put it...

 

now to get emby and nextcloud setup with fail2ban... any suggestions?

Link to comment

I just migrated to this today from LastPass and it works great so far. What's a good practice for backing up my password database. It's just me, a single user. I like the idea of being able to keep a USB stick with the exported encrypted json. If my Unraid server craps the bed, can I spin up a new Bitwarden container and be fine as long as I have my master password and the encrypted json? The encryption key stuff on the bitwarden support page confused me.

Link to comment
1 minute ago, ChadwickTheCrab said:

I just migrated to this today from LastPass and it works great so far. What's a good practice for backing up my password database. It's just me, a single user. I like the idea of being able to keep a USB stick with the exported encrypted json. If my Unraid server craps the bed, can I spin up a new Bitwarden container and be fine as long as I have my master password and the encrypted json? The encryption key stuff on the bitwarden support page confused me.

Following :)  Also just switching over from lastpass  

 

Link to comment

Hi all... So I have read through all 11 pages here.   By the way thanks @Roxedus..  

 

My problem I am having is that within the Bitwarden  log I am getting the following error... .   Within the unraid docker container editor I do have the Signups_allowed set to FALSE...  I have tried to under the general setting select "Default:false" for allow new signups  saving..  but still get error...

 

My problem is that when I am on the reverse proxy page for bitwarden... I am still given the option to signup.. which I don't want. 

 

 

[WARNING] The following environment variables are being overriden by the config file,
[WARNING] please use the admin panel to make changes to them:
[WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

 

Link to comment
13 hours ago, drugdoctor said:

How can I do this with DNS instead of port forwarding?  I tried to use spaceinvaders subdomain file but get the following error.

 

nginx: [emerg] host not found in upstream "bitwardenrs:80" in /config/nginx/proxy-confs/bitwarden.subdomain.conf:9

 

The bitwarden.subdomain.conf he provides in his video.

If you are using swag, use the sample in swag. 

Link to comment
1 hour ago, ChadwickTheCrab said:

I just migrated to this today from LastPass and it works great so far. What's a good practice for backing up my password database. It's just me, a single user. I like the idea of being able to keep a USB stick with the exported encrypted json. If my Unraid server craps the bed, can I spin up a new Bitwarden container and be fine as long as I have my master password and the encrypted json? The encryption key stuff on the bitwarden support page confused me.

I just use CA backup, then rclone that archive to the cloud. 

Link to comment
12 minutes ago, Aceriz said:

Hi all... So I have read through all 11 pages here.   By the way thanks @Roxedus..  

 

My problem I am having is that within the Bitwarden  log I am getting the following error... .   Within the unraid docker container editor I do have the Signups_allowed set to FALSE...  I have tried to under the general setting select "Default:false" for allow new signups  saving..  but still get error...

 

My problem is that when I am on the reverse proxy page for bitwarden... I am still given the option to signup.. which I don't want. 

 

 

[WARNING] The following environment variables are being overriden by the config file,
[WARNING] please use the admin panel to make changes to them:
[WARNING] SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

 

And signup is disallowed in the admin panel?

Link to comment
7 minutes ago, Aceriz said:

I have tried having the box ticked and not ticked.... saved inbetween with reset of docker  each time without any difference...

 


 

Just checked the wiki
 

Quote

Note that when SIGNUPS_ALLOWED=false, the Create Account button will still be shown in the web vault UI, but actually attempting to create an account will result in an error message. Upstream Bitwarden isn't designed to allow disabling signups, so this can't be worked around easily.

 

Link to comment
2 minutes ago, Roxedus said:

 

Just checked the wiki
 

 

Oh wow... So I thought that the fact that I could create account meant  it wasn't working...   I actually just did a test creation with the box unticked.... and got the error!!!

 

 

On another note...  for protecting the /admin page.... thought I would comment that i used the default SWAG config file with appropriate edits.. which does have the /admin exposed via reverse proxy. but then I  added and configured the fail2ban as per the last post on the 1st page of this forum.. which then appears to protect me  from brute force attacks.. 

Link to comment
3 minutes ago, Aceriz said:

On another note...  for protecting the /admin page.... thought I would comment that i used the default SWAG config file with appropriate edits.. which does have the /admin exposed via reverse proxy. but then I  added and configured the fail2ban as per the last post on the 1st page of this forum.. which then appears to protect me  from brute force attacks.. 

the admin panel needs another regex to catch failed attempts 

Link to comment
58 minutes ago, Roxedus said:

the admin panel needs another regex to catch failed attempts

do you think you could explain how to go about that?  .... still very new...

 

I am assuming that it will be the addition of something within the bitwarden2.conf file within filter.d

 

currently trying to add something like this line 3 as the error in the bitwarden log is  "[2021-02-17 15:00:43.181][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: xxx.xxx.xxx.xxx"

 

# Fail2Ban filter for Bitwarden
# Detecting failed login attempts (vault login and /admin token)
# Logged in /log/bitwarden.log (the LOG_FILE set in the container's extra parameters)

[INCLUDES]
before = common.conf

[Definition]
# fail2ban regexes are case sensitive: the logged line is "Invalid admin token. IP: x.x.x.x"
# with a capital I and no period after the address, so the admin pattern must match that text
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
            ^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. <HOST>$
            ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =

Edited by Aceriz
additional information
Link to comment
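An offline check of the failregex lines from the two filter.d/bitwarden.conf posts in this thread (kilobit's login filter and the extended one above), added here as an example and not part of either post: it substitutes a simplified IPv4-only group for fail2ban's <ADDR>/<HOST>, runs the patterns over constructed log lines modelled on the ones quoted, and shows why the lowercase, trailing-period variant of the admin line matches nothing.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> and <ADDR> with its own address-matching group when it
# loads a filter; this IPv4-only stand-in is an assumption so the regexes can be
# exercised without fail2ban installed.
ADDR_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex lines of filter.d/bitwarden.conf, with the admin-token line
# written to match the logged text (capital "I", no period after the IP).
FAILREGEX = [
    r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$",
    r"^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. <HOST>$",
    r"^.*Invalid admin token\. IP: <ADDR>.*$",
]

# Constructed sample of /log/bitwarden.log, modelled on the lines quoted in the
# thread; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = [
    "[2021-02-17 15:00:43.181][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.10",
    "[2021-02-17 15:00:51.002][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.10",
    "[2021-02-17 15:01:02.004][bitwarden_rs::api::identity][ERROR] Username or password is incorrect. Try again. IP: 198.51.100.7. Username: alice@example.com.",
    "[2021-02-17 15:01:09.377][_][INFO] Rocket has launched from http://0.0.0.0:80",
    "[2021-02-17 15:01:20.640][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.10",
]


def compile_failregex(patterns):
    """Turn fail2ban-style patterns into Python regexes (case-sensitive, as fail2ban is)."""
    return [re.compile(p.replace("<ADDR>", ADDR_RE).replace("<HOST>", ADDR_RE)) for p in patterns]


def match_failures(lines, patterns=FAILREGEX):
    """Return the client IP of every line that at least one failregex matches."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append(m.group("host"))
                break
    return hits


def ips_to_ban(lines, patterns=FAILREGEX, maxretry=3):
    """IPs with at least maxretry matched failures (the findtime window is ignored here)."""
    counts = Counter(match_failures(lines, patterns))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("failures:", match_failures(SAMPLE_LOG))
    print("would ban with maxretry=3:", ips_to_ban(SAMPLE_LOG))
    # The admin line as first posted (lowercase, period required) misses every admin failure:
    print("lowercase variant:", match_failures(SAMPLE_LOG, [r"^.*invalid admin token\. IP: <ADDR>\."]))
```

On a real box, fail2ban ships `fail2ban-regex`, which runs a filter file against a log in the same way and prints which lines matched.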

Greetings folks! New unraid user and recently dropped lastpass and am trying to use bitwarden and swag in a docker container. I am able to run the chrome extension for bitwarden on the PC if I log in to the bitwarden server ahead of time with the browser. Otherwise I received the unable to fetch error. I assume once I get the extension working it will not need attention again. My current problem is getting the app on my phones (android) to connect. I am able to access my server through the browser on the phone but the app continues to refuse the connection. (Exception message:Hostname bitwarden.xxxx.duckdns.org not verfied) I followed Spaceinvaders youtube pretty much. Looking for a suggestion to help tackle the phone :)

Edited by bclinton
Link to comment
  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
