[support] Vaultwarden (formerly Bitwarden_rs)



2 minutes ago, bclinton said:

Greetings folks! New unraid user and recently dropped lastpass and am trying to use bitwarden and swag in a docker container. I am able to run the chrome extension for bitwarden on the PC if I log in to the bitwarden server ahead of time with the browser. Otherwise I received the unable to fetch error. I assume once I get the extension working it will not need attention again. My current problem is getting the app on my phones (android) to connect. I am able to access my server through the browser on the phone but the app continues to refuse the connection. (Exception message: Hostname bitwarden.xxxx.duckdns.org not verified) I followed Spaceinvaders youtube pretty much. Looking for a suggestion to help tackle the phone :)

Did you remember to add your subdomain to the SWAG unraid container config in docker? I often forget this step and get your error

Link to comment
5 minutes ago, Aceriz said:

Did you remember to add your subdomain to the SWAG unraid container config in docker? I often forget this step and get your error

I believe it is right. I used the one he provided but I kept all of my naming the same as his, thinking that it would be correct. Here is the one I am using. I am using bitwarden.XXXXXXX.duckdns.org to reach the container from the chrome browsers. One thing that is strange is I am getting the Not Secure warning in the browser address line but it lets me in after I click proceed. 

 

#BITWARDEN
# Make sure that your domain's DNS has a CNAME or A record set for the subdomain bitwarden.
# This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
# However, the container name is expected to be "bitwardenrs", as it is by default in the template, because this name is used to resolve.
# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7

resolver 127.0.0.11 valid=30s;
upstream bitwarden {
    server bitwardenrs:80;
}

server {
    listen 443 ssl;
    server_name bitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    location / {
        proxy_pass http://bitwarden;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden;
    }
}

Edited by bclinton
Link to comment
5 hours ago, Roxedus said:

regex to catch failed attempts 

I was actually able to get it to work :) with much digging... I found the following https://pieterhollander.nl/post/bitwarden/ and with some editing got the following to work

 

to the jail.local 

 

[bitwarden-admin]
enabled = true
port = http,https
filter = bitwarden-admin
action = iptables-allports[name=bitwarden]
logpath = /log/bitwarden.log
maxretry = 2
bantime = 14400
findtime = 14400

 

in the Filter.d folder added bitwarden-admin.conf

 

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =

 

 

 

anything you might suggest to make it better.. I did test it... and it is working 

 

Link to comment
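An added example, not part of the original post or of fail2ban itself: a small offline simulation of the jail above, showing which addresses the posted `failregex`, `maxretry` and `findtime` would ban. The log lines are constructed, the timestamp layout is an assumption about the log format, and `<ADDR>` is approximated with an IPv4-only pattern.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values copied from the jail.local and filter posted above.
FAILREGEX = r"^.*Invalid admin token\. IP: <ADDR>.*$"
MAXRETRY, FINDTIME = 2, 14400  # findtime in seconds

# Assumption: <ADDR> is approximated by an IPv4-only group (fail2ban's tag also takes IPv6).
ADDR = r"(?P<addr>(?:\d{1,3}\.){3}\d{1,3})"
PATTERN = re.compile(FAILREGEX.replace("<ADDR>", ADDR))
# Assumption: each log line starts with "[YYYY-MM-DD hh:mm:ss.mmm]".
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
[2021-02-17 09:00:01.120][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.7
[2021-02-17 09:00:05.480][bitwarden_rs::api::identity][INFO] User login from IP: 198.51.100.4
[2021-02-17 09:02:30.002][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 198.51.100.9
[2021-02-17 09:03:10.771][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 203.0.113.7
[2021-02-17 15:00:00.000][bitwarden_rs::api::admin][ERROR] Invalid admin token. IP: 198.51.100.9
"""


def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return [(ip, time_of_ban)] for addresses reaching maxretry within findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        hit, stamp = PATTERN.match(line), STAMP.match(line)
        if not (hit and stamp):
            continue  # not a failed admin login, or no usable timestamp
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        window = recent[hit.group("addr")]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # failure is older than findtime, stop counting it
        if len(window) >= maxretry:
            banned.append((hit.group("addr"), when))
            window.clear()
    return banned


if __name__ == "__main__":
    for ip, when in simulate(SAMPLE_LOG):
        print(f"ban {ip} at {when}")
```

On a host with fail2ban installed, `fail2ban-regex` run against the real log file and the filter file gives the authoritative answer on whether the filter matches.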

Another question... I am wondering how I would go about creating a Docker log rotation for the bitwarden.log used in the fail2ban setup

 

I have found this attached at the pieter hollander site but am not sure where I would use such a thing within unraid... or if it is even needed.

 


Link to comment
4 minutes ago, bclinton said:

I followed the instructions that were outlined in the youtube video - How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX

 

 

Within the Bitwarden Docker template did you enable websocket? By default it is now set to disabled... with the SWAG nginx .config file you need to enable this...

 

 

Link to comment
6 minutes ago, bclinton said:

I followed the instructions that were outlined in the youtube video - How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX

 

You could also try using the SWAG .sample config file... but would need to ensure that you either remove the reverse proxy for /admin... as described in the pinned message on the top of this forum. Additionally you may want to consider, once you're done with the reverse proxy, setting up fail2ban, which is what I have been working on and just got sorted out (instructions on first page (bottom) of this help thread).

 

Link to comment
2 minutes ago, Aceriz said:

 

 

Within the Bitwarden Docker template did you enable websocket? By default it is now set to disabled... with the SWAG nginx .config file you need to enable this...

 

 

 

I actually deleted everything and will try again from scratch in the morning. Can you recommend a youtube install video besides spaceinvaders? I have been trying to wrap my head around all of the settings and what I missed all day. I feel drunk :)

Link to comment
Just now, bclinton said:

 

I actually deleted everything and will try again from scratch in the morning. Can you recommend a youtube install video besides spaceinvaders? I have been trying to wrap my head around all of the settings and what I missed all day. I feel drunk :)

Honestly Spaceinvaders are the best video that I have found... and use. Then a lot of searching with the forums to find solutions...

This is your first time setting up SWAG, right? Have you checked the logs... to ensure that you are getting a server ready as per the spaceinvader video... do you have nginx connected with anything else for remote proxy?

 

Link to comment
Just now, Aceriz said:

Honestly Spaceinvaders are the best video that I have found... and use. Then a lot of searching with the forums to find solutions...

This is your first time setting up SWAG, right? Have you checked the logs... to ensure that you are getting a server ready as per the spaceinvader video... do you have nginx connected with anything else for remote proxy?

 

Yes. I did that first and it all appeared right. The logs showed success verifying the bclinton.duckdns.org host name. I think my problem is with me missing something with the certificates. Like I mentioned. After all was said and done I am able to log into the bitwarden container with bitwarden.bclinton.duckdns.org fine. The only issues I had was not able to get it installed on the phone (android) and I got the "unsafe site" http error in the address bar. I noticed on Spaceinvaders video he did not get that so I have to have missed something. I agree - Spaceinvader is the best. I am only a week with my unraid (came from synology) and have learned so much. 

Link to comment
15 minutes ago, bclinton said:

bitwarden.bclinton.duckdns.org

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

Again, not an expert at all with this.. rather just a troubleshooting step to consider...

 

 

 

Link to comment
4 minutes ago, Aceriz said:

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

Again, not an expert at all with this.. rather just a troubleshooting step to consider...

 

 

 

Will do. Thanks! I think tomorrow I will start fresh with Swag and get up according to SI's video again.

Link to comment
9 hours ago, Roxedus said:

the admin panel needs another regex to catch failed attempts 

 

Okay so I have been able to set up another regex... but it is having a weird response...

When I try logging into the reverse proxy multiple times past the "maxretry" amount I don't get banned... but when I reset the SWAG container then the bans take effect... I am not sure why or even where to go from here... any thoughts would be great

Link to comment
15 hours ago, Aceriz said:

I do not claim to be an expert at all... but based on your site.. it looks like a subdomain. I am not sure if having the extra "." in between bitwarden.bclinton makes a difference... try setting up with just a single subdomain like "bcclintonbitwarden"

Again, not an expert at all with this.. rather just a troubleshooting step to consider...

 

 

 

 

It looks like you were right. It was tied to my naming of the subdomain. An update though....I found out my domain provider (namecheap) has dynamic DNS included. After changing the dns settings for my domain and not using duckdns Swag works great. My first test container was sonarr and it works perfect. Now on to adding nextcloud. :) 

 

I must say Nextcloud is pretty slick! 

 

Thanks for the suggestions!

Edited by bclinton
Link to comment
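An added example, not part of the original posts: the Android app's "Hostname ... not verified" exception means no subject-alternative name (SAN) in the certificate the server presented matches the requested host. The sketch below applies the usual matching rule (a wildcard covers exactly one left-most label) to constructed SAN lists; `example.duckdns.org` is a placeholder name.

```python
def san_matches(hostname, san):
    """Match one dNSName SAN entry against a hostname (RFC 6125-style rules)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # Only a whole left-most label may be a wildcard, and not directly under a TLD.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def verify(hostname, sans):
    """Return the SAN entries covering hostname; an empty list means 'not verified'."""
    return [s for s in sans if san_matches(hostname, s)]


# Constructed SAN lists for three possible certificates (placeholder names).
CERTS = {
    "base name only": ["example.duckdns.org"],
    "base name + subdomain": ["example.duckdns.org", "bitwarden.example.duckdns.org"],
    "wildcard only": ["*.example.duckdns.org"],
}

if __name__ == "__main__":
    for host in ("example.duckdns.org", "bitwarden.example.duckdns.org"):
        for label, sans in CERTS.items():
            covered = verify(host, sans)
            print(f"{host:32} {label:24} {'ok' if covered else 'NOT VERIFIED'}")
```

The SAN list of the certificate actually being served can be read from the browser's certificate details and compared in the same way.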

Bitwarden and swag were setup and working correctly. But my network has changed slightly. For example it used to be:

Cable modem in bridge mode

      \/

PFsense

    \/

Unraid with bitwarden, duckdns and swag dockers

 

then I had to modify my network to this:

 

Cable modem in router mode

                    \/

PFsense                PFsense  configured in HA mode

                    \/

Unraid                   Unraid

 

Note only one Unraid has the original config with bitwarden, duckdns and swag.

 

Now with the new network settings I cannot sync bitwarden or access the vault via ****.duckdns.org

I don't know if it's a setting I'm forgetting or if it's something on the main router that I didn't do. I have the ports forwarded in PFsense and the firewall on the main router is turned off.

 

any help would be greatly appreciated.

Link to comment
On 2/17/2021 at 1:08 PM, Roxedus said:

I just use CA backup, then rclone that archive to the cloud. 

When you are using CA to back up, what specifically are you pulling, if you don't mind me asking... Mind posting like a screenshot of your settings.. (then I can and will figure out the rclone part :)

 

thanks

 

Link to comment
  • Roxedus changed the title to [support] Vaultwarden (formerly Bitwarden_rs)
