[support] Vaultwarden (formerly Bitwarden_rs)



How do you disable the admin interface on the nginx config? I want to be able to access it locally, but not over the internet.

 

Also TOTP doesn't seem to be working for me, at least not with Aegis on Android.

[2023-06-18 16:20:50.585][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2023-06-18 06:20:50 UTC IP: my.phone.ip.address

 

Edited by Stubbs
Link to comment

I'm blocking the admin page like this:
location /admin {
    return 404;
}

Under Advanced in NPM settings for the bitwarden proxy host.

This will block the admin page from being used over the internet.


To still access it from the LAN, I set up an additional DNS entry for bit.lan using my Pihole, which I also have as a proxy host in my NPM, allowing me to bypass the blockage.

In your case, you would do the opposite, but I strongly advise against it. Please refrain from making the admin panel accessible from the internet, especially if there are no other security layers in place, such as Fail2ban.

Link to comment
On 6/16/2023 at 6:00 PM, Gragorg said:

I recently changed my domain name on Vaultwarden. I logged into the admin panel and changed it in the "domain URL" box to the new one. After I saved the settings and logged out I restarted Vaultwarden, but the WEBUI option on the docker still goes to the old domain. I logged back into Vaultwarden and confirmed that the new domain was saved. The new domain is working fine.

Delete cookies and cache for this domain in your browser or try a different browser.

Link to comment
10 hours ago, Stubbs said:

How do you disable the admin interface on the nginx config? I want to be able to access it locally, but not over the internet.

 

Also TOTP doesn't seem to be working for me, at least not with Aegis on Android.

[2023-06-18 16:20:50.585][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2023-06-18 06:20:50 UTC IP: my.phone.ip.address

 

What reverse proxy are you using?

Link to comment
17 minutes ago, yogy said:

What reverse proxy are you using?

Swag, although I haven't tried the above solution provided yet. I'm sure that will work fine.

 

The thing I really want to know now is why TOTP isn't working for me. I thought it would be straight-forward but even with two different TOTP apps, this container refuses to accept the code. TOTP works with NextCloud but not vaultwarden.

Link to comment
7 minutes ago, yogy said:

Hmm, as for TOTP .... please explain your method for enabling it and what app are you using?

 

In the Bitwarden WebUI, I just go to Account Settings > Security > Two Step Login > Authenticator App (Manage).

 

It generates a QR code. I scan it with my phone using Aegis authenticator (also tried FreeOTP). Scanned fine, generated a code, but the Bitwarden WebUI refuses to accept it.

 

[2023-06-19 03:44:13.177][vaultwarden::api::core::two_factor::authenticator][ERROR] Invalid TOTP code! Server time: 2023-06-18 17:44:13 UTC IP: my.ip
[2023-06-19 03:44:13.177][response][INFO] (activate_authenticator_put) PUT /api/two-factor/authenticator => 400 Bad Request

 

Link to comment

Is there a guide on how to set up the Vaultwarden container with a secure (non plain-text) token?

 

I downloaded the container through apps, started it and generated a token in the container CLI with ./vaultwarden hash. Then pasted the token into the container config in Unraid - still cannot login to the admin panel and get a "Error: Invalid admin token, please try again."

 

Any advice?

Link to comment

Hi everyone,

 

I've been running that docker for 2 years with no issue but this evening, for some reason, I can't login anymore.
My wife can't log in either with her own credentials.

 

We are 100% sure our credentials are right and yet, when we log in, it will say our login and/or password are wrong.

 

Can't login from the WEBUI and the browser extension

Unlocking using Biometrics works on my macbook and my iphone. However, as soon as I made an actual logout on those apps, I couldn't login anymore using my credentials.

 

I can log into the admin page using my token tho. Also, there is nothing showing up in the log

 

Any idea how to solve that?

Link to comment

For testing purposes, I created a new account. It does work. I can login with it.

Then, I backed up my database, uninstalled my container, reinstalled it and restored the database.

I can still login with the new login I created but not with my main accounts. 

 

So I decided to checkout the list of users and... There is only my test account. All my other users are gone.

 

Is there any way to fix the database?

 

Thanks!!!

Edited by mathgoy
Link to comment

Having problems with Vaultwarden as of late. I have been having crashing on my Unraid box since the last couple of updates. I saw a post for dockers to change from macvlan to ipvlan if you have static IPs for dockers and that it will resolve the issue. Since that change Vaultwarden will not load up. Any suggestions?

 

[2023-06-29 17:52:54.310][panic][ERROR] thread 'main' panicked at 'Failed to turn on WAL: DatabaseError(Unknown, "disk I/O error")': src/db/mod.rs:447

 

That is what I get in the logs 

Link to comment
49 minutes ago, bluepoet said:

Having problems with Vaultwarden as of late. I have been having crashing on my Unraid box since the last couple of updates. I saw a post for dockers to change from macvlan to ipvlan if you have static IPs for dockers and that it will resolve the issue. Since that change Vaultwarden will not load up. Any suggestions?

 

[2023-06-29 17:52:54.310][panic][ERROR] thread 'main' panicked at 'Failed to turn on WAL: DatabaseError(Unknown, "disk I/O error")': src/db/mod.rs:447

 

That is what I get in the logs 

So I thought I would try to uninstall it but leave the database on the raid box and then reinstall it - that got it to come back online but now the database is set for default settings - grrr - guess I'll start it over.

 

Link to comment
  • 2 weeks later...

Newbie here. I've been running Unraid for about a year now, but haven't really dug too much into learning. One of the first things I did was install Vaultwarden. I followed IBRACORPS tutorial originally.

 

I currently have a few issues related to Vaultwarden

 

First:

 

Right now, I cannot access Vaultwarden remotely. But I believe that is an issue related to my Cloudflare/nginx configuration. I'm going to take that over to that thread.

 

Second:

 

If I click on Vaultwarden within my Unraid apps draw, and proceed to the UI, I get: [image]

 

I don't know what the admin-key I originally used is. I'm assuming that's what it is asking for. 

Link to comment

You can take a look for admin key in /mnt/user/appdata/vaultwarden/config.json. Use cat command in front of the path and you will see your admin token in plain text.

 

Just FYI. Don't use admin page over the internet. Block it. It should only be accessible via your LAN.

 

If you are using your own domain via Cloudflare, just take a look at my guide how to create Cloudflare tunnel (Zero Trust) for reverse proxy and how to secure your admin page via internet.

Edited by yogy
Link to comment

Here is a very quick guide how to use Argon2 hash for Vaultwarden. You can use different ways to enable access to admin page here but like I said, this is a very quick solution:

  1. Go to https://argon2.online/
  2. Enter a passphrase in Plain Text Input, click once on the Salt cogwheel and leave everything as default and click GENERATE HASH
  3. Go to Vaultwarden Admin's Page >> General Settings and replace your current admin token in plain text with the generated hash value ($argon2i$v=19$m=16,t=2,p=1$YnJvYm1vSD...........)
  4. Save and restart the vaultwarden container
  5. To login to admin's page you must use your plain text value, not the hash

 

I hope you will find this very quick tutorial useful.

 

Edited by yogy
  • Thanks 5
Link to comment
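
The hash prefix in step 3 spells out its own cost parameters (`argon2i`, `m=16`, `t=2`, `p=1`), so a stored admin token can be checked before relying on it. This added example (not from the post or the Vaultwarden project) parses such a string and compares it with a floor of Argon2id, m=19456 KiB, t=2, p=1; that floor is an assumption taken from OWASP's minimum recommendation, and the function name and sample strings are constructed.

```sh
#!/bin/sh
# Added example: audit the value stored as Vaultwarden's admin token.
# The floor below is an assumption (OWASP's minimum Argon2id setting).
MIN_M=19456   # memory cost, KiB
MIN_T=2       # iterations
MIN_P=1       # parallelism

audit_admin_token() {
    token=$1
    case $token in
        '$argon2'*) ;;
        *) echo "plaintext: token is not an Argon2 PHC string"; return 1 ;;
    esac
    # PHC layout: $<variant>$v=<version>$m=<KiB>,t=<n>,p=<n>$<salt>$<hash>
    old_ifs=$IFS; IFS='$'
    set -f; set -- $token; set +f   # split on '$'; field 1 is empty
    IFS=$old_ifs
    [ $# -eq 6 ] || { echo "malformed: expected 5 PHC fields"; return 1; }
    variant=$2; params=$4
    m=${params#m=};   m=${m%%,*}
    t=${params#*,t=}; t=${t%%,*}
    p=${params##*,p=}
    for n in "$m" "$t" "$p"; do
        case $n in
            ''|*[!0-9]*) echo "malformed: bad cost parameters"; return 1 ;;
        esac
    done
    findings=
    [ "$variant" = argon2id ] || findings="$findings variant=$variant"
    [ "$m" -ge "$MIN_M" ] || findings="$findings m=$m<$MIN_M"
    [ "$t" -ge "$MIN_T" ] || findings="$findings t=$t<$MIN_T"
    [ "$p" -ge "$MIN_P" ] || findings="$findings p=$p<$MIN_P"
    if [ -n "$findings" ]; then echo "weak:$findings"; return 1; fi
    echo "ok: $variant m=$m t=$t p=$p"
}

# Constructed samples; salt and hash fields are placeholders, not real output.
WEAK='$argon2i$v=19$m=16,t=2,p=1$Y29uc3RydWN0ZWRzYWx0$Y29uc3RydWN0ZWRoYXNo'
GOOD='$argon2id$v=19$m=65540,t=3,p=4$Y29uc3RydWN0ZWRzYWx0$Y29uc3RydWN0ZWRoYXNo'
for sample in 'my-plain-token' "$WEAK" "$GOOD"; do
    audit_admin_token "$sample" || true
done
```

Pass the token in single quotes, as in the samples, so the shell does not expand the `$` separators before the function sees them.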

FYI as of the latest version of this you can enable mobile client push notifications (basically live sync to your phone) 
 

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification.

 

Add the variables to the docker template mentioned above, and restart the container. After that, re-install your phone app. Kind of a pain but well worth it to not have to sync manually any more.

push example.png

Edited by Wolbaz
Added example photo
Link to comment
59 minutes ago, Wolbaz said:

FYI as of the latest version of this you can enable mobile client push notifications (basically live sync to your phone) 
 

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification.

 

Add the variables to the docker template mentioned above, and restart the container. After that, re-install your phone app. Kind of a pain but well worth it to not have to sync manually any more.

push example.png

I have two instances of Vaultwarden on my Unraid. Both use same email as my login. Would I generate ID and KEY one time and use it in both places or "generate it twice"? Also, do we delete "Websocket Port" from container information? Delete the "port 3012" references from our reverse proxy, too?

Edited by blaine07
Link to comment
  • 2 weeks later...

My Vaultwarden is not allowing me to do a DNS lookup and it says they do not have access.

OS/Arch: linux / x86_64
Running within Docker: Yes (Base: Debian)
Environment settings overridden: Yes
Uses a reverse proxy: Yes
IP header Match: Config/Server: X-Real-IP
Internet access Error: No
Internet access via a proxy: No
DNS (github.com) Error: Unable to resolve domain name.
Date & Time (Local): Server: 2023-07-31 17:28:27 -05:00
Date & Time (UTC) Server/Browser Ok: NTP: Unable to fetch NTP time. Server: 2023-07-31 22:28:27 UTC. Browser: 2023-07-31 22:28:27 UTC
Domain configuration Match HTTPS

I can access the app without a problem but it will not allow any dns lookups.

Link to comment

TLDR; How to update to the latest version of VaultWarden on UNRAID docker?

 

Hi All,

From the admin page

http://192.168.XXX.XXX:4743/admin/diagnostics

[image]

 

I think there is a 2023.7.0 version or at least a more up to date version than what I have installed.

Below is an image from UNRAID > Apps > Installed Apps > VaultWarden

[image]

 

I have found this `https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image` but really am unsure if this is the correct way to go about an update to an UNRAID docker.

 

So the question is: how to update to the latest version of VaultWarden on UNRAID docker?

 

And if I am already on the latest version/release, this question is still valid for future updates and clarity of the process.

 

Thanks

Edited by GigaTech
Link to comment
