BitWarden - self hosted password manager using vaultwarden/server image

If you run a caching dns resolver like PiHole or Unbound, you can add a dns override for the vw domain and resolve it to your Diskstation.

I have an OPNsense HA setup with carp ip (one for ipv4, one for ipv6) with Unbound on it. My lan router announces the carp ips as dns server via dhcp to the devices in the network. Speeds up name resolution and allows overriding name resolution for arbitrary domain names.
 
Isn't the vault cached in the browser extension or browser? Telos, if you can give it a shot to rule out a browser issue, can you try the Chrome browser with the Chrome extension? Configure the extension settings the same, set to lock, not log out... connect through VPN and do what you did on Firefox.

I've tried again on my end, this time going through VPN, and my vault stayed logged in but locked, and all items were there. The data is cached in the browser.
 
@Gerard is of course right, the vault should be cached.

@Telos I assume you can rewrite the returned a-record for a domain lookup here:

Have you checked if the browser's developer tools (point somewhere into the extension popup and "inspect") network tab provides clues about what's going on? Even though the extension id obfuscates the domain on many calls, you should still see a status code that might indicate what's going on.
 
Rusty updated BitWarden - self hosted password manager using vaultwarden/server image with a new update entry:

Securing the ADMIN_TOKEN

Previously the ADMIN_TOKEN could only be in a plain text format. You can now hash the ADMIN_TOKEN using Argon2 by generating a PHC string.

This can be generated by using a built-in hash command within Vaultwarden, or using the argon2 CLI tool.

Here are a few examples of how to start with the generation of the PHC string using the Vaultwarden 1.28.0 (or newer) version of the image.

Bash:
# Using...

Read the rest of this update entry...
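Before pasting the PHC string into a compose file it is worth checking that it is well formed and that its parameters are not weak, and remembering that docker-compose interpolates `$`, so every `$` in the hash must be written as `$$` in the YAML. The script below is an added example, not part of this update entry and not Vaultwarden's own code: it parses the PHC string the `vaultwarden hash` or `argon2` command produces, compares the parameters against the OWASP minimum for Argon2id (19 MiB, 2 iterations, parallelism 1) and prints the compose-escaped form. The two sample strings are constructed, with fixed ASCII salt and hash bytes rather than real Argon2 output, and the parameter values in them are sample values only.

```python
"""Sanity-check an Argon2 PHC string before using it as Vaultwarden's ADMIN_TOKEN.

Added example; not code from Vaultwarden or from the update entry above.
The sample PHC strings below are constructed: their salt and hash are fixed
ASCII bytes, not the output of hashing a real token.
"""
import base64
import re

# OWASP minimum for Argon2id: 19 MiB of memory, 2 iterations, parallelism 1.
OWASP_MIN = {"m": 19456, "t": 2, "p": 1}

# PHC layout: $<alg>$v=<ver>$m=..,t=..,p=..$<salt>$<hash>  (base64, no padding)
_PHC_RE = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<ver>\d+)"
    r"\$(?P<params>[a-z]+=\d+(?:,[a-z]+=\d+)*)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


def _b64decode_nopad(s: str) -> bytes:
    """PHC strings omit base64 padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def looks_hashed(token: str) -> bool:
    """Vaultwarden treats an ADMIN_TOKEN that starts with '$argon2' as a PHC hash."""
    return token.startswith("$argon2")


def parse_phc(phc: str) -> dict:
    """Split a PHC string into its fields; raise ValueError if it is not one."""
    m = _PHC_RE.match(phc)
    if not m:
        raise ValueError("not a PHC-formatted Argon2 string")
    params = {k: int(v) for k, v in (kv.split("=") for kv in m["params"].split(","))}
    return {
        "alg": m["alg"],
        "version": int(m["ver"]),
        "params": params,
        "salt": _b64decode_nopad(m["salt"]),
        "hash": _b64decode_nopad(m["hash"]),
    }


def check_policy(parsed: dict) -> list:
    """Return human-readable findings; an empty list means the hash looks sound."""
    findings = []
    params = parsed["params"]
    if parsed["alg"] != "argon2id":
        findings.append(f"variant {parsed['alg']} used; argon2id is the recommended variant")
    if parsed["version"] != 19:
        findings.append(f"unexpected Argon2 version {parsed['version']} (expected 19)")
    for key, minimum in OWASP_MIN.items():
        if params.get(key, 0) < minimum:
            findings.append(f"{key}={params.get(key)} is below the OWASP minimum of {minimum}")
    if len(parsed["salt"]) < 16:
        findings.append(f"salt is {len(parsed['salt'])} bytes; use at least 16")
    if len(parsed["hash"]) < 32:
        findings.append(f"hash is {len(parsed['hash'])} bytes; use at least 32")
    return findings


def escape_for_compose(phc: str) -> str:
    """docker-compose interpolates '$', so every '$' must be doubled in the YAML."""
    return phc.replace("$", "$$")


# Constructed samples: salt = b"ABCDEFGHIJKLMNOP", hash = 32 ASCII bytes.
STRONG = ("$argon2id$v=19$m=65540,t=3,p=4"
          "$QUJDREVGR0hJSktMTU5PUA$MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY")
WEAK = ("$argon2i$v=19$m=4096,t=1,p=1"
        "$QUJDREVGR0hJSktMTU5PUA$MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY")

if __name__ == "__main__":
    for label, phc in (("strong", STRONG), ("weak", WEAK)):
        findings = check_policy(parse_phc(phc))
        print(label, "OK" if not findings else findings)
    print("ADMIN_TOKEN=" + escape_for_compose(STRONG))
```

Run it against the string your own `vaultwarden hash` or `argon2` invocation printed; the `weak` sample shows what the checker reports for argon2i with 4 MiB and a single iteration. The escaping only applies to the compose file: when the token is passed on a plain `docker run -e` command line inside single quotes, the `$` signs stay as they are.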
 
can you try chrome browser with chrome extension
Same response. Open browser, icon initially comes up "blue" then after a few seconds, goes "gray" (logged out). This is region specific (non-domestic) on my OpenVPN app. Seems related to tunnel restrictions, but I don't understand how this is triggering logout (an unintended security "feature").
 
Ok good (but also bad) to hear same result. Yea this makes no sense.
 
I assume you can rewrite the returned a-record for a domain lookup
This doesn't seem to work since I use CF tunnel here, and there is no local RP to redirect the subdomain traffic to the proper Vaultwarden port. I suppose I need to create an RP entry which would redirect vault.domain.com to NAS_IP:VW_Port.

Is that correct? Or something else?
 
For whatever reason I assumed you use the syno rp and have a letsencrypt certificate there.

If you establish a connection from the CF tunnel to the DSM:VW_Port, and CF handles the TLS certificate, then indeed you will need to create an RP rule for the same domain on port 443 on the syno and add an LE certificate.

Also, it shouldn't be a redirect (as in rewrite the URL and forward to the new URL), it must be an override of the A-record response.
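As an added example of the override discussed in the two posts above (the Pi-hole/Unbound suggestion earlier in the thread and the A-record override here), not taken from the thread's screenshots or from any project, this is what the override looks like in Unbound's own configuration; the OPNsense Unbound host-override page and Pi-hole's Local DNS Records page generate the equivalent for you. `vault.domain.com` is the placeholder used in this thread and `192.168.1.10` is an assumed LAN address of the NAS running the reverse proxy.

```conf
server:
    # Split-horizon override for the Vaultwarden host name.
    # vault.domain.com is the thread's placeholder; 192.168.1.10 is an
    # assumed LAN address of the NAS (the reverse proxy on port 443).
    #
    # Without an explicit local-zone, Unbound creates a "transparent" zone
    # for the name: this name is answered from local-data, every other name
    # under domain.com is still resolved through the upstream resolver.
    local-data: "vault.domain.com. IN A 192.168.1.10"
    # Same for IPv6 if the NAS has an address clients can reach; drop otherwise.
    local-data: "vault.domain.com. IN AAAA fd00::10"
```

Check it from a LAN client with `dig @192.168.1.1 vault.domain.com A +short` (the resolver address is an assumption): it must return the LAN address, while the same query against a public resolver keeps returning the public one. Because this is a DNS override and not an HTTP redirect, the browser still connects to `https://vault.domain.com`, so the certificate presented by the Synology reverse proxy must be valid for exactly that name, which is why the LE certificate on the syno RP is needed.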
 
When I launch/connect outgoing VPN on my laptop, and open my browser (Firefox), the Bitwarden extension is logged out,
To bring pseudo-closure to this, I've withdrawn from CF tunnel for this application, recognizing that CF has unencrypted access to all tunnel traffic. Seems like a bad plan for use with Vaultwarden, or any "private" content. Using RP alone, and the VPN usage has no similar effect.

Overall I'm soured on CF tunnels... unless you are running a public web page or the like.
 
Wild that CF was the cause of this. Glad you have closure!
 
Hi @Rusty,

I would be thankful if you could post a little update on how the latest release 1.29.0 affects your tutorial about
Bitwarden WebSocket LiveSync
as it seems obsolete now to configure a dedicated WebSocket port.
What does this mean for the proxy configuration?

Major changes and New Features in 1.29.0
  • WebSocket notifications now work via the default HTTP port. No need for WEBSOCKET_ENABLED and a separate port anymore.
    The proxy examples still need to be updated for this. Support for the old websockets port 3012 will remain for the time being.
Also, the new Push Notification feature would be worth mentioning ;)


Thank you very much,
paradeiser
 
Just updated a few days ago and made the update on my site, just not here... will do it soon. Thanks.
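Since 1.29 the notifications hub is served on Vaultwarden's normal HTTP port, so the proxy only has to forward `/notifications/hub` to the same upstream with the WebSocket upgrade headers instead of to a separate port 3012. The fragment below is an added example answering the question above; it is neither the tutorial's own proxy configuration nor Vaultwarden's. The upstream name `vaultwarden-default`, the container name `vaultwarden` on port 80, and the host name `vault.domain.com` (the thread's placeholder) are assumptions.

```nginx
# Assumed upstream: the vaultwarden container on its default HTTP port.
upstream vaultwarden-default {
    server vaultwarden:80;
}

server {
    listen 443 ssl;
    server_name vault.domain.com;      # thread placeholder
    # ssl_certificate / ssl_certificate_key: the Let's Encrypt pair for this name

    location / {
        proxy_pass http://vaultwarden-default;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The negotiate call is ordinary HTTP; only the hub itself is upgraded.
    location /notifications/hub/negotiate {
        proxy_pass http://vaultwarden-default;
    }

    # WebSocket hub: same upstream as everything else, no separate 3012 port,
    # just the upgrade headers so the connection is not downgraded by the proxy.
    location /notifications/hub {
        proxy_pass http://vaultwarden-default;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

On the Synology reverse proxy the equivalent is a single rule for the host name pointing at the one HTTP port, with the `WebSocket` custom-header preset added so that `Upgrade` and `Connection` are passed through. A pre-1.29 `/notifications/hub` rule that targets port 3012 keeps working for the time being, as the release note says, and `WEBSOCKET_ENABLED` and the 3012 port mapping can be dropped from the container.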
 
Rusty updated BitWarden - self hosted password manager using vaultwarden/server image with a new update entry:

VaultWarden 1.29 changes

UPDATE 09/07/2023 - v 1.29 - Mobile client push

With version 1.29, the VaultWarden team has added a new feature for the mobile apps: push notification sync support.

feat: Implement Push Notifications sync by GeekCornerGH · Pull Request #3304 · dani-garcia/vaultwarden

With this feature active on your instance, any changes done inside the VaultWarden server will be instantly visible to the mobile...

Read the rest of this update entry...
 
Hi Rusty, I am not sure, so I'll rather ask: if I have already been running my Vaultwarden in Docker for a long time, should I request a Hosting Installation Id & Key from bitwarden.com, or can/should I rather dig it out from my Vaultwarden installation (if yes, then what's the easiest way)? Docker? Portainer? Or will I have to do some ssh thing?
Thanks!
 
You can use the official bitwarden.com one (I have, as it's the same one I use for my Bitwarden Unified setup that I am planning to migrate to in the future). So just use the URL, get the ID and Key, and add the variables to your existing Vaultwarden compose.

Those are all the steps that I have done, and have been using it already for days with no issues. Sync works with 0 issues.
 
Can I, instead of docker compose method, add these three variables (PUSH_ENABLED, PUSH_INSTALLATION_ID, PUSH_INSTALLATION_KEY) via Docker, in Environment section? I mean, stop the container, insert these three, start again?
Or do I need to recreate the container before I start it again (probably the Portainer way would be the fastest/easiest)?
 
Yes you can. Stop, edit, run.
 
Hmmm, I'm probably doing something wrong, or I need to do some more tweaks in the Vaultwarden configuration.
Even though I made the changes and recreated the container in Portainer, if I make changes to any record, they are not pushed to my mobile app or web browser extension. Why?
