All manner of Vaultwarden Issues

I "had" a fully functional Vaultwarden install running on Docker on DSM 7.2.1

Then I tried to add SMTP functionality from Rusty's thread. Foolishly, I didn't read up first before trying it. I'm now stuck with a param "SMTP_SECURITY" "SSL/TLS" and I can't change the damned thing through the UI. It just keeps giving me the error:
Code:
Unable to perform this operation possibly because the network connection is unstable or the system is busy
I've tried rebooting the NAS with no joy. And of course, if I shut down Container Manager, I can't access it.

I've had a system-wide grep running for over an hour and a half now. Can someone PLEASE tell me which ***** file on the filesystem has the config, so I can just change it and move on?

On a related note, when configuring the container to connect to MailPlus Server on the same NAS, despite MailPlus being configured to accept both 587 and 465, Vaultwarden doesn't seem to connect using starttls. Am I missing something obvious there as well?


Second problem is: in creating some users in the installation, I can't see them in any organisation. I originally deleted them from an organisation and tried to recreate the users, but the system is now telling me either I can't create users or the user is already registered.
Can someone please tell me how to find these lost users in the system so I can either clear them or work out how to get them back?
 
Can't you edit the config.json?


Please moderate your language. The forum rules are here.
Apologies Fredbert.

Really did/do not see that common Aust. vernacular as being offensive.

I have now found the config.v2.json and modified that, and the container is at least running again.

Just need to now understand why the force_tls doesn't like it, nor starttls.

And if I can then find these lost users, all will be good.
 
Really did/do not see that common Aust. vernacular as being offensive.
It was probably a stronger word in UK, though now nearly anything goes on evening TV. Still this is an international forum where many have English as a second language, and it's just better to keep the emotional levels dialled down. There's always an emoji instead 🤬

I have now found the config.v2.json and modified that, and the container is at least running again.

Just need to now understand why the force_tls doesn't like it, nor starttls.
That's a good start. I have a test Vaultwarden container where the hardest thing was to get the argon2id authentication working.

This is from my config.json for the SMTP variables. I use Mail Server as the SMTP server, with my personal domain internally hosted for LAN device on DNS Server.
Code:
"smtp_host": "smtp.mydomain.com",
"smtp_security": "starttls",
"smtp_port": 25,
"smtp_from": "[email protected]",
 
This is from my config.json for the SMTP variables. I use Mail Server as the SMTP server, with my personal domain internally hosted for LAN device on DNS Server.

Yeah, my config is much the same, albeit using 587 instead of 25 as that's how MPlus Server is config'd.

All that's coming through in the container log is "[vaultwarden::mail][ERROR] SMTP timeout error: Connection error".
NOT entirely helpful. Error is the same irrespective of force_tls:465 or starttls:587. That might indicate I have the firewall locked down too tight, but 465 and 587 are both open to "All interfaces". So, it couldn't be that.

I know the creds are good. Am I just supposed to have the password in plain text in the container params under "SMTP_PASSWORD"?

Is there another way to troubleshoot vaultwarden connecting to the MPlus Server?
 
What about SMTP authentication on MailPlus Server? Do you enforce it for LAN connections?
Yeah.

Just ticked the "Skip auth for local network ..." as a test. Same error.

Screen Shot 2024-04-10 at 01.40.48.png
 
While I specify SMTP port 25 with STARTTLS in the VaultWarden config, this is the Mail Server setup. The other SMTP config settings in VW are closed down (e.g. invalid certs and hosts are set to not allow).
1712678524492.png


Do you use MailPlus SMTP with the DSM notifications and other services and local apps? If you do then reusing the 'client' values in VW should work. The only other thing would be if VW container is somehow blocked or unable to access DSM itself via network means. You could connect onto terminal session on the VW container and check what ping/telnet/nc/curl/traceroute utilities there may be left in the image build.
 
Do you use MailPlus SMTP with the DSM notifications and other services and local apps? If you do then reusing the 'client' values in VW should work.

re MPlus & DSM notifications: yes, I do. And it is those creds I have been attempting to use for the container. And again, my settings are the same as yours for the mail server.

The other SMTP config settings in VW are closed down (e.g. invalid certs and hosts are set to not allow).

Don't follow this comment, sorry. Where to set these?

The only other thing would be if VW container is somehow blocked or unable to access DSM itself via network means. You could connect onto terminal session on the VW container and check what ping/telnet/nc/curl/traceroute utilities there may be left in the image build.

OK. You might be onto something.

Code:
curl telnet://<DSM Lan2 IP>:port (25, 465, 587, 80, <my custom DSM port>)
** I noticed in M+ server, I have the server running on Lan2 (i.e. internal interface.)

- All produce zero response from the container. Even with the firewall disabled in DSM.

Although I have established, it at least has a route to its own gateway (which makes sense obviously, else it couldn't serve up vaultwarden in the 1st place.)

I have noticed the Container Manager is set up to 'Bridge' network.
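
The connectivity check discussed above, as an added example that is not part of any post in this thread: a probe that reports which step fails (TCP connect, SMTP banner, STARTTLS offer, TLS handshake) for the two modes being tried, `starttls` and `force_tls`. The function name, the stage labels and the `192.0.2.10` target are assumptions made for the example; it needs Python, so run it from any container attached to the same bridge network if the Vaultwarden image has none.

```python
import smtplib
import socket
import ssl


def probe_smtp(host, port, security="starttls", timeout=5.0):
    """Return (stage, detail): the first step that failed, or "ok"."""
    # The default context verifies certificate and hostname, i.e. the same
    # posture as smtp_accept_invalid_certs/hostnames = false in config.json.
    ctx = ssl.create_default_context()
    client = None
    try:
        if security == "force_tls":   # implicit TLS from the first byte (465)
            client = smtplib.SMTP_SSL(host, port, local_hostname="probe",
                                      timeout=timeout, context=ctx)
        else:                         # plaintext banner first (25 or 587)
            client = smtplib.SMTP(host, port, local_hostname="probe",
                                  timeout=timeout)
        client.ehlo()
        if security == "starttls":
            if not client.has_extn("starttls"):
                return ("starttls_not_offered", "EHLO reply lacks STARTTLS")
            client.starttls(context=ctx)
            client.ehlo()
        return ("ok", "transport works; look at credentials or relay policy")
    except socket.timeout:
        return ("timeout", "no answer before the timeout: dropped or no route")
    except ConnectionRefusedError:
        return ("refused", "host reachable, but nothing listens on this port")
    except ssl.SSLError as exc:
        return ("tls_failed", str(exc))
    except smtplib.SMTPServerDisconnected as exc:
        return ("disconnected", "TCP connected, SMTP dialogue stalled: %s" % exc)
    except OSError as exc:            # DNS failure, unreachable network, ...
        return ("error", str(exc))
    finally:
        if client is not None:
            client.close()


if __name__ == "__main__":
    # Constructed sample target: replace with the NAS address the container sees.
    for mode, port in (("starttls", 587), ("force_tls", 465)):
        print(mode, port, probe_smtp("192.0.2.10", port, mode, timeout=3))
```

A `timeout` on every port points at the path between the bridge subnet and the NAS rather than at the SMTP settings, while `refused` means the packets arrive but the service is not bound to that address.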
 
I have noticed the Container Manager is set up to 'Bridge' network.
That means that the VW container has a NAT address towards the NAS as its host. If the DSM fw is down it still might be an issue of blocking traffic. Try and configure a rule that will allow docker subnet that VW is using access to your host LAN subnet.

Another option would be to try and run VW in "host network" if the ports that VW uses are not already occupied by other services on the NAS. See if that will make a difference.
 
Cheers Rusty
Try and configure a rule that will allow docker subnet that VW is using access to your host LAN subnet.
Do you mean here a FW rule to allow access to 465/587 from VW subnet to LAN(2) subnet? (Even though both ports are open to "All interfaces" w. no restrictions)?

Or do you mean a Static Route in Control Panel > Network? Or possibly even via a vSwitch?

Another option would be to try and run VW in "host network" if the ports that VW uses are not already occupied by other services on the NAS. See if that will make a difference.
Well, the container uses 80 for the VW UI (albeit, it's reverse proxied)? And of course, 80 is already used by (honestly can't remember which of the DSM apps it is now, but pretty damn certain it uses 80 for something) .....

Oh, the Certificate Manager wants 80 when renewing the LetsEncrypt certs every couple months.



On a different question, what are these "Capabilities" in the container settings? Do they make any difference?
 
Well, the container uses 80 for the VW UI?
So that's a no go for host network then.

Do you mean here a FW rule to allow access to 465/587 from VW subnet to LAN(2) subnet? (Even though both ports are open to "All interfaces" w. no restrictions)?
Yes. But from the conversation above there is no communication correct?
 
Don't follow this comment, sorry. Where to set these?
I was just completing the set of SMTP config.json setting that I overlooked (cos I was doing this while doing something else). I don't think they are important in this issue, but I'll mention them.

Code:
  "_enable_smtp": true,
  "use_sendmail": false,
  "smtp_host": "smtp.mydomain.com",
  "smtp_security": "starttls",
  "smtp_port": 25,
  "smtp_from": "[email protected]",
  "smtp_from_name": "My Name - Vaultwarden",
  "smtp_timeout": 15,
  "smtp_embed_images": true,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
 
Do you mean here a FW rule to allow access to 465/587 from VW subnet to LAN(2) subnet? (Even though both ports are open to "All interfaces" w. no restrictions)?
What’s the source ip on this rule? If it’s your local lan subnet that’s one thing, but you should add the docker subnet where vw is run as well.

As an example I have 192.168.1.0 as allow all and then my VW instance runs on some other local subnet of 172.168.1.0 (can’t recall if this is the actual subnet it uses) which I also have as a firewall rule of allow all. Without this second rule VW wouldn’t work or I wouldn’t be able to connect to VW. You have to allow the docker subnet access to talk to the nas.

Go to container manager then click on VW and check for what the ip subnet your container is using. Add that as an allow all firewall rule in the nas.
 
Just to clarify, the timeout error is only relating to the SMTP email config right? Or your whole instance of VW; you cannot get into VW?
That is correct. Otherwise the thing works. I don't appear to have the full Admin page(s) I've seen people speak of, but one thing at a time.

Below is straight after a restart.

Screen Shot 2024-04-11 at 06.07.03.png
 
That is correct. Otherwise the thing works. I don't appear to have the full Admin page(s) I've seen people speak of, but one thing at a time.

Below is straight after a restart.

View attachment 14939

A few things maybe to try, go to canyouseeme.org on the network you're running this mail server and type in your mail ports to see if they're open. I know you probably have them open, but this will let you know if your ISP has one or the other or both of them closed.

Can you put in the local ip of the mail server into the VW smtp settings? IDK if this is possible, but wondering if there's some sort of loopback issue with both of them being on the same network?
 
