BitWarden - self hosted password manager using vaultwarden/server image


32
3
NAS
DS718+
OK, this image is a no go for me. It failed importing my bitwarden vault json, got an "unexpected error". So reverting back to the multi container version.
 

Rusty

Moderator
NAS Support
4,364
1,268
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
you might want to add this in the tutorial so docker noobs like myself won't be lost
Well this falls in a general Docker category so we will make this in a separate resource
 
32
3
NAS
DS718+
I also tried with the Bitwarden csv export and import and again got an error and only half of it was imported. This is really a showstopper when I cannot migrate my data from the multi container version of bitwarden to this version...

Are there any other options achieving this?

Pfff, even exporting from multi container bitwarden, then importing in Keepass, exporting from Keepass and importing Keepass XML in Bitwarden RS gives an error. Seems something structurally wrong with the import. The log doesn't give any extra info either...
 
Did you try to add some entries in bitwardenrs/server, export them and check if the csv structure is any different?
I would be surprised as ultimately an official bitwarden client (the ui in the container is nothing else) is used to export/import the vault.
 
157
42
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
exporting from Keepass and importing Keepass XML in Bitwarden RS gives an error
I have migrated from keepass to BitWarden_RS without any issue.
If I remember right, I exported in csv from keepass and imported this csv in BitWarden_RS.
And also tried the import of a BitWarden_RS json export in Keepass and it also worked well.
Maybe you can try to export from your multi container BitWarden in json and import this json in the BitWarden_RS server? I see you already did this... sorry
 
32
3
NAS
DS718+
I maybe will try it category by category, there might be some weird field value in there that makes it fail. Or it's too big (which I would really doubt).
 
157
42
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
Or it's too big (which I would really doubt)
How many entries do you have ?
My vault has 150+ entries with a few custom fields.
Most of the entries were already existing (even custom fields) in my keepass DB and everything was imported as intended. I also have nested directories to sort these entries.
Were you able to import your BW export into Keepass ?
 
32
3
NAS
DS718+
Thanks for the help. Tried most of the above.

Apparently it's a size thing. I have more than 300 records. I had to split it up in sets of around 100 entries to make the import work. Still a pretty lousy import algorithm if you ask me, that it simply quits with an unexpected error...

And I'm on a DS718+ with 8 GB RAM, you would say that's more than decent enough.
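
The split-into-sets workaround described in this post can be scripted. This is an added example, not part of the thread or of the Bitwarden/bitwarden_rs code; it assumes the layout of an unencrypted personal-vault `.json` export (top-level `encrypted`, `folders`, `items`, with items pointing at folders through `folderId`), and the function names and sample data are constructed for illustration.

```python
import json
import os
from pathlib import Path

def split_export(export, chunk_size=100):
    """Split an unencrypted personal-vault export into importable chunks."""
    if export.get("encrypted"):
        raise ValueError("encrypted export: re-export as unencrypted .json first")
    folders = export.get("folders", [])
    # Keep each folder's items adjacent so a folder spans as few chunks as possible.
    items = sorted(export.get("items", []), key=lambda i: i.get("folderId") or "")
    chunks = []
    for start in range(0, len(items), chunk_size):
        part = items[start:start + chunk_size]
        used = {i.get("folderId") for i in part}
        chunks.append({
            "encrypted": False,
            # Only folders referenced in this chunk, so every folderId resolves.
            "folders": [f for f in folders if f["id"] in used],
            "items": part,
        })
    return chunks

def write_chunks(chunks, out_dir):
    """Write chunks as owner-only files: they hold plaintext credentials."""
    out = Path(out_dir)
    out.mkdir(mode=0o700, parents=True, exist_ok=True)
    paths = []
    for n, chunk in enumerate(chunks, 1):
        path = out / f"bw_part_{n:02d}.json"
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(chunk, fh)
        paths.append(path)
    return paths

def sample_export(n=250):
    """Constructed sample data in the assumed export layout (not a real vault)."""
    folders = [{"id": f"f{k}", "name": f"Folder {k}"} for k in range(3)]
    items = [{"type": 1, "name": f"site{k}",
              "folderId": f"f{k % 3}" if k % 5 else None,
              "login": {"username": f"user{k}", "password": "placeholder"}}
             for k in range(n)]
    return {"encrypted": False, "folders": folders, "items": items}
```

Remove the part files and the original export once the import has been verified, since each one contains the vault's credentials in plaintext.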
 

Rusty

Moderator
NAS Support
4,364
1,268
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Well at least you got it all imported. Definitely agree that this limit should be raised. Not like there is a huge amount of heavy data involved.
 
2
1
NAS
DS218+
Operating system
  1. macOS
Mobile operating system
  1. iOS
Hi all, thank you so much for this fantastic thread and all the information that it had. It's amazing and I have learnt a lot. I have managed to configure bw in my syno and everything is working perfectly. Still there is a voice in the back of my head telling me that exposing my NAS to Internet is risky. These are the countermeasures that I have in place.
  • HTTPS connection to bw using a xxx.synology.me:xxxx domain with a non-standard port and a Let’s Encrypt SSL certificate
  • ISP router and Google WiFi with port forwarding of only the needed port for bw
  • Reverse proxy set up in Syno
  • Docker bw is run by a user that only has access to docker local shared folder
  • Firewall rules to allow all LAN traffic, allow traffic to bw port from only local country IPs and deny everything else
  • Admin account disabled, SSH disabled.
How secure is my setup? I know that it cannot be 100% safe but is it safe “enough”? Is there something else that I can do?

thanks!
 

Rusty

Moderator
NAS Support
4,364
1,268
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Looks solid m8. Keep in mind that locking down your BW is also important. Have you locked down signups as well? Just in case anyone stumbles upon your BW URL, so that they can't sign up and create a vault.
 
44
15
NAS
DS1618+, DS918+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi, I am using the mprasil-bitwarden version (which I installed a couple of months ago with the help of your tutorial in my DSM Docker). Actually three persons (users) including me have their own local (DSM) accounts and personal bitwarden vaults here, two of them have the 2FA turned on.
Now I would like to install the bitwardenrs version. My questions are:
1) is there any easy way just to "update" from mprasil to bitwardenrs or will I have to do a completely new installation?
2) should I then first export the vault as a json file (every single file for every single user) and later import it again or not? My database is mapped to /volume1/docker/bitwarden (I can see there these files: db.sqlite3, db.sqlite3-shm, db.sqlite3-wal, rsa_key.der, rsa_key.pem, rsa_key.pub.der) - is this OK and when I configure the new bitwardenrs in the same way as the previous one, will it automatically reconnect to this database again?
3) should I first turn off (disable) the 2FA?

Thanks and sorry for my questions. I am not very familiar with Docker or Linux. But your tutorial is such a great one that even someone like me was able to set everything to get to work without problems.
 

Rusty

Moderator
NAS Support
4,364
1,268
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
In short, you can use this tutorial the same way but with this new image. The point is that mprasil has moved its development to the bitwardenrs image, but underneath it's the same code.

So, my proposition for you is this. Stop your current mprasil container but do NOT delete it. Download the new image, and follow the same steps in the tutorial only this time based on the new image. That also means that you will map the volume to the same destination as before on your local NAS (/volume1/docker/bitwarden). In the end, the new container will use the new image but connect to the "old" volume. As a result, you will pick up right where you left off.

Ofc, I also encourage you to export the vaults beforehand just in case. Turning 2FA off is not needed (at least I didn't do it and it was fine).

When you are sure that all is working well for everyone, delete the old mprasil container (and image).
 
5
0
NAS
DS1511+
Router
  1. RT2600ac
  2. MR2200ac
Mobile operating system
  1. iOS
I followed the update to enable LiveSync. However after removing the DSM Reverse Proxy config, modifying the custom reverse proxy .conf file, making changes to ports (outside I run it on port 4545) and copying the file over, restarting nginx, I lost any other connectivity to my DS1511+. I had to remove the custom reverse proxy config file and restart nginx. Wondering what I did wrong?
 

Rusty

Moderator
NAS Support
4,364
1,268
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Can you explain in detail what you did and where?
 
5
0
NAS
DS1511+
Router
  1. RT2600ac
  2. MR2200ac
Mobile operating system
  1. iOS
Can you explain in detail what you did and where?
This is my .conf file:
Code:
server {
    listen 4545 ssl;
    listen [::]:4545 ssl;

    server_name mydomain.net;

    ssl_certificate /usr/syno/etc/certificate/system/default/fullchain.pem;
    ssl_certificate_key /usr/syno/etc/certificate/system/default/privkey.pem;

    # Web vault and API
    location / {
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors off;
        proxy_http_version 1.1;
        proxy_set_header        Host                $http_host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_pass http://192.168.1.20:4545;
    }

    # WebSocket notifications hub (LiveSync)
    location /notifications/hub {
        proxy_pass http://192.168.1.20:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://192.168.1.20:80;
    }

    error_page 403 404 500 502 503 504 @error_page;

    location @error_page {
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;
    }
}

Screenshot of my outside/inside ports from DSM:
1587318906880.png


My outside SSL port is 4545 that I have configured now in the DSM Reverse Proxy setup
 
157
42
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
Hi,

If 192.168.1.20 is your Syno IP then you could put 127.0.0.1 instead and set the ports in your nginx conf file to match the local ports.
If it's an IP dedicated to your docker container, make sure you can ping it from the Syno SSH console and set the ports to the container port in your nginx conf file.

If it's a dedicated IP for the container and the Syno is not able to reach it, then nginx on the Syno will not be able to pass anything to that IP.
 
Also you might want to rethink the proxy_pass http://192.168.1.20:4545; declaration in location /, as it will use itself as an upstream, but with http instead of https, and thus cause a protocol mismatch. The problem is not the protocol, it is that you introduce a loop. This can't be correct.
 
157
42
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
Good point here from @one-eyed-king, I did not notice you tried to pass http requests to your https port in this declaration.
One more question: are you using the same domain name to access DSM and Bitwarden?
If so, that may explain why you can't access DSM anymore once you have this custom config file activated.
It will redirect anything that has mydomain.net to what you have set in this file.
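
The loop raised in the replies above (a `proxy_pass` that targets the port its own `server` block listens on) can be checked for before a custom .conf is copied to the NAS. This is an added example, not code from the thread or from nginx; the function names are hypothetical, the sample is constructed from the posted config, and it assumes 192.168.1.20 is the NAS's own address, which the thread leaves open.

```python
import re
from urllib.parse import urlsplit

def server_blocks(conf):
    """Yield the body of each `server { ... }` block (comments removed)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def find_self_proxy(conf, own_addrs):
    """Return (listen_port, proxy_pass_url, tls_to_plain) for every proxy_pass
    that targets one of this host's addresses on a port the same server
    block listens on, i.e. the proxy would be its own upstream."""
    findings = []
    for body in server_blocks(conf):
        listens = {}  # port -> True if that listener carries the ssl flag
        for value in re.findall(r"\blisten\s+([^;]+);", body):
            parts = value.split()
            port = re.search(r"(?:^|:)(\d+)$", parts[0])
            if port:
                p = int(port.group(1))
                listens[p] = listens.get(p, False) or "ssl" in parts[1:]
        for url in re.findall(r"\bproxy_pass\s+([^;\s]+)\s*;", body):
            try:
                u = urlsplit(url)
                port = u.port or {"http": 80, "https": 443}.get(u.scheme)
            except ValueError:  # port is an nginx variable; cannot resolve
                continue
            if u.hostname in own_addrs and port in listens:
                findings.append((port, url, listens[port] and u.scheme == "http"))
    return findings

# Constructed sample: the posted config reduced to the relevant directives.
POSTED = """
server {
    listen 4545 ssl;
    listen [::]:4545 ssl;
    server_name mydomain.net;
    location / { proxy_pass http://192.168.1.20:4545; }
    location /notifications/hub { proxy_pass http://192.168.1.20:3012; }
    location /notifications/hub/negotiate { proxy_pass http://192.168.1.20:80; }
}
"""
```

An empty result only means no upstream points back at a listener in the same block; whether the container is reachable on the chosen address and port still has to be checked from the NAS itself.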
 
