BitWarden - self hosted password manager using vaultwarden/server image

Docker BitWarden - self hosted password manager using vaultwarden/server image

Yes... I should use the term "vault". I select json, as it is the format KeePass (my "go to" password app, after Bitwarden) defaults to when importing Bitwarden accounts. Is it preferable? For me, yes.
Also, BW also advocates for json in their KB.
 
I saw on VW discourse that you’re able to view logs for VW by going into the data folder. In my docker folder I have a bitwarden folder, which contains the attachements & icon cache folder, the SQLite3 DB, and config.json file. Where does the VW instance installed thru synology keep VW’s logs,”?

 
I saw on VW discourse that you’re able to view logs for VW by going into the data folder. In my docker folder I have a bitwarden folder, which contains the attachements & icon cache folder, the SQLite3 DB, and config.json file. Where does the VW instance installed thru synology keep VW’s logs,”?

By default VW will not have a log generated unless you have not configured it.

Add the following as a variable: LOG_FILE=/data/vaultwarden.log and recreate the container.
 
By default VW will not have a log generated unless you have not configured it.

Add the following as a variable: LOG_FILE=/data/vaultwarden.log and recreate the container.

Can I turn the container off, add the variable and then turn the container back on? Or does this require actually deleting the existing container and creating a new one?
 
Can I turn the container off, add the variable and then turn the container back on? Or does this require actually deleting the existing container and creating a new one?
Personally, I just recreate the container from the compose that I update with various elements from time to time (or change them). That does indeed delete the old one and make a new one using the existing volume bind, but I think stopping should be enough as well.
 
Personally, I just recreate the container from the compose that I update with various elements from time to time (or change them). That does indeed delete the old one and make a new one using the existing volume bind, but I think stopping should be enough as well.

I stopped the container, edit, advance settings, and added the value as an environment variable…worked like a charm, thank you!
 
Last edited:
Back with another scratching my head moment 🤔. For about a month I’ve been attempting to figure out why by BW iOS app stopped showing vault icons. The iOS app was the only one affected, whereas the desktop app, web vault and chrome extension were working fine.

I’ve now linked the issue back to the TLS/SSL Profile level under dsm settings-security-advanced. In order for the vault icons to show in BW iOS, the profile needs to be intermediate profile whereas I had pushed it up to modern.

I had been running intermediate for a while, due to DS audio not liking the modern profile as well; the app would not login at all when I was outside of my network. A recent ds audio update had recently made it possible to now change this TLS/SSL Profile to modern and able to login with no problems.

Well now I discovered that the modern profile will not allow the Vaultwarden/bitwarden vault icons to show on BW iOS app.

Can anyone educate why this is? Or maybe something can be tweaked somewhere (such as new info since the original posted resource) that would make it possible to have a modern profile. I don’t know this area but I did a TLS Inspector app on the differences between when I had intermediate vs modern and saw intermediate (which dsm states is TLS 1.2/1.3) has some sort of HTTP headers, whereas modern (TLS 1.3) doesn’t. Could I add some sort of custom header entry into my reverse proxy entry (which is setup through Synology as well) to help pass the modern profile? 😬
 
Are we able to update/add to the resource regarding securing the admin token in Vaultwarden? A recent update now allows you to secure the admin token using a secure Argon 2 PHC sting. There is a link here to a wiki but after reading that I'm a little lost as to how I can do any of that in a Synology setup.

Link to wiki


1681391248209.png
 
I'm a little lost as to how I can do any of that in a Synology setup
Simply enter the running VW container using the attach command or maybe via Portainer and its console tool.

In any event once you land inside the container, you can then run hash command
 
Simply enter the running VW container using the attach command or maybe via Portainer and its console tool.

In any event once you land inside the container, you can then run hash command
Rusty, would you be willing to prepare simple/short step by step tutorial for it (what needs to be done in Portainer or in a VW container, inside the Syno Docker - which one you prefer)? I would like to make my VW more secure too by hashing the admin token, but I am not very confident to just try something without help of someone much more experienced than me... :)
I just don't want to lock or corrupt my whole bitwarden thing without possibility to revert.
Thanks a lot!
 
I'm using the VW container in the default docker app and not Portainer. For my needs I only have two containers, and try to keep the setups minimalized to so its less work in case of a total rebuild.
 
Rusty, would you be willing to prepare simple/short step by step tutorial for it (what needs to be done in Portainer or in a VW container, inside the Syno Docker - which one you prefer)? I would like to make my VW more secure too by hashing the admin token, but I am not very confident to just try something without help of someone much more experienced than me... :)
I just don't want to lock or corrupt my whole bitwarden thing without possibility to revert.
Thanks a lot!
Sure. Driving now and will be home later tonight. Will post an update when I get around to do it unless someone else beats me to it.
 
Just follow Enabling admin page

  1. Go to Docker
  2. Select > Container > vaultwarden
  3. Open "Details" > "Terminal" > "Create" > open bash Terminal
  4. run ./vaultwarden hash --preset owasp
  5. Enter a new password > copy created hash
  6. replace Token in your config.json with this hash (probably located at "docker/vaultwarden/" on your Synology)
    it should look something like
    Code:
    ADMIN_TOKEN="$argon2id$v=19$m=65540,t=3,p=4$MmeK....."
  7. restart docker
that's what I just did.
Enter Admin web interface using https://…vaultwarden…/admin and your choosen password.

all the best,
paradeiser
 
Last edited:
I'm getting a Socket closed, when clicking terminal; normal?

1681393566516.png

-- post merged: --

Got past socket closed, by accessing the NAS using its local ip rather than RP domain name.

Followed steps above on a test container I made for VW. I had the output ADMIN_TOKEN='$argon2id.... I took everything between the quotes ' ' since in the json config there already is a "admin_token": line item. I pasted into json config, now getting admin panel is disabled.

When I pasted into config file, I took the output copied and then in config file highlighted my existing plain text admin password and pasted. Do I need to remove the quotes around the newly argon output?
-- post merged: --

Initially when setting up the VW container, I did have an admin token environment variable, does this now need to be removed? Is this causing a conflict?
 
Figured it out, the docker terminal output creates a multi line output if you paste it into a notepad. You need to back out any spaces or line returns and make it one line.

Thank you,
 
One thing puzzling me about VW... When I launch/connect outgoing VPN on my laptop, and open my browser (Firefox), the Bitwarden extension is logged out, and I cannot log in again as my VPN is out-of-country.

The extension is not set to log out when the browser is closed, so this is somehow linked to the VPN. I thought that my VW data was cached, so it could be used without a 'net connection, but I'm missing something. I need the extension to remain logged in with access to my logins. Any ideas?
 
One thing puzzling me about VW... When I launch/connect outgoing VPN on my laptop, and open my browser (Firefox), the Bitwarden extension is logged out, and I cannot log in again as my VPN is out-of-country.

The extension is not set to log out when the browser is closed, so this is somehow linked to the VPN. I thought that my VW data was cached, so it could be used without a 'net connection, but I'm missing something. I need the extension to remain logged in with access to my logins. Any ideas?

I just somewhat tested this on a Google Chrome browser with the extension. I pulled the network cable out of the computer, closed the browser, opened the browser, found the extension to be locked (my setting is set to locked rather than logged out). I logged back in and all of my vault items were there.

Can you just test with the VPN using a chrome browser and extension? Wondering if this maybe a Firefox relating thing rather than having anything to do with the VPN. Essentially me pulling the network cable from the computer is similar to you being able to connect to the VPN.
 
Last edited:
I pulled the network cable out of the computer, closed the browser, opened the browser, found the extension to be locked (my setting is set to locked rather than logged out).
Thanks. I'm at my Desktop PC, but tried your flow using Firefox. Pulled Ethernet cable, closed and reopened Firefox, and the extension stayed active (not locked not logged out).

Desktop had the same VPN issue... Firefox open, make out of country VPN connection... I forgot to close browser first, so I closed it with VPN active, and reopened it. Upon reopening, extension logged out. Before I closed FF the icon was active (I didn't open the extension to see if it worked). FWIW my VW connection is via Cloudflare tunnel.

EDIT1:
This is somehow related to my Cloudflare country blocking. Here's what I did.
1. Opened FF with VW unlocked.
2. Opened domestic VPN. VM extension was functional. Closed and reopened FF and extension was unlocked/functional.
3. Changed to foreign VPN. Closed/reopened FF... and VW extension locked.

I'm unsure there is a way around this. Guess I'll need to figure out a means to log in to VW via LAN. I'm unsure how to do that since VW expects a cert.
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top