BitWarden - self hosted password manager using vaultwarden/server image

If you run a caching dns resolver like PiHole or Unbound, you can add a dns override for the vw domain and resolve it to your Diskstation.

I have an OPNsense HA setup with carp ip (one for ipv4, one for ipv6) with Unbound on it. My lan router announces the carp ips as dns server via dhcp to the devices in the network. Speeds up name resolution and allows overriding name resolution for arbitrary domain names.
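An added example of the override described above, written here for this thread and not taken from Vaultwarden, OPNsense or Unbound documentation. It emits the Unbound `local-zone`/`local-data` lines that make the vault host name resolve to the Diskstation on the LAN and writes them into a config file; the host name `vault.example.com`, the addresses and the output path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an Unbound override so that
# the Vaultwarden host name answers with the Diskstation's LAN address instead of
# the public record. All names and addresses below are placeholders.

# Emit the Unbound directives for one host.
# $1 host name, $2 IPv4 address, $3 optional IPv6 address.
unbound_override() {
    host=$1; v4=$2; v6=$3
    # "transparent": this name is answered from local data only; every other
    # name is resolved normally. A record type with no local data (e.g. AAAA
    # when only an A is given) gets an empty answer, not the public record, so
    # the override cannot be bypassed over IPv6 by accident.
    printf 'local-zone: "%s." transparent\n' "$host"
    printf 'local-data: "%s. A %s"\n' "$host" "$v4"
    [ -n "$v6" ] && printf 'local-data: "%s. AAAA %s"\n' "$host" "$v6"
    return 0
}

# Write the directives, indented under a "server:" section, to $1 and validate
# them with unbound-checkconf when Unbound is installed on this machine.
# $1 output file, $2 host name, $3 IPv4, $4 optional IPv6.
write_override_conf() {
    out=$1
    {
        echo "server:"
        unbound_override "$2" "$3" "$4" | sed 's/^/    /'
    } > "$out"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$out"
    fi
}

# Usage: writes to a temporary file here. On the resolver itself the target would
# be a file that unbound.conf includes (path depends on the distribution), followed
# by "unbound-control reload".
demo_conf=$(mktemp)
write_override_conf "$demo_conf" vault.example.com 192.168.1.10 fd00::10
cat "$demo_conf"
rm -f "$demo_conf"
```

If the LAN has IPv6 and the Diskstation is reachable over it, give the AAAA as well; otherwise leave it out and the empty AAAA answer keeps clients on the IPv4 override. Point the override at whatever terminates TLS for the vault on the LAN (the Synology reverse proxy on 443 in the setup discussed later in this thread), not directly at the Vaultwarden container port, or the certificate will not match.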
 
Isn’t the vault cached in the browser extension or browser? Telos if you can give it a shot to rule out a browser issue, can you try chrome browser with chrome extension. Configure the extension settings the same, set to lock not log out…connect thru vpn and do what you did as on Firefox.

I’ve tried again on my end this time going thru vpn and my vault stayed logged in, but locked and all items were there. The data is cached in the browser.
 
@Gerard is of course right, the vault should be cached.

@Telos I assume you can rewrite the returned a-record for a domain lookup here:
[screenshot]


Have you checked if the browser's developer tools (point somewhere into the extension popup and "inspect") network tab provides clues about what's going on? Even though the extension id obfuscates the domain on many calls, you should still see a status code that might indicate what's going on.
 
Have you checked if the browser's developer tools
I don't have access to the laptop at present, but I thought it odd that the issue only occurs with foreign VPNs, not domestic... Which, coincidentally conforms to my CF tunnel restrictions. For this reason, I less suspect the browser. But I'll check. Thanks.
 
Rusty updated BitWarden - self hosted password manager using vaultwarden/server image with a new update entry:

Securing the ADMIN_TOKEN

Previously the ADMIN_TOKEN could only be in a plain text format. You can now hash the ADMIN_TOKEN using Argon2 by generating a PHC string.

This can be generated by using a built-in hash command within Vaultwarden, or using the argon2 CLI tool.

Here are a few examples of how to start with the generation of the PHC string using the Vaultwarden 1.28.0 (or newer) version of the image.

Bash:
# Using...

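An added example for the update entry above; it is not the entry's own commands and not Vaultwarden's code. It checks that an Argon2 PHC string is complete and carries the expected parameters before it goes into ADMIN_TOKEN, and escapes it for docker-compose, where a bare `$` would be interpolated. The sample string is constructed and is not a real token; the argon2 CLI invocation in the comment follows the CLI's `-e -id -k -t -p` switches, and the path `/vaultwarden` inside the image is an assumption.

```shell
#!/bin/sh
# Added example, not from the original update entry. Validates an Argon2 PHC
# string for Vaultwarden's ADMIN_TOKEN and escapes it for docker-compose.
#
# Generating the string (needs the argon2 CLI; not executed here):
#   echo -n 'MyAdminPassword' | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
# or with the image's built-in command (vaultwarden 1.28.0 or newer; binary path assumed):
#   docker exec -it vaultwarden /vaultwarden hash

# Return 0 when $1 is a complete argon2id PHC string with m=, t= and p= set
# and base64 salt and hash fields; 1 otherwise (e.g. a plain-text token or a
# string cut short when copied from a terminal).
phc_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^\$argon2id\$v=19\$m=[0-9]+,t=[0-9]+,p=[0-9]+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$'
}

# Print the memory cost in KiB from the PHC string so a weak setting is easy to spot.
phc_memory_kib() {
    printf '%s\n' "$1" | sed -E 's/^\$argon2id\$v=19\$m=([0-9]+),.*/\1/'
}

# docker-compose interpolates "$VAR" in compose and .env files, so every "$"
# in the token must be doubled to "$$". Not needed for docker run -e '...'.
escape_for_compose() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Constructed sample (not a real token): salt and hash are placeholder base64.
SAMPLE='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo'

if phc_is_valid "$SAMPLE"; then
    echo "valid argon2id PHC string, memory cost $(phc_memory_kib "$SAMPLE") KiB"
    echo "ADMIN_TOKEN=$(escape_for_compose "$SAMPLE")"
else
    echo "not a complete argon2id PHC string" >&2
fi
```

The escaped form belongs only in compose or `.env` files; pasting it into the admin page login, or into a `docker run -e` with single quotes, would be wrong because there the token is taken literally. Run the check on the exact string you are about to deploy: a PHC string that lost its last characters on copy still starts with `$argon2id$` but will never match any password.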
 
can you try chrome browser with chrome extension
Same response. Open browser, icon initially comes up "blue" then after a few seconds, goes "gray" (logged out). This is region specific (non-domestic) on my OpenVPN app. Seems related to tunnel restrictions, but I don't understand how this is triggering logout (an unintended security "feature").
 
Same response. Open browser, icon initially comes up "blue" then after a few seconds, goes "gray" (logged out). This is region specific (non-domestic) on my OpenVPN app. Seems related to tunnel restrictions, but I don't understand how this is triggering logout (an unintended security "feature").

Ok good (but also bad) to hear same result. Yea this makes no sense.
 
I assume you can rewrite the returned a-record for a domain lookup
This doesn't seem to work since I use CF tunnel here, and there is no local RP to redirect the subdomain traffic to the proper Vaultwarden port. I suppose I need to create an RP entry which would redirect vault.domain.com to NAS_IP:VW_Port.

Is that correct? Or something else?
 
For whatever reason I assumed you use the syno rp and have a letsencrypt certificate there.

If you establish a connection from the CF tunnel to the DSM:VW_Port, and CF handles the TLS certificate, then indeed you will need to create a rp rule for the same domain on port 443 on the syno + add a LE certificate.

Also, it shouldn't be a redirect (as in rewrite the url and forward to the new url), it must be an override of the a-record response.
 
When I launch/connect outgoing VPN on my laptop, and open my browser (Firefox), the Bitwarden extension is logged out,
To bring pseudo-closure to this, I've withdrawn from CF tunnel for this application, recognizing that CF has unencrypted access to all tunnel traffic. Seems like a bad plan for use with Vaultwarden, or any "private" content. Using RP alone, and the VPN usage has no similar effect.

Overall I'm soured on CF tunnels... unless you are running a public web page or the like.
 
To bring pseudo-closure to this, I've withdrawn from CF tunnel for this application, recognizing that CF has unencrypted access to all tunnel traffic. Seems like a bad plan for use with Vaultwarden, or any "private" content. Using RP alone, and the VPN usage has no similar effect.

Overall I'm soured on CF tunnels... unless you are running a public web page or the like.

Wild that CF was the cause of this. Glad you have closure!
 
