Not exposing bitwarden to the internet

Hey,

I’ve been using bitwarden for a while now, but it was always running on an ubuntu system. I decided to switch to unraid because my old setup was a mess. I’m using wireguard as a VPN solution, so I’m always able to connect into my home network; that’s why I don’t want to expose any service to the internet, especially not bitwarden! With the setup I used that was working like a charm, and of course I expected this to be true for bitwardenrs. But all tutorials explain how to expose the server to the internet, and if I don’t follow this guide I don’t get an SSL certificate, thus I cannot connect to the server (even from inside).

I do not need https, I trust my home network, but if I have to use https, I can do that. But I would need an explanation of how to be able to use bitwardenrs without having a port forward to my home server.

Any help is welcome. I’m not an expert in https or certificates, but in general I’m not completely moronic when it comes to following instructions. :wink:

Thank you already,
Autchi

Hey,
you are correct, you either need a port forward (but then your bitwarden is exposed to the internet) or you connect to your network via VPN. If you don’t use HTTPS, be aware of the following:

IMPORTANT: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like Cannot read property 'importKey'. To solve this problem, you need to access the web vault from HTTPS.

I suppose you can just use the standard installation procedure from the docs anyways and come back if something does not work.

What exactly does not work now?
What do the logs say? docker logs --tail 10 YOURBITWARDENCONTAINER

2 more setups to consider

  1. Use a linuxserver.io swag image as reverse proxy and DuckDNS for dynamic DNS.
  2. Rent a cheap server for $3/month on netcup or similar and set up either a bare bitwarden or bitwarden in conjunction with the swag image.

You can use ACME with DNS challenge to get proper certs even if your server isn’t publicly accessible. You’ll have to figure out the details for your particular setup, but there’s an example at https://github.com/dani-garcia/bitwarden_rs/wiki/Running-a-private-bitwarden_rs-instance-with-Let’s-Encrypt-certs.

Hello,

I am using bitwardenrs the same way you do. Without https only the web interface won’t work as far as I know, but both the desktop app and the browser plugin will work.

However, a couple of months ago I decided to use a self-signed cert for all my internal deployments, and the internal CA that signs this cert is trusted by all my devices.

Bitwardenrs is also working very well with this setup, with no issues at all.

Let me know what is not working for you; happy to help.

Hey Guys,

thank you for your answers! I looked into the solutions you suggested. I think the one I will go for is the http solution; it sucks, but I didn’t manage to get Caddy running on my unraid system. I will keep this in mind as soon as I’m more comfortable with this operating system.

Thank you for your support,
Autchi

Know that http will not work for the web-vault and some clients.
Also some other features could have issues.

Thank you for this information, I’m aware of the web-vault drawback. Currently it’s running in some kind of hybrid mode where I can always switch it to https, where I can access it externally; this is used to write back the data etc.
I never noticed any other drawbacks, what features are you referring to?

Some MFAs will not work, but I think that is about it.

What does MFA stand for? :slight_smile:

I’m thinking about putting my Vaultwarden through a VPN and removing my reverse proxy to take it off the internet for added security. I’m also on unRAID and have WireGuard set up, but not for Vaultwarden. Would you be open to sharing how you set yours up and whether you’ve run into any issues without HTTPS?

I would recommend against not having HTTPS of some sort, as the mobile application, Chrome, and I believe even the browser extension can have weird issues with trying to connect over standard http, from what I understand.

Even something such as a self-signed cert, with the added bit of having to add that self-signed cert to your devices’ trust store.
Bitwarden really is meant to run over https and more or less expects to do so, unless you plan to only run the local webvault, in which case I don’t believe this will be an issue.

The clients mostly work, except for the web client, which needs https for the crypto libraries to work.

Also, u2f/webauthn needs https, else it will not work.
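As an added example (not from this thread or the Vaultwarden project), a small Python check for the private-HTTPS setup discussed above: it confirms the vault name resolves only to LAN/WireGuard addresses, does a TLS handshake verified against the internal CA (or whatever CA issued the DNS-challenge cert) including the hostname check, reports certificate expiry, and shows which origins browsers treat as a secure context for Web Crypto and WebAuthn. VAULT_HOST and CA_BUNDLE are constructed placeholders, and check_vault() needs the VPN up.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

VAULT_HOST = "vault.example.duckdns.org"  # constructed example name, not a real host
CA_BUNDLE = "/etc/ssl/private-ca.pem"     # hypothetical path to the internal CA PEM


def is_private_address(ip: str) -> bool:
    """True for RFC 1918, ULA, loopback or link-local addresses: a vault that is
    meant to stay off the internet should resolve only to LAN/WireGuard ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def is_secure_context(url: str) -> bool:
    """Approximate the browser 'secure context' rule that gates Web Crypto (the
    importKey error) and WebAuthn: https, or plain http only on localhost."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https":
        return True
    if parts.scheme != "http":
        return False
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith(".localhost")


def days_until_expiry(not_after: str, now=None) -> int:
    """Parse the notAfter string ssl.getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def check_vault(host=VAULT_HOST, port=443, cafile=CA_BUNDLE) -> dict:
    """Resolve the host, do a TLS handshake verified against cafile (chain and
    hostname) and report who issued the cert and how long it stays valid."""
    addrs = {info[4][0] for info in socket.getaddrinfo(host, port)}
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {
        "addresses": sorted(addrs),
        "all_private": all(is_private_address(a) for a in addrs),
        "issuer": dict(rdn[0] for rdn in cert["issuer"]),
        "days_left": days_until_expiry(cert["notAfter"]),
        "secure_context": is_secure_context(f"https://{host}:{port}"),
    }
```

If all_private comes back False, the DuckDNS name points at a public address and the vault is reachable without the VPN; a failed handshake means the client does not trust the CA that issued the cert.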

Does anyone have the patience to outline how to implement the method above using Caddy or Swag via dockers in unRAID, so I can get HTTPS without exposing my vault to the internet? The goal is to access it through WireGuard. I’d be using DuckDNS.

Considering the popularity of the guide posted by Spaceinvaderone, I’m confident that I’m not the only one looking into this option to improve security.

Thanks in advance