The purpose of this guide is to show you how to install Vaultwarden and allow you to access it safely over the internet through Swag in Unraid.
Vaultwarden is a self-hosted password manager based on Bitwarden.
SWAG - formerly known as letsencrypt is an Nginx webserver and reverse proxy that offers a safe way to host Vaultwarden through the internet. It offers this safety through:
- fail2ban - an instrusion prevention software that prevents brute-force attacks
- SSL certs - Encrypted data transmission.
- Reverse Proxy (From Spaceinvader One video):
- Allows online access
- Redirects requests made to it to other places behind a firewall
- Additional layer of abstraction and therefore additional security.
DuckDNS - Free dynamic DNS. Support the project through their Patreon
This guide is mostly taken from Spaceinvader One's videos but with updated information.
How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX
Easily Setup a Bitwarden/vaultwarden Server on Unraid or a VPS for Password Management
DuckDNS allows us to track our WAN IP. This IP changes often depending on your ISP so this is whyDuckDNS is needed. With DuckDNS, you can easily access your server at myUnraidServer.duckdns.org
- Go to https://www.duckdns.org/
- Create an account and add 2 domains.
- The first domain points directly to your Unraid server. Example:
myUnraidServer.duckdns.org - The second domain points to your Vaultwarden container. Example:
myUnraidServerVaultwarden.duckdns.org
- The first domain points directly to your Unraid server. Example:
- Make sure you write this down somewhere, or can remember it
- Go to APPS/Unraid Community Applications and install Linuxserver.io's duckdns container
| Container Variables | Value | Details |
|---|---|---|
| Repository | linuxserver/duckdns | |
| Network Type | Host | |
| Privileged | On | |
| SUBDOMAINS | myUnraidServer.duckdns.org, myUnraidServerVaultwarden.duckdns.org | These are the custom domain names you made in DuckDNS |
| TOKEN | yourDuckDNS_Token | Your token from https://www.duckdns.org/ |
- On your Router port forward your server ports:
| External Port | Internal IP | Internal Port |
|---|---|---|
| 80 | myUnraidServerLanIpAddress | 180 |
| 443 | myUnraidServerLanIpAddress | 1443 |
The Internal Port numbers do not matter, just make sure they're not used by other services on your server and take note of them.
In Unraid, create a UserDefined Bridge. There are many reasons to do this but here are some from docs.docker
- User-defined bridges provide automatic DNS resolution between containers
- User-defined bridges provide better isolation
- Containers can be attached and detached from user-defined networks on the fly
- Each user-defined network creates a configurable bridge
- Linked containers on the default bridge network share environment variables
- Disable Docker by going to Unraid Settings>Docker>
Enable Dockerset toNothen apply - Under Docker settings and with
Advanced Viewenabled, setPreserve user defined networkstoYes - Reenable Docker Unraid Settings>Docker>
Enable Dockerset toYesthen apply - Open an Unraid Terminal then run:
docker network create myNetName
We are now ready to install the SWAG container.
- Go to APPS also known as Unraid's Community Applications and install linuxserver's swag:
Overview:
SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
| Container Variables | Value | Details |
|---|---|---|
| Repository | lscr.io/linuxserver/swag | |
| Network Type | myNetName | This is the custom network or UserDefinedBridge |
| WebUI | 1443 | This is the custom internal port that was forwarded |
| Port 80 | 180 | This is the custom internal port that was forwarded |
| URL | duckdns.org | |
| VALIDATION | http | |
| SUBDOMAINS | myUnraidServer, myUnraidServerVaultwarden | These are the custom domain names you made in DuckDNS |
| DNSPLUGIN | duckdns | |
| yourEmail@whatever.com | ||
| STAGING | false | |
| DUCKDNSTOKEN | yourDuckDNS_Token | Your token from https://www.duckdns.org/ |
| Log Storage Path | /mnt/user/appdata/logs/ | See Log Storage Path |
| Appdata | /mnt/user/appdata/swag | |
This is used for fail2ban.
Under SWAG's docker settings, Add another Path, Port, Variable, Label or Device
| Setting | Value |
|---|---|
| Config Type | Path |
| Name | Log Storage Path |
| Container Path | /logs |
| Host Path | /mnt/user/appdata/logs/ |
| Default Value | |
| Access Mode | Read Only |
Create a folder wherever you would like. In my case I used /mnt/user/appdata/logs
Under /appdata/swag/nginx/proxy-confs/ or where Appdata variable is set for swag: swag/nginx/proxy-confs/
Create a new file named vaultwarden.subdomain.conf. There should be samples for different services under swag/nginx/proxy-confs/
Refer to the vaultwarden.subdomain.conffile attached to this guide.
Install the vaultwarden container.
- Go to APPS/Unraid's Community Applications and install vaultwarden:
| Container Variables | Value | Details |
|---|---|---|
| Repository | vaultwarden/server | |
| Network Type | myNetName | This is the custom network or UserDefinedBridge |
| WebUI HTTP Port | 4743 | |
| SIGNUPS_ALLOWED | false | |
| INVITATIONS_ALLOWED | false | |
| WEBSOCKET_ENABLED | true | |
| ADMIN_TOKEN | yourTemporaryPassword | See ADMIN_TOKEN |
| LOG_FILE | /logs/vaultwarden.log | |
| Log Storage | /mnt/user/appdata/logs/ | |
| Storage | /mnt/user/appdata/vaultwarden |
On your Unraid terminal, run:
openssl rand -base64 48
Use the output as your ADMIN_TOKEN
Important: The ADMIN_TOKEN should be hashed after the initial setup.
While the vaultwarden container is running, on your Unraid terminal:
docker exec -it vaultwarden /vaultwarden hash
- Click on the Vaultwarden container and press the WebUI button. This should take you to the admin page
myUnraidServerLanIpAddress:4743/admin. - Change the
Domain URLtohttps://myUnraidServerVaultwarden.duckdns.org. This should be the DuckDNS domain you set up in [[#DuckDNS]]. - Secure the [[#ADMIN_TOKEN]].
- Optional: Follow Spaceinvader One's video to enable SMTP Email
- Under General settings, temporarily enable
Allow new signups - Save/Apply the settings by pressing the
Savebutton on the bottom left of the UI. - Restart the Vaultwarden container.
- Go to
https://myUnraidServerVaultwarden.duckdns.organd create an account. - Go back to the Vaultwarden admin panel, General settings > disable
Allow new signups - IMPORTANT Edit
vaultwarden.subdomain.confat/appdata/swag/nginx/proxy-confs/to disable the admin panel from WAN access but allow local/LAN access or just disable the admin panel altogether.
Swag also includes fail2ban.
We can setup fail2ban to read Vaultwarden's logs and ban an IP address if attempted logins exceed a certain amount.
- On
/appdata/swag/fail2ban/jail.local
Add a new jail:
[vaultwarden]
enabled = true
port = http,https
filter = vaultwarden
action = iptables-allports[name=vaultwarden]
logpath = /logs/vaultwarden.log
maxretry = 5
bantime = 14400
findtime = 14400
- On
/appdata/swag/fail2ban/filter.d/Create a new file:vaultwarden.conf
# https://github.com/dani-garcia/bitwarden_rs/wiki/Fail2Ban-Setup
# - Set up logging to file > https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
# - Set logging level to warn or error
# Logged in bwdata/logs/identity/Identity/log.txt
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
- Verify fail2ban works by using a VPN and fail login past the
maxretryvalue(default is 5)- Logs are located at
/appdata/swag/log/and/appdata/logs - You can unban an IP using the following command on your Unraid terminal:
sudo docker exec -t fail2ban fail2ban-client set vaultwarden unbanip XX.XX.XX.XX
- Logs are located at