How to setup vaultwarden

I just installed dietpi on my raspberry pi 4 and I am trying to run vaultwarden.

I installed it using sudo dietpi-software. Now I have no idea what to do to set it up. I can’t find a guide for dietpi, I only can find guides for docker installs but this doesn’t seem to use docker.

have a look at our online docs: DietPi Documentation - DietPi.com Docs

There all our tools are described, including dietpi-software. This will give an idea on how to install optimized software.

according to our docs, just open https://<your.IP>:8001 (Cloud and Backup Systems Software Options - DietPi.com Docs)

Vaultwarden is completely configured and ready to use once installation has finished

correct, we have created a Debian apt package for our users to save time and resources.

thank you so much i had no idea the docs existed for each package. sorry for wasting your time.

so i followed the guide, i am stuck at the part where I have to add the certificates.

I used sudo dietpi-letsencrypt to create a cert. I don't get how to add it to the config file located at ‘/mnt/dietpi_userdata/vaultwarden/vaultwarden.env’

I can't find the pem files created by letsencrypt

how do you plan to access Vaultwarden at the end? Via https://<your.DDNS.com>:8001?

i found the files at /etc/letsencrypt/something.ddnsaddress.com/… and changed the variable in the .env file but now I cant even access the login page in http mode.

yes i plan to use something.ddns…

I checked the vaultwarden logs, it says

Dec 18 21:34:31 DietPi vaultwarden[479]: [INFO] No .env file found.
Dec 18 21:34:31 DietPi vaultwarden[479]: Error: Rocket.
Dec 18 21:34:31 DietPi vaultwarden[479]: Custom {
Dec 18 21:34:31 DietPi vaultwarden[479]: kind: PermissionDenied,
Dec 18 21:34:31 DietPi vaultwarden[479]: error: "error reading TLS file /etc/letsencrypt/live/my.ddns.com/cert.pem: Permission denied (os error 13)",
Dec 18 21:34:31 DietPi vaultwarden[479]: },

should i be using the sudo account to run vaultwarden or something?

This is not gonna work. Vaultwarden has no access to these files.

Question is, if you like to access Vaultwarden via port 8001 or without using something like a sub path on your domain. Means without the need to enter port 8001 on your URL

i would like to be able to use the bitwarden client on my phone and the bitwarden apps on the computer to access my raspberry pi. So i think it has to work without the 8001 right?

in this case you should think of using a reverse proxy. This would simplify the usage of SSL certificates as well. Typically, a web server like Nginx or Apache would do.

So can i install frp or nginx using the dietpi-software installer?

Is there a guide for dietpi on how to set these up for vaultwarden?

Use Nginx via our installer. I would recommend using dietpi-letsencrypt to setup SSL on Nginx next. Once done you could configure the proxy for Vaultwarden

We don’t have a direct guide. Just have a look at the proxy examples on the Vaultwarden GitHub: Proxy examples · dani-garcia/vaultwarden Wiki · GitHub. You could use them as a starting point.

should i be modifying the file located at /etc/nginx/nginx.conf ?

No, don’t touch the main configuration file. Better to create your own configuration at /etc/nginx/sites-dietpi/*.conf;

I tried this in the directory you recommended, it still doesn’t work. Did i miss anything out?

server {
  listen 443 ssl http2;
  server_name myddnsname.ddnsprovider.com;

  ssl_certificate /etc/letsencrypt/live/myddnsname.ddnsprovider.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/myddnsname.ddnsprovider.com/privkey.pem;

  # Specify SSL config if using a shared one.
  #include conf.d/ssl/ssl.conf;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass http://127.0.0.1:80;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
   }

  location /notifications/hub/negotiate {
    proxy_pass http://127.0.0.1:80;
  }

}

also my vaultwarden is only listening to port 8001, not sure what i did wrong there,

dietpi@DietPi:~$ ss -tulpn | grep LISTEN
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      1024         0.0.0.0:8001       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*

the whole server block is not needed. should be fine to use location section only. As well you need to disable HTTPS on vaultwarden, to allow HTTP connection. We did something similar for lighttpd Confused Reverse proxy and vaultwarden - #45 by IIMustangII1151 and Confused Reverse proxy and vaultwarden - #21 by Joulinar

nano /mnt/dietpi_userdata/vaultwarden/vaultwarden.env

change the following things

IP_HEADER=X-Forwarded-For
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=0.0.0.0
WEBSOCKET_PORT=3012
DOMAIN=https://domain.com
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}

the domain line must look exactly like this?

I did DOMAIN=https://myadd.ddnsprovider.com,

now the vaultwarden log shows,

Dec 18 22:49:02 DietPi vaultwarden[485]: [2022-12-18 22:49:02.312][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
Dec 18 22:49:02 DietPi vaultwarden[485]: [2022-12-18 22:49:02.325][start][INFO] Rocket has launched from http://0.0.0.0:8001
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.940][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59194
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.942][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59195
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.953][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59196
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.955][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59197
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.956][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59198
Dec 18 22:50:04 DietPi vaultwarden[485]: [2022-12-18 22:50:04.958][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59200
Dec 18 22:50:05 DietPi vaultwarden[485]: [2022-12-18 22:50:05.983][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59204
Dec 18 22:50:05 DietPi vaultwarden[485]: [2022-12-18 22:50:05.985][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59205
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.098][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59206
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.100][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59207
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.120][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59208
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.120][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59209
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.122][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59211
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.123][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59212
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.913][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59214
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.915][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59215
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.921][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59216
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.923][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59217
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.923][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59218
Dec 18 22:50:06 DietPi vaultwarden[485]: [2022-12-18 22:50:06.925][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59220
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.945][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59228
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.947][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59229
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.955][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59230
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.956][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59231
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.957][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59233
Dec 18 22:50:11 DietPi vaultwarden[485]: [2022-12-18 22:50:11.958][vaultwarden::api::notifications][INFO] Accepting WS connection from 192.168.1.99:59234

Played with it. At least I don’t have these entries on my log. But it’s information only about connection from local IP 192.168.1.99

that should be fine. Are you able to access Vaultwarden locally using http://you.ip.address:8001 now??

My Nginx setup is as follows

nano /etc/nginx/sites-dietpi/vaultwarden.conf

added following

    location / {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:8001;
    }

    location /notifications/hub/negotiate {
      proxy_http_version 1.1;
      proxy_set_header "Connection" "";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:8001;
    }

    location /notifications/hub {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Forwarded $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://you.ip.address:3012;
    }

next, remove the root location from the default config file to avoid a duplicate location /

nano /etc/nginx/sites-available/default

mark lines for location / using #

#       location / {
#               try_files $uri $uri/ =404;
#       }

Restart Nginx and you should be done

systemctl restart nginx.service
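
Added example, not part of any post above and not DietPi's or Vaultwarden's own code: a shell check for the `vaultwarden.env` changes listed earlier in the thread, for the setup where Nginx terminates TLS. The function names, the sample file and `vault.example.com` are constructed; `ROCKET_ADDRESS` is a Vaultwarden setting that does not appear in the thread, and the 127.0.0.1 advice assumes Nginx runs on the same host.

```shell
#!/bin/sh
# Added example (not DietPi's or Vaultwarden's code): audit vaultwarden.env
# for a setup where Nginx terminates TLS and proxies to Vaultwarden over HTTP.

# Print the last uncommented value of KEY ($1) in FILE ($2); empty if none.
env_get() {
  sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Print one finding per line; return 0 if the file is clean, 1 otherwise.
audit_vw_env() {
  f=$1; rc=0
  # Built-in TLS makes Vaultwarden read the key files itself, which is the
  # "Permission denied (os error 13)" from the thread. The proxy does TLS.
  if [ -n "$(env_get ROCKET_TLS "$f")" ]; then
    echo "ROCKET_TLS: set, comment it out behind the proxy"; rc=1
  fi
  # DOMAIN must be a bare https origin: no trailing comma, no pasted markup.
  if ! env_get DOMAIN "$f" |
       grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._/-]*)?$'; then
    echo "DOMAIN: not a clean https:// URL"; rc=1
  fi
  # IP_HEADER must name a header the Nginx config sets; unset means
  # Vaultwarden's default, X-Real-IP.
  case "$(env_get IP_HEADER "$f")" in
    ""|X-Forwarded-For|X-Real-IP) ;;
    *) echo "IP_HEADER: not a header set by the Nginx config"; rc=1 ;;
  esac
  # An explicit 0.0.0.0 bind leaves the plain-HTTP backend reachable from
  # the LAN without going through Nginx. Assumes Nginx runs on the same host.
  for k in ROCKET_ADDRESS WEBSOCKET_ADDRESS; do
    if [ "$(env_get "$k" "$f")" = "0.0.0.0" ]; then
      echo "$k: 0.0.0.0, use 127.0.0.1 and proxy_pass to 127.0.0.1"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample resembling the thread's file, including a stray comma.
sample=$(mktemp)
cat > "$sample" <<'EOF'
IP_HEADER=X-Forwarded-For
WEBSOCKET_ADDRESS=0.0.0.0
DOMAIN=https://vault.example.com,
#ROCKET_TLS={certs="./cert.pem",key="./privkey.pem"}
EOF
audit_vw_env "$sample" || echo "review the findings above"
rm -f "$sample"
```

An unset ROCKET_ADDRESS is not flagged; the "Rocket has launched from" log line shows the address Vaultwarden actually bound to.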

I have done all the steps, I can access it locally but the site pops up as untrusted. I need to forward the port so I can use it on the bitwarden app, I am guessing external is 8080 and internal is 8001 right?