Jump to content
XPEnology Community

Bitwarden Self-Hosted Password Manager on Docker


shrabok

Recommended Posts

Recently I deployed Bitwarden (https://bitwarden.com/) in Synology Docker and thought I would share my experience for others looking to do so.

***For experienced individuals comfortable with synology command line and linux environments with docker, I take no responsibility for any issues encountered***

***Read fully before considering***

 

History:

I've used a number of password managers (lastpass, keeper, keepass, etc) and still use some for professional reasons.

For personal use I was using KeepassX so I could control the safe (in Dropbox) and did not want my personal data cloud hosted.
I need it to run on linux, windows, osx as well as mobile (android) support.

I also am a strong proponent of two factor authentication, keepass offers it but is a lackluster implementation.

I wanted a more robust self hosted password manager that I could host on my synology.

 

Feature Requirements:

There is a number of things I wanted in my personal password management that Bitwarden offered over the others

  • TOTP (Time Based One Time Passcode) Two factor authentication with Authy or Google Authenticator
  • Self hosted password manager with central database stored on my synology
  • Robust device and application support (Linux, Windows, OSX, IOS App, Android App, Browser integrations etc)
  • Push syncing of changes so conflicts in password safe are avoided or less likely
  • Secure software with good development (bitwarden has a cloud hosted solution as well as self hosted, so they are diligent in ensuring updates are made regularly https://help.bitwarden.com/security/ and community involvement is very good)
  • Free for personal use and open source

 

Setup Requirements:

You will need to have the following requirements met to follow this guide:

  • Latest XPenology/Synology: Currently on DSM 6.1.6-15266 with JUN'S LOADER v1.02b - DS3617xs
  • Latest Synology Docker Package: Currently on 17.05.0-0370 (https://www.synology.com/en-global/dsm/packages/Docker)
  • Your own public domain (in this use case I use a personal public facing domain with public DNS)
  • An understanding of Domains, Extenal DNS, SSL Certificates (Lets Encrypt), Reverse Proxies, Linux/Synology cli, Docker

 

Process:

Please fully read the bitwarden self hosting documentation (https://help.bitwarden.com/article/install-on-premise/) before attempting any of these steps

  • Create your bitwarden external DNS record (I used bw.<mydomain> this guides example will be bitwarden.domain.com)
    You have two options for your dns record:
    • "A record" which is a record to the External IP address you use to reach your synology/xpenology device (eg: bitwarden.domain.com A record to Your public IP)
    • "CNAME record" which is a record to the existing DNS Record of your synology/xpenology device (eg: bitwarden.domain.com CNAME record to nas.domain.com)
  • Create an SSL Certificate using Lets Encrypt within DSM Certificate Manager
    • Go to "Control Panel" -> "Security" -> "Certificate" -> "Add"
    • "Add a new certificate" -> "Next"
    • Description "Bitwarden Certificate""Get a certificate by Lets Encrypt" -> "Next"
    • Domain name: "bitwarden.domain.com", Email: "<your email address>" -> "Apply"
  • Create a Reverse Proxy in DSM to the docker port used by bitwarden
    • Go to "Control Panel" -> "Application Portal" -> "Reverse Proxy" -> "Create"
    • Description: "Bitwarden https reverse proxy"
    • Source: Protocol: "HTTPS", Hostname: "bitwarden.domain.com", Port: "443", HSTS and HTTP/2 "Unchecked"
    • Destination: Protocol: "HTTP", Hostname: "localhost", Port: "8123"
  • Associate Reverse Proxy with Certificate
    • Go to "Control Panel" -> "Security" -> "Certificate" -> "Configure"
    • Services: "bitwarden.domain.com"  Certificate: "bitwarden.domain.com" -> "OK"
  • Ensure docker is installed and collect docker folder location
    • Install docker from the package manager
    • Confirm docker shared folder location
      • "File Station" -> folder "docker" right click properties and collect path (mine was "/volume1/docker" and will be referenced as the path in this article)
  • SSH connect to synology/xpenology internal IP address or hostname as administrator account
    • linux/osx terminal command: ssh admin@<nas internal ip or dns> (enter admin user password)
    • windows use putty or bash for windows to connect (provide admin user and passwords as credentials)
  • Switch to root user for docker access
    • command: sudo su - (enter admin user password when prompted for password)
  • Change to the docker folder
    • command: cd /volume1/docker (or whatever your path to docker shared folder may be)
  • Follow bitwarden self hosted setup procedure (reference https://help.bitwarden.com/article/install-on-premise/)
  • Get a self hosting installation id and key here https://bitwarden.com/host
    • copy these value to be used when running installation
  • Import bitwarden.sh script
  • Run installation using script
    • command: ./bitwarden.sh install
  • follow prompts in code block:
    root@nas:/volume1/docker# ./bitwarden.sh install
     _     _ _                         _
    | |__ (_) |___      ____ _ _ __ __| | ___ _ __
    | '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \
    | |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
    |_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|
    
    Open source password management solutions
    Copyright 2015-2018, 8bit Solutions LLC
    https://bitwarden.com, https://github.com/bitwarden
    
    ===================================================
    
    
    Docker version 17.05.0-ce, build 9f07f0e-synology
    docker-compose version 1.14.0, build c7bdf9e
    
    (!) Enter the domain name for your bitwarden instance (ex. bitwarden.company.com): bitwarden.domain.com
    (!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): n
    1.17.2: Pulling from bitwarden/setup
    Digest: sha256:cf55e0288b6392ee9c35022089396c3c561773ddc963945f1afea8fce359757f
    Status: Image is up to date for bitwarden/setup:1.17.2
    (!) Enter your installation id (get it at https://bitwarden.com/host): <my_installation_id>
    (!) Enter your installation key: <my_installation_key>
    (!) Do you have a SSL certificate to use? (y/n): n
    (!) Do you want to generate a self-signed SSL certificate? (y/n): n
    !!!!!! WARNING !!!!!!
    You are not using an SSL certificate. Bitwarden requires HTTPS to operate. You must front your installation with a HTTPS proxy. The web vault (and other Bitwarden apps) will not
    work properly without HTTPS.
    !!!!!!!!!!!!!!!!!!!!!
    Generating key for IdentityServer.
    Generating a 4096 bit RSA private key
    ....................................................................................++
    ......................................++
    writing new private key to 'identity.key'
    -----
    (!) Do you want to use the default ports for HTTP (80) and HTTPS (443)? (y/n): n
    (!) HTTP port: 8123
    (!) Is your installation behind a reverse proxy? (y/n): y
    (!) Do you use the default ports on your reverse proxy (80/443)? (y/n): y
    (!) Do you want to use push notifications? (y/n): y
    Building nginx config.
    Building docker environment files.
    Building docker environment override files.
    Building app settings.
    Building FIDO U2F app id.
    Building docker-compose.yml.
    
    Setup complete

     

  • Once setup is complete you will need to create some missing folders (this is due to the docker version on synology not creating bind mount locations on container creation, likely a version bug)
    • there should be a new folder creating in your /volume1/docker location called /volume1/docker/bwdata
    • create the following folders in the bwdata directory from your current location (/volume1/docker location)
      • command: mkdir bwdata/core bwdata/core/attachments
      • command: mkdir bwdata/ca-certificates
      • command: mkdir bwdata/logs bwdata/logs/admin bwdata/logs/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx bwdata/logs/notifications bwdata/logs/icons
      • command: mkdir bwdata/mssql bwdata/mssql/data bwdata/mssql/backups
    • If there are any failures on the ./bitwarden.sh start stating "ERROR: for <container name> Cannot start service <container name>: Bind mount failed: '/volume1/docker/bwdata/<path>' does not exists" make sure to create that missing <path> specified in the error
  • Run setup using script
    • command: ./bitwarden.sh start
    • if there are not missing folders as per notes above the service should now be running on port 8123 and reachable from your external dns entry https://bitwarden.domain.com
  • Run updatedb using script
    • command: ./bitwarden.sh updatedb
    • this will run database migrations on bitwarden for any latest database changes to run
  • Additional changes to consider:
    • modify your bwdata/env/global.override.env for the following features
      • add smtp email
      • disable registrations after you create your accounts
      • other override features specific to your use case
    • restart containers after change to global environment vars

 

Update bitwarden version:

To update to the latest version run:

  • command : ./bitwarden.sh updateself 
  • command: ./bitwarden.sh update

 

Hopefully this guide is helpful to anyone looking to host bitwarden on their synology/xpenology device.

Edited by shrabok
Addition of two new logs directories (notifications and icons) needed creation on v1.24
  • Like 3
  • Thanks 1
Link to comment
Share on other sites

Good writeup. There are a couple of "corrections" or changes since this has been created:

 

1. There is a mismatch in this command as it starts out log and then moves to logs:

command: mkdir bwdata/log bwdata/log/admin bwdata/log/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx

2. Instead of running ./bitwarden.sh setup it is now ./bitwarden.sh start

 

Addition:

 

To update run ./bitwarden.sh updateself and then ./bitwarden.sh update

  • Thanks 1
Link to comment
Share on other sites

Hi @ebell
Thanks for mentioning the corrections. It seems I'm no longer able to edit the original post. Referencing the Bitwarden docs for all the latest changes is highly recommended as it does change frequently. Hopefully Synology can get Docker updated to a point where we no longer need to manually create the folders that were missing as well. 
Also for clarity the line `command: mkdir bwdata/log bwdata/log/admin bwdata/log/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx`
should be changed to
`command: mkdir bwdata/logs bwdata/logs/admin bwdata/logs/api bwdata/logs/identity bwdata/logs/mssql bwdata/logs/nginx`

Edited by shrabok
Added clarity on correction for logs path
Link to comment
Share on other sites

In order to access the Bitwarden Admin site on the Synology you will need to perform the following:

  • Modify the bitwarden-admin container
    • Stop the container.
    • Click on Edit
    • Click on the Port Settings tab
    • Add the following settings
      • Local port - 8124
      • Container port - 5000
      • Type - TCP
    • Click Apply
    • Start the container
  • Modify the reverse proxy settings via SSH
    • SSH into your Synology Server
    • Change to this directory: /usr/local/etc/nginx/conf.d
    • Create a file in this director (i.e., www.rproxy.bw_admin.conf)
    • Add the following content
      •         location ~ /admin/ {
                    proxy_pass http://localhost:8124;
                }

         

    • Save the file and test the configuration. The following should return "Syntax is OK" and "Test is successful"
      • nginx -T > /tmp/nginx.conf

         

    • Restart nginx
      • nginx -s reload

         

Now bwitwarden.url/admin should redirect you to the appropriate page where you can login with an admin account.

Edited by ebell
formatting
Link to comment
Share on other sites

10 hours ago, ebell said:

In order to access the Bitwarden Admin site on the Synology you will need to perform the following:

  • Modify the bitwarden-admin container
    • Stop the container.
    • Click on Edit
    • Click on the Port Settings tab
    • Add the following settings
      • Local port - 8124
      • Container port - 5000
      • Type - TCP
    • Click Apply
    • Start the container
  • Modify the reverse proxy settings via SSH
    • SSH into your Synology Server
    • Change to this directory: /usr/local/etc/nginx/conf.d
    • Create a file in this director (i.e., www.rproxy.bw_admin.conf)
    • Add the following content
      • 
                location ~ /admin/ {
                    proxy_pass http://localhost:8124;
                }

         

    • Save the file and test the configuration. The following should return "Syntax is OK" and "Test is successful"
      • 
        nginx -T > /tmp/nginx.conf

         

    • Restart nginx
      • 
        nginx -s reload

         

Now bwitwarden.url/admin should redirect you to the appropriate page where you can login with an admin account.

 

Hi @ebell

 

In my current installation I can reach the admin site using https://bitwarden.domain.com/admin/login/  without a dedicated port. There is an issue open regarding the https://bitwarden.domain.com/admin redirecting to a non https port here https://github.com/bitwarden/core/issues/253.

 

Your approach could be interesting alternative as a dedicated url specific to admin that is internal only and not public facing.

 

Also I have edit capability to the orginal post  and will attempt to keep it relevant and recent. 

Link to comment
Share on other sites

  • 1 month later...

I followed the instructions, but am having a problem. I can't login to bitwarden from the android app when connected to LTE. I can only login to the android app when connected to my LAN/WiFi.

 

I can login to the Bitwarden webUI/vault from a web browser on my PC and android phone (on WiFi and LTE), I can login with a browser extension from a PC on the same LAN.

 

Any ideas? I assume it is something with the certificates? I don't think it is port forwarding as I port forwarded port 443 and even tried to DMZ briefly to see if the firewall was the problem.

Link to comment
Share on other sites

On 7/5/2018 at 1:58 AM, GKay said:

I followed the instructions, but am having a problem. I can't login to bitwarden from the android app when connected to LTE. I can only login to the android app when connected to my LAN/WiFi.

 

I can login to the Bitwarden webUI/vault from a web browser on my PC and android phone (on WiFi and LTE), I can login with a browser extension from a PC on the same LAN.

 

Any ideas? I assume it is something with the certificates? I don't think it is port forwarding as I port forwarded port 443 and even tried to DMZ briefly to see if the firewall was the problem.

 

Fixed it... IPV6 firewall was not port-forwarded, while the IPV4 firewall was. T-mobile LTE is IPV6 only and would only try to connect through IPV6.

Link to comment
Share on other sites

19 hours ago, GKay said:

 

Fixed it... IPV6 firewall was not port-forwarded, while the IPV4 firewall was. T-mobile LTE is IPV6 only and would only try to connect through IPV6.

Thanks for sharing @GKay, I have not come across IPV6 connection yet so thats a good thing to keep in mind

Link to comment
Share on other sites

  • 2 months later...

After following these instructions to the letter, I'm trying to go to https://bw.domain.com and it's acting like the site doesn't exist, but if I go to http://bw.domain.com I'm able to reach the site, of course without the SSL certificate.  Any ideas as to what my issue is?  Happy to provide any add'l information needed.

 

Edit: I also just realized that when I go to create my account, I click on "Submit" but nothing happens.  Maybe this is related in some way?

 

Edit2: Nevermind, y'all.  Went to incognito and it worked, so probably just clear cache and I'll be good.  I'm leaving my stupidity up for the world to see, just in case it helps anybody else in the future.

Edited by jermz162
Link to comment
Share on other sites

  • 1 month later...

Hello,

 

I am trying to install Bitwarden, but running the bitwarden.sh install script it doesn't prompt for the proxy information eg.:

Quote

(!) Do you want to use the default ports for HTTP (80) and HTTPS (443)? (y/n): n (!) HTTP port: 8123 (!) Is your installation behind a reverse proxy? (y/n): y (!) Do you use the default ports on your reverse proxy (80/443)? (y/n): y (!) Do you want to use push notifications? (y/n): y

 

I've got no idea how to get bitwarden to ask these questions and  I do not know what to include in the ./bwdata/config.yml to manually add the proxy. Can anyone help me out here?

Link to comment
Share on other sites

Hi @Binkem

 

It seems as though bitwarden setup has changed over time. I had a look at my config.yml and it looks like this (FYI - I've excluded all the comments):

url: https://bw.domain.com
generate_compose_config: true
generate_nginx_config: true
http_port: 8123
https_port:
compose_version:
ssl: false
ssl_versions:
ssl_ciphersuites:
ssl_managed_lets_encrypt: false
ssl_certificate_path:
ssl_key_path:
ssl_ca_path:
ssl_diffie_hellman_path:
push_notifications: true
database_docker_volume: false

Also sounds like you can reconfigure your deployment using the commands here:

https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

 

I've not attempted an install since my original post. Please let me know if this is helpful with regard to your setup.

 

Link to comment
Share on other sites

Hi @Binkem, 

 

This could very well be a possibility. There are multiple containers used by bitwarden and mssql is quite large as well. Here are my current docker stats:
 

CONTAINER           CPU %               MEM USAGE / LIMIT     MEM %               NET I/O             BLOCK I/O           PIDS
370126b59277        0.00%               14MiB / 15.63GiB      0.09%               1.85MB / 1.28MB     0B / 0B             0
291a000cfd52        0.93%               746.6MiB / 15.63GiB   4.66%               701kB / 537kB       0B / 0B             0
c4f8e956a4ae        0.03%               27.76MiB / 15.63GiB   0.17%               139kB / 0B          0B / 0B             0
0911a92c79e6        0.06%               39.08MiB / 15.63GiB   0.24%               726kB / 148kB       0B / 0B             0
0ba98ce071b3        0.02%               59.76MiB / 15.63GiB   0.37%               607kB / 520kB       0B / 0B             0
e3e8ac74eea8        0.02%               42.95MiB / 15.63GiB   0.27%               1.28MB / 449kB      0B / 0B             0
49b58a990b7f        0.02%               17.88MiB / 15.63GiB   0.11%               139kB / 0B          0B / 0B             0
7ca297b1174c        0.02%               35.82MiB / 15.63GiB   0.22%               214kB / 60.8kB      0B / 0B             0
75ddff907b44        0.01%               16.79MiB / 15.63GiB   0.10%               139kB / 0B          0B / 0B             0

you can also try `docker logs bitwarden-mssql` to see the logs and what is causing the restart. 

 

Link to comment
Share on other sites

  • 3 weeks later...

Hi!

 

I am getting this error

for nginx  Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (64e618a8b5ae951d8857fe07d08cf85d36f20ab7e05a6316907c1a43be7d9797): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

but i dont know why bind already exists. There is just the DSM it self.

Link to comment
Share on other sites

19 minutes ago, StifflersMoM said:

Hi!

 

I am getting this error


for nginx  Cannot start service nginx: driver failed programming external connectivity on endpoint bitwarden-nginx (64e618a8b5ae951d8857fe07d08cf85d36f20ab7e05a6316907c1a43be7d9797): Error starting userland proxy: listen tcp 0.0.0.0:443: bind: address already in use

but i dont know why bind already exists. There is just the DSM it self.

 

Trying determining what is listening on that port - https://www.cyberciti.biz/faq/what-process-has-open-linux-port/

Did you choose the option to use the default ports when setting up Bitwarden?

Link to comment
Share on other sites

Like Binkem posted before, i did not got asked for the ports.

Hm I cant see a service which is configured with port 443

Just see

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -

Edited by StifflersMoM
Link to comment
Share on other sites

On 10/31/2018 at 10:48 PM, shrabok said:

Hi @Binkem

 

It seems as though bitwarden setup has changed over time. I had a look at my config.yml and it looks like this (FYI - I've excluded all the comments😞


url: https://bw.domain.com
generate_compose_config: true
generate_nginx_config: true
http_port: 8123
https_port:
compose_version:
ssl: false
ssl_versions:
ssl_ciphersuites:
ssl_managed_lets_encrypt: false
ssl_certificate_path:
ssl_key_path:
ssl_ca_path:
ssl_diffie_hellman_path:
push_notifications: true
database_docker_volume: false

Also sounds like you can reconfigure your deployment using the commands here:

https://help.bitwarden.com/article/install-on-premise/#post-install-environment-configuration

 

I've not attempted an install since my original post. Please let me know if this is helpful with regard to your setup.

 

Changing the config still does not work for me (http and https)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...