Bitwarden Proxmox

How to install Bitwarden in an LXC container (e.g. on Proxmox)

January 13, 2019

As many of you know, I'm quite serious about security and therefore a believer in the principle that a service which is not reachable (e.g. from the Internet) cannot be attacked as easily as one that is. Looking at password managers, this makes choosing not that easy. Sure, there is KeePass and its descendants, but they have the problem that their security rests solely on the master password and the security of the end device. Knowing friends who use Google Drive to sync the password file between their devices, I looked at that option, but it was not right for me (browser integration, 2FA, …).

Password managers like LastPass or 1Password are also not the right solution for me. Yes, I believe that their crypto is good and that they never see their users' passwords, but the 2FA is only as good as the lost-password/2FA-reset feature is. I've read about and seen too many attacks on that to rely on it.

All of this leads to Bitwarden: it provides the same level of functionality as LastPass or 1Password, but it is open source and can be hosted on my own server. Not opening it up to the Internet and using it remotely only via VPN (which I have anyway) makes for a really small attack surface. This blog post shows how I installed it within a Proxmox LXC container, which I did to isolate it from other stuff, so there are no dependencies if I need to upgrade something. I don't like to install anything on the Proxmox host itself. As this is my first try, and I ran into a problem with an unprivileged container and Docker within it, this setup currently works only with a privileged container. I know this is not that good, but in this case it is a risk I can accept. Be clear about what that risk is: in a privileged container, root inside the container is root on the host, and the AppArmor, device and capability settings added below remove most of what still separates the two, so a compromise of the container (or of Docker inside it) has to be treated as a compromise of the Proxmox host. If you find a solution to get it running in an unprivileged container, please send me an email or write a comment.

LXC container

After creating the LXC container (2 GB RAM, more than 5 GB disk) with Debian 9, don't start it yet. Containers share the host kernel, so the modules Docker's storage driver needs have to be loaded on the Proxmox host: add the following to /etc/modules-load.d/modules.conf there so they are loaded at boot

aufs
overlay

and, if you don't want to reboot, load them now with

modprobe aufs
modprobe overlay

If you don't do this, Docker falls back to the vfs storage driver, which stores a full copy of every image layer, and your installation gets gigantic (over 30 GB). Now add the following to /etc/pve/lxc/<vid>.conf on the host, with the container's ID in place of <vid>:

#insert docker part below
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Now you can start the container and enter it. We'll check later whether everything worked, but we need Docker for that.
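Because the three config lines above plus the missing "unprivileged: 1" are what turn a container into something close to host root, it is worth being able to spot them later, when the container is one of many. The following script is an added example, not code from the original post: it audits a Proxmox LXC config file for exactly those settings and runs here against two constructed sample configs (one made to look like the result of this guide, one like a stock unprivileged container); on a real host you would point it at /etc/pve/lxc/<vid>.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a Proxmox LXC config for
# the settings this guide adds, so you know which containers are effectively
# running as host root.  On the Proxmox host: audit_lxc_conf /etc/pve/lxc/<vid>.conf
# Prints one line per finding and returns 1 if there is any, 0 if the container
# looks like a default unprivileged one.

audit_lxc_conf() {
    conf="$1"
    n=0
    # Proxmox writes "unprivileged: 1" for unprivileged containers; without it,
    # uid 0 inside the container is uid 0 on the host.
    if ! grep -qE '^unprivileged:[[:space:]]*1[[:space:]]*$' "$conf"; then
        echo "privileged: container root is host root"
        n=$((n + 1))
    fi
    if grep -qE '^lxc\.apparmor\.profile:[[:space:]]*unconfined' "$conf"; then
        echo "apparmor: unconfined (PVE profile restrictions on mount/proc/sysfs are gone)"
        n=$((n + 1))
    fi
    # "a" means all device nodes, so the container can mknod and open host disks.
    if grep -qE '^lxc\.cgroup2?\.devices\.allow:[[:space:]]*a([[:space:]]|$)' "$conf"; then
        echo "devices: every host device node is allowed"
        n=$((n + 1))
    fi
    # An empty lxc.cap.drop clears the capabilities Proxmox drops by default
    # (sys_module, sys_rawio, sys_time, mac_admin, mac_override, ...).
    if grep -qE '^lxc\.cap\.drop:[[:space:]]*$' "$conf"; then
        echo "capabilities: default drop list cleared"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: what /etc/pve/lxc/<vid>.conf looks like after this post.
write_docker_conf() {
    cat > "$1" <<'EOF'
arch: amd64
cores: 2
hostname: bitwarden
memory: 2048
ostype: debian
rootfs: local-lvm:vm-110-disk-0,size=8G
#insert docker part below
lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:
EOF
}

# Constructed sample: a stock unprivileged container for comparison.
write_unpriv_conf() {
    cat > "$1" <<'EOF'
arch: amd64
hostname: web
memory: 512
ostype: debian
unprivileged: 1
EOF
}

# Demo on the constructed samples (no host files are touched).
demo() {
    for writer in write_docker_conf write_unpriv_conf; do
        f=$(mktemp)
        "$writer" "$f"
        echo "== $writer"
        if audit_lxc_conf "$f"; then echo "ok: no risky settings"; fi
        rm -f "$f"
    done
}
demo
```

The docker-style sample produces four findings, the unprivileged one none; a loop over /etc/pve/lxc/*.conf gives you the same answer for every container on a node.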

Docker and Docker Compose

Some prerequisites for Docker:

apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common

and now we can add Docker's signing key and repository. Before trusting the repository, check that the fingerprint apt-key reports for the key (apt-key fingerprint 0EBFCD88) matches the one published in Docker's documentation, 9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88; piping curl into apt-key otherwise trusts whatever the download returned. Note the double quotes on the second line: inside single quotes $(lsb_release -cs) would not be expanded.

curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

and now we can install it with

apt-get update
apt-get install docker-ce

The Docker Compose shipped with Debian 9 is too old to work with this Docker, so we need the following (again double quotes, so that uname is actually expanded in the URL):

curl -L "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose

On Debian, /usr/local/bin is normally already in root's PATH. If it isn't in yours, add

PATH=/usr/local/bin:$PATH

to .bashrc and run the same line in the current shell to get it set without starting a new bash instance. I know that a package would be better, but I couldn't find one, so this is a temporary solution. If someone finds a better one, leave it in the comments below.

Now check that the overlay setup is working by running docker info; you should see overlay2 as the storage driver:

Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 18.06.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file

Bitwarden

Now we just need the following. Note that the first line fetches whatever is on the master branch at that moment, and the later lines run it as root: download it, read through it, and keep the copy you reviewed rather than re-fetching it for later updates.

curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh
chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start
./bitwarden.sh updatedb

And now you're done: you have your own password manager server, which also supports TOTP (time-based one-time passwords, e.g. Google Authenticator) as a second factor. Maybe I'll write a blog post later on how to set up a YubiKey as 2FA (desktop and mobile).
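Two steps in this guide install something straight off the network and trust it as-is: the docker-compose binary fetched from GitHub and bitwarden.sh fetched from the master branch. The script below is an added example, not code from the original post or from the Bitwarden project: it downloads an artifact to a temporary file, refuses to install it unless its SHA-256 matches a value you pinned beforehand, and only then puts it in place with the right mode. The hashes you pin have to come from a copy you checked yourself or from the project's published checksum file; the placeholders in the usage comment and the "hello" file in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: download a release artifact
# only if it matches a checksum pinned in advance, then install it.  Covers
# both downloads in this guide that are otherwise taken on trust: the
# docker-compose binary and bitwarden.sh.  Hash values below are placeholders.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise
verify_sha256() {
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# fetch_verified URL EXPECTED_HEX DEST [MODE]
# Downloads to a temp file, refuses to install anything whose hash differs,
# and only then copies it into place with the requested mode (default 0755).
fetch_verified() {
    url="$1"; expected="$2"; dest="$3"; mode="${4:-0755}"
    tmp=$(mktemp) || return 1
    # -f: treat HTTP errors as failures (no error page saved as a "binary"),
    # --proto '=https': never follow a redirect down to plain http.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url: got $(sha256_of "$tmp"), wanted $expected" >&2
        rm -f "$tmp"; return 1
    fi
    install -m "$mode" "$tmp" "$dest" && rm -f "$tmp"
}

# Usage (placeholders; replace <sha256> with the hash of a copy you reviewed,
# and prefer a commit or tag in the bitwarden URL over "master"):
#   fetch_verified "https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m)" \
#       <sha256> /usr/local/bin/docker-compose
#   fetch_verified https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh \
#       <sha256> ./bitwarden.sh

# Offline demo on a constructed file ("hello\n" has a well-known SHA-256).
demo() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "demo: hash matched, would install"
    fi
    if ! verify_sha256 "$f" 0000000000000000000000000000000000000000000000000000000000000000; then
        echo "demo: wrong hash rejected, nothing installed"
    fi
    rm -f "$f"
}
demo
```

The point of the temp file is ordering: nothing lands in /usr/local/bin or gets chmod +x until the hash has been checked, so a tampered or truncated download cannot be executed by accident on the next step.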

1. Caddy version (caddy version): v2.0.0 – commit id: e051e119d1dff75972ed9b07cf97bbb989ba8daa

2. How I run Caddy:

Using a systemd service as defined below.

a. System environment:

Archlinux LXC container on Proxmox VE 6.2-4

b. Command:

N/A if restarting the container

OR

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

I got the header section and the proxy configuration setup from the Caddy 2 example from this link

3. The problem I’m having:

I cannot get to the bitwarden web-vault nor can i access the reverse proxy server which would then forward me to the bitwarden service using HTTPS.
Questions

  • What DNS records and their values do I need in my Cloudflare account to setup on my domain so that I can access the reverse proxy which would then forward me to the correct service based on what I type in the address bar?
  • Should I use wildcard SSL cert so that the same cert can be used for all the services on my network? Which DNS records in my Cloudflare account are required in this case?
  • Or Should I use separate certs for each service?

AIM : to simply type in the address bar (while on the LAN)

  • cloud - so that it would take me to my self-hosted Nextcloud instance
  • nas - so that it would take me to my nas login page etc.

4. Error messages and/or full log output:

I don’t see any logs generated under /var/log/caddy

Here’s what #systemctl status caddy shows:

5. What I already tried:

Backstory: This all started with my Bitwarden web vault not being accessible after a Firefox update. I got errors saying:

Apparently this post seemed to suggest it was a browser issue where the browser no longer supported HTTP access to the bitwarden service. So in enabling HTTPS for bitwarden, I thought I might as well also implement a reverse proxy so that I don’t have to remember the ports for all the various services that I have on my network. Enter caddy, since it supported easy configuration for Let’s Encrypt. Being new to this whole thing, it didn’t matter if I chose Apache, Nginx or caddy.

I went ahead and bought a domain for this purpose and since caddy didn’t have a dns provider for my domain registrar’s name servers, I switched over to Cloudflare. After installing caddy on my Archlinux container using this PKGBUILD from caddyserver/dist/archlinux , I built a new binary using the xcaddy command below and copied the newly built caddy binary to /usr/bin/caddy
xcaddy build --with github.com/caddy-dns/cloudflare

I don't have anything hosted on my domain, if that matters. Maybe in the future I will buy a hosting package and put up a website there.

I seemed to have picked an inopportune time to create a reverse proxy because caddy was in transition from v1 to v2. caddy was in the late betas at the time, so I went through the muck of various forum posts and incomplete (at that time) documentation to see how to create a Caddyfile for v2. After a lot of trial and error with various settings – some which happened to be from v1 and didn’t quite translate over to v2, I finally have that right and I can get the SSL certs from Let’s Encrypt by creating an ‘A’ record for bw and pointing it to my home’s WAN IP address.

Currently:
However, I use pfsense as my router and when I put in bw.tabala.com in the address bar (while being on the LAN), I get presented the NET::ERR_CERT_AUTHORITY_INVALID page. If I click Advanced and proceed I get the pfsense page with the following warning :

instead of being presented the bitwarden login page.

What DNS records do I need to set in my DNS provider, in order for me to get to the reverse proxy – which would then forward me to the correct service (bitwarden or guacamole, or syncthing etc.)?

Currently I am trying this only with bitwarden, but eventually I want the same reverse proxy to be able to handle all of the services on my network (8 LXC containers, 3 VMs, Proxmox host itself, separate FreeNAS box and 3 plugins on the FreeNAS box, & pfsense router). Some of them currently use self signed certs and some just work on HTTP – I was hoping to use Let’s Encrypt certs for all the services. That way I won’t have to remember the port numbers etc. and would aim to simply put in the address bar (while on the LAN)
cloud - so that it would take me to my self-hosted Nextcloud instance
nas - so that it would take me to my nas login page etc.

6. Links to relevant resources:

I read a lot of forum posts and links which eventually helped me get to a point where I am able to get the SSL certs correctly, but I don’t think they are relevant to the issue that I have now.
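The following is an added example and not part of the forum post or of any reply to it. The post wants one reverse proxy, one certificate, and short names for many LAN services, so the script generates a Caddy v2 Caddyfile in that shape: a single wildcard site block whose certificate comes from the Cloudflare DNS-01 challenge (the only challenge type Let's Encrypt accepts for wildcards, and one that needs no A record at all, because Caddy creates the _acme-challenge TXT record itself through the API), with a named host matcher and a reverse_proxy per service. Backends that only speak HTTPS with a self-signed certificate can be marked ",insecure" so Caddy still encrypts to them but skips verification. For LAN use, the piece that goes with this is split DNS: a host override in pfSense's DNS Resolver that maps each name to the Caddy container's LAN address, so clients never connect to the WAN IP from inside (which, without NAT reflection, is answered by pfSense's own web interface and its self-signed certificate, consistent with the NET::ERR_CERT_AUTHORITY_INVALID page described above). Everything concrete here is assumed: the domain example.com, a Caddy built with caddy-dns/cloudflare, CLOUDFLARE_API_TOKEN in Caddy's environment, and made-up backend addresses.

```shell
#!/bin/sh
# Added example, not part of the forum post: generate a Caddy v2 Caddyfile that
# serves every LAN service under one wildcard certificate (Cloudflare DNS-01
# challenge) and routes by hostname.  Assumptions, none from the post: domain
# example.com, caddy built with caddy-dns/cloudflare, CLOUDFLARE_API_TOKEN set
# in caddy's environment, made-up backend addresses in the demo.

# gen_caddyfile DOMAIN NAME=HOST:PORT[,insecure] ...
# NAME becomes the hostname NAME.DOMAIN; ",insecure" marks a backend that only
# speaks HTTPS with a self-signed certificate (pfSense, FreeNAS, ...).
gen_caddyfile() {
    domain="$1"; shift
    printf '*.%s {\n' "$domain"
    printf '\ttls {\n\t\tdns cloudflare {env.CLOUDFLARE_API_TOKEN}\n\t}\n\n'
    for spec in "$@"; do
        name=${spec%%=*}
        rest=${spec#*=}
        upstream=${rest%%,*}
        if [ "$rest" = "$upstream" ]; then opt=""; else opt=${rest#*,}; fi
        printf '\t@%s host %s.%s\n' "$name" "$name" "$domain"
        printf '\thandle @%s {\n' "$name"
        if [ "$opt" = "insecure" ]; then
            # Encrypt to the backend but do not verify its self-signed cert.
            printf '\t\treverse_proxy https://%s {\n' "$upstream"
            printf '\t\t\ttransport http {\n\t\t\t\ttls_insecure_skip_verify\n\t\t\t}\n\t\t}\n'
        else
            printf '\t\treverse_proxy %s\n' "$upstream"
        fi
        printf '\t}\n\n'
    done
    # Unknown names under the wildcard get a 404 instead of silently landing
    # on the first backend.
    printf '\thandle {\n\t\trespond 404\n\t}\n}\n'
}

# Demo with made-up backends.  Write the output to /etc/caddy/Caddyfile and run
# "caddy validate --config /etc/caddy/Caddyfile" before reloading the service.
gen_caddyfile example.com \
    bw=10.0.0.5:80 \
    cloud=10.0.0.6:80 \
    nas=10.0.0.9:443,insecure \
    pfsense=10.0.0.1:443,insecure
```

One wildcard certificate means one DNS-01 issuance for all services and no per-service records at Cloudflare; the trade-off is that the same private key sits on the proxy for every name, so the proxy container is the one to keep small and patched. Only add an A record pointing at the WAN IP for names that should really be reachable from the Internet.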