r/vaultwarden

Fetch users' public SSH keys using the API

I have been looking for hours now and found no info, maybe because this doesn't exist.

I'm looking for a way for users to add SSH keys to their account; then, using the API, I can get a user's public keys along with the name, e.g. GET /api/<user email id etc>/keys

u/404invalid-user — 2 days ago

Vaultwarden (Bitwarden mobile app) over WireGuard not working but website over WireGuard is working.

So recently I started making a homelab and I have Proxmox hosting a few LXCs.

Current Stack:

Firewall and switch with VLANs for segmentation.

AdGuard Home on a Pi 4.

Uptime Kuma on an ODroidXU4 (technically within a docker container, but that’s not relevant here).

Old HP Elitedesk running Proxmox with three LXCs

  1. Glance and Homepage for dashboards
  2. NGINX Proxy Manager
  3. Vaultwarden

All three of these are on a services VLAN (on the firewall, not a proxmox container VLAN). I have an explicit allow policy between my services VLAN and my core network VLAN, as well as my VPN VLAN and services VLAN. An allow policy for both directions. Networking doesn’t appear to be an issue as I’m not getting blocked and login requests are getting through DNS.

My firewall has WireGuard built into it for client VPN access. This is the ONLY way I plan on reaching any of my services remotely. I have no interest in port forwarding or proxying the traffic through the wide open internet.

I have all of these services/sites, including all my VLANs except for an IoT VLAN and a Guest Network VLAN, getting DNS through AdGuard Home, with rewrites pointing a custom URL and domain suffix to the NGINX proxy server. The proxy then routes the traffic through the proper port and I can reach the page using uptimekuma.home.internal

I also made a certificate using mkcert and uploaded that certificate to NGINX to get HTTP/SSL (HTTPS) to all my services too.

I had to add the root certificate to my end user devices individually, but at least this way it’s one wildcard that covers all my services instead of each one having its own cert.

I have an iPhone and the root certificate was added to my phone and I enabled full trust for the root certificate in my settings. I also added the cert to my home computer running windows.

Now here’s my situation:

While connected to my core network (Ethernet or WiFi) on my computer, I can access the Bitwarden site.

While connected through my WiFi on my phone, I can access Vaultwarden using the Bitwarden mobile app with settings configured to use the URL of my Vaultwarden LXC, https://vaultwarden.home.internal

However, while connected to my VPN using WireGuard (which was configured to use the AdGuard Home DNS server) I CANNOT access Vaultwarden using the Bitwarden mobile app. I get a general login error.

Interestingly, I CAN log into it using WireGuard if I just try to sign into the webpage for Vaultwarden in Safari.

It’s not a networking or certificate problem from what I can tell, as evidenced by no DNS denials and the ability to access the webpage even through WireGuard on my phone.

I remember during the Vaultwarden installation proxmox helper script that it asked me if I needed to enable TUP or TUPA or some other acronym I didn’t recognize, and the description said explicitly it was something to do with connecting with WireGuard so I did hit yes on that.

I don’t know what else could be causing the issue. Is there some setting in the self-hosted options in the Bitwarden mobile app that needs to be changed to make it work over WireGuard? Is it a config issue on the LXC? I haven’t been able to figure it out. I did see at the bottom of the self-hosted options a section for Client Certificate (mTLS). Do I need to add the rootCA.pem to that for it to work? Or do I need to add my mkcert.pem or whichever one it is (obviously not the one with the key in it)? I’m not entirely sure what its use is, since it worked on my network at home and the rootCA is installed on my phone directly. I just don’t know enough about certificates to know what I’m doing there.

Anyone have any ideas on what I should check?

u/nickademus4070 — 2 days ago

MSPs: how do you organize your clients' passwords?

Hello all,

I work for an MSP and want to establish a secure password manager. I installed vaultwarden without exposing it to the WAN, we will only use it at the office or with a VPN from outside the LAN.

Currently I'm a bit overwhelmed with Organizations, Collections and Folders.

It's important for us that we can find a customer and all related passwords quickly, because we have around 200.
How do you manage this? Should I create an organization for every customer? I don't think that's the way to do it.

Right now we have subfolders on our file server by alphabet, so 26 folders A-Z, and in there are our customers under their first letter, containing all the passwords and documentation.

I would like to create a few subfolders in Vaultwarden for a customer, because almost everyone has M365, VPN and an infrastructure with several servers.

My Idea was the following:

  1. Create one Organization (our company)

  2. Create 26 Alphabet subfolders A-Z

  3. In there, again the customers, just like on our file server

  4. and again in there the folder structure Server, M365, VPN

so

A
├── Anton GmbH
│   ├── Server
│   ├── VPN
│   └── M365
├── ABC GmbH
└── .........

But I think maintaining this will be dogshit. Maybe some of you have a solution for this! 😃

u/PomegranateNo6766 — 4 days ago
▲ 18, +1 crosspost
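One way to get the per-customer structure sketched above without managing it by hand, as an added example that is not part of the post or of Vaultwarden's own tooling: create the collections in a single organization with Bitwarden's official `bw` CLI, which works against Vaultwarden. Collections, unlike folders, are organization-level objects and are the unit of access control (a member or group is granted specific collections), so scoping by customer at the collection level is what keeps a technician from seeing customers they are not assigned to; a "/" in a collection name is rendered as a nested tree in the web vault. The organization id in BW_ORG_ID, an unlocked `bw` session in BW_SESSION, and jq on the path are assumptions of this script.

```sh
#!/bin/sh
# Added example, not from the post: create "Customer", "Customer/Server",
# "Customer/VPN" and "Customer/M365" collections in one Bitwarden
# organization via the official bw CLI (works against Vaultwarden).
# Assumed (not from the post): BW_ORG_ID holds the organization id from
# `bw list organizations`, BW_SESSION is exported by `bw unlock`, jq exists.
set -eu

# Sub-collections every customer gets; edit to taste.
SUBS="Server VPN M365"

# Print the collection names for one customer, one per line. The customer
# name is the parent collection; "/" nests the children under it in the UI.
collection_names() {
    customer="$1"
    printf '%s\n' "$customer"
    for s in $SUBS; do
        printf '%s/%s\n' "$customer" "$s"
    done
}

# Create one collection in the organization; skip names that already exist
# so the script can be re-run safely when a new customer is onboarded.
create_collection() {
    name="$1"
    if bw list org-collections --organizationid "$BW_ORG_ID" \
        | jq -e --arg n "$name" 'any(.[]; .name == $n)' >/dev/null; then
        echo "exists:  $name"
        return 0
    fi
    # Start from the CLI's own JSON template, fill in name and org, encode,
    # and create. groups=[] means no group is granted it yet; assign access
    # afterwards in the web vault per customer.
    bw get template org-collection \
        | jq --arg n "$name" --arg o "$BW_ORG_ID" \
            '.name = $n | .organizationId = $o | .groups = []' \
        | bw encode \
        | bw create org-collection --organizationid "$BW_ORG_ID" >/dev/null
    echo "created: $name"
}

# Usage: ./make-collections.sh "Anton GmbH" "ABC GmbH" ...
main() {
    : "${BW_ORG_ID:?set BW_ORG_ID to the organization id}"
    for customer in "$@"; do
        collection_names "$customer" | while IFS= read -r name; do
            create_collection "$name"
        done
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Folders remain available on top of this for each technician's personal view; they are per-user and carry no access semantics, which is why the alphabet layer from the file server is better expressed as a search term (the vault search matches collection names) than as 26 extra collections.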

Hey everyone!

I was already aware of how rsync is so cool for incremental backups and a bunch of other things, and install is interesting for "atomic-ish" copies, moves, etc.; but today I learned about rclone (a CLI to transfer/sync files to any kind of backend (S3, Dropbox, G. Drive, etc.)), and also restic.

I stumbled upon these because I wanted a way to automate my Vaultwarden backups (and make sure restores are as easy as pushing a button (or running a command)).
500 LOC later, I have what I unoriginally called vaultwarden-restic-backup, a Bash script that is meant to be run as a cron job.

I'll open-source it soon (although I'm sure most of you can just ask any capable coding AI to help you write something similar for your own setup as well), but just wanted to share about these really cool tools I found today.

PS: it does take a while to set up permissions correctly on the Google end of things (probably easier for other platforms), but other than that it's all pretty sweet 😎

Feel free to AMA if you found this interesting and want to know more.

u/Chinoman10 — 13 days ago
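The poster's script is not published, so the following is an added example of the same idea and not their code: a cron-driven Vaultwarden backup that takes a consistent copy of the SQLite database, stages the other files a restore needs, and ships them to a restic repository (here reached through rclone on Google Drive, matching the post; any restic backend works). The data directory, repository string and password file path are assumptions; the restic password file is a second secret that must live outside the repository, since without it the snapshots cannot be read.

```sh
#!/bin/sh
# Added example, not the poster's script: Vaultwarden -> restic via rclone.
# Assumed (not from the post): VW_DATA, STAGE, RESTIC_REPOSITORY and
# RESTIC_PASSWORD_FILE below. Run as `vw-backup.sh run` from cron.
set -eu

VW_DATA="${VW_DATA:-/opt/vaultwarden/data}"
STAGE="${STAGE:-/var/tmp/vaultwarden-backup}"
export RESTIC_REPOSITORY="${RESTIC_REPOSITORY:-rclone:gdrive:vaultwarden-backups}"
export RESTIC_PASSWORD_FILE="${RESTIC_PASSWORD_FILE:-/etc/vaultwarden/restic.pass}"

# Besides the database, a complete restore set is: attachments and sends
# (user data), the RSA key pair that signs login tokens, and config.json
# (admin-panel settings). Prints the ones present under $1, one per line.
restore_set() {
    dir="$1"
    for p in attachments sends rsa_key.pem rsa_key.pub.pem config.json; do
        [ -e "$dir/$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Copy the database with sqlite3's online backup API rather than cp, so the
# snapshot is consistent even while Vaultwarden is writing to it.
snapshot_db() {
    sqlite3 "$1/db.sqlite3" ".backup '$2/db.sqlite3'"
}

run_backup() {
    umask 077                      # staged copies are as sensitive as the vault
    rm -rf "$STAGE"
    mkdir -p "$STAGE"
    snapshot_db "$VW_DATA" "$STAGE"
    restore_set "$VW_DATA" | while IFS= read -r p; do
        cp -a "$VW_DATA/$p" "$STAGE/$p"
    done
    restic backup --tag vaultwarden "$STAGE"
    # Retention and integrity: keep recent snapshots, prune the rest, and
    # verify the repository so a silently corrupt backend is noticed early.
    restic forget --tag vaultwarden \
        --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
    restic check
    rm -rf "$STAGE"
}

# Restore drill: `restic restore latest --target /tmp/vw-restore`, stop
# Vaultwarden, copy the files back into $VW_DATA, start it again.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

The `restic check` at the end is the part most home-grown scripts skip; a backup that has never been restored or verified is a hope, not a backup, so schedule an actual restore into a scratch directory every few months as well.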

Hey guys, I am running a local Vaultwarden instance on a Raspberry Pi using Nginx Proxy Manager. For HTTPS, I am using mkcert for the domain vaultwarden.home.

The Root CA is installed and trusted on my iPhone, and Safari works perfectly without any warnings. However, the Bitwarden app keeps giving me the error: "This is not a recognized Bitwarden server." Does somebody know a workaround for this?

Thanks in advance!

u/PuzzledCompany8087 — 12 days ago
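Both this post and the WireGuard post above describe the same symptom: the web vault loads in Safari but the Bitwarden app refuses the server, with a self-made mkcert certificate behind a reverse proxy. The app does more than the browser before login: it has to resolve the name through whatever resolver the current network hands out, validate the TLS chain against the installed root, and fetch the server's /api/config endpoint. The following is an added diagnostic, not from either post, that checks those three layers from a client machine so the output can be compared once on the LAN and once over WireGuard; the hostname, resolver address and CA file path are assumptions, and the wildcard matcher follows the RFC 6125 single-label rule (a `*.home.internal` certificate covers `vaultwarden.home.internal` but not `home.internal` or `a.b.home.internal`).

```sh
#!/bin/sh
# Added example, not from either post: client-side checks for a self-hosted
# Bitwarden-compatible server behind a private CA.
# Assumed (not from the posts): HOST, RESOLVER (192.0.2.53 is a documentation
# address; put the AdGuard Home IP here), CA_FILE (mkcert's rootCA.pem).
# Run: `HOST=vaultwarden.home.internal RESOLVER=10.0.0.2 ./vw-check.sh run`
set -euf   # -f: no globbing, so "*.home.internal" is never expanded

HOST="${HOST:-vaultwarden.home.internal}"
RESOLVER="${RESOLVER:-192.0.2.53}"
CA_FILE="${CA_FILE:-$HOME/.local/share/mkcert/rootCA.pem}"

# Does SAN entry $1 cover hostname $2? A leading "*." matches exactly one
# label (RFC 6125); names are compared case-insensitively. Pure shell.
san_matches() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            suffix="${san#\*.}"
            first="${host%%.*}"
            rest="${host#*.}"
            [ "$rest" = "$suffix" ] && [ -n "$first" ] && [ "$first" != "$host" ]
            ;;
        *) [ "$san" = "$host" ] ;;
    esac
}

# Layer 1: resolution through the resolver the VPN hands out. NXDOMAIN or a
# different address than on the LAN explains a "cannot reach server" alone.
check_dns() {
    echo "== DNS: $HOST via $RESOLVER"
    dig +short @"$RESOLVER" "$HOST" A || echo "dig failed"
}

# Layer 2: TLS with ONLY the mkcert root as trust anchor, then the leaf's
# SAN list compared with the hostname (the browser may tolerate what a
# strict client does not, so check the SAN explicitly).
check_tls() {
    echo "== TLS: $HOST against $CA_FILE"
    leaf=$(openssl s_client -connect "$HOST:443" -servername "$HOST" \
               -CAfile "$CA_FILE" </dev/null 2>&1 || true)
    printf '%s\n' "$leaf" | grep 'Verify return code' || echo "no TLS handshake"
    sans=$(printf '%s\n' "$leaf" | openssl x509 -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    matched=no
    for san in $sans; do
        if san_matches "$san" "$HOST"; then matched=yes; fi
    done
    echo "SAN covers $HOST: $matched (SANs: $(printf '%s' "$sans" | tr '\n' ' '))"
}

# Layer 3: the first thing a Bitwarden client asks a server for. It must be
# JSON over HTTPS; HTML or an error here fails the app before login even
# though the web vault itself loads fine.
check_api() {
    echo "== API: https://$HOST/api/config"
    curl -sS --cacert "$CA_FILE" "https://$HOST/api/config" | head -c 300
    echo
}

if [ "${1:-}" = "run" ]; then
    check_dns
    check_tls
    check_api
fi
```

The Client Certificate (mTLS) field in the app is unrelated to this: it is for a client-side certificate the proxy would demand from the phone, and nothing in either setup asks for one, so the root CA does not belong there. If layer 2 passes on the LAN but the SAN check or the verify code differs over the VPN, the two paths are hitting different proxies or different certificates; if layer 3 returns HTML, the proxy is only forwarding the web UI.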