VaultWarden private or public deployment?
I deployed a public-facing VW with admin disabled. I enabled my login with a 2FA authenticator.
But I am having second thoughts about whether I should just do it on my private home Synology NAS.
The only day when I am not at home is when I'm in the office, one day a week.
I don't need access to passwords outside, as I have my mobile browser save login passwords.
Advice?
Comments
Depends on what you want to achieve. One approach may be to install it at home behind NAT and not open it to the outside (no port forwarding), plus a VPN to access it. If you are hosting on a VPS then you can put it behind a VPN as well. Alternatively, if you use OCI/AWS, you can set up VW's DB on a separate machine in a private network.
You can keep it as is. No one is going to hack your server just to hack your passwords. The main reason to host it privately is to prevent 0-day vulnerabilities being exploited by bots. As long as you have a secure master password, even if you post your DB online, it isn't worth trying to decode it...
I'm sorry but do you know what vaultwarden is? What you wrote is nonsensical.
Vaultwarden, a port of Bitwarden with paid features unlocked. You use it to save your passwords. Am I getting close?
I'm using KeePass and store the file and key separately, on cloud and on phone/local storage. I'm thinking of migrating to Vaultwarden, public-facing (behind Caddy/Traefik), because I'm outside my house most of the time. I thought it's safe to have this setup together with 2FA.
I will be keeping tabs on this thread to see what the recommendations are.
And you think that no one will hack a server to get passwords/2FA/recovery codes/emails/accounts etc.?
Yes. It's not worth it. Hackers have better things to do. Unless it's a targeted attack, it's better to hack a server used by multiple users instead of hacking single-user servers. And I believe I already mentioned that:
So you see one line and jump? Seems weird, but you do you! Also, see my signature.
Host it locally and use a VPN to access it when you're out and about. Tailscale is a super simple solution for this, and you can bind the Vaultwarden Docker container to the Tailscale IP so that it's only available over Tailscale.
Bots are trying to brute-force SSH on my servers every day. People will certainly try Vaultwarden as well with bots. They might also have random bots looking for known vulnerabilities on a server, hoping one works.
Create a WG or other VPN tunnel and make Vaultwarden available only inside it. Create your own CA to let the desktop and mobile apps work. Create a cert, install the CA on your devices and enjoy.
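An added example (mine, not the poster's) of the Tailscale-only binding described above, as a POSIX shell script: it asks tailscaled for the node's IPv4 address, checks that it really is a Tailscale address (Tailscale assigns nodes from the 100.64.0.0/10 CGNAT block), and only then starts the container with the published port bound to that address. The check is the point of the script: if tailscaled is down, `tailscale ip -4` prints nothing, and Docker does not treat an empty host address in `-p` as an error, so the vault could end up published on every interface. The image name, data path and host port are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): publish Vaultwarden only on the node's
# Tailscale IPv4 address, refusing to start if that address is missing or is
# not a Tailscale address at all.
# Assumptions: image vaultwarden/server:latest, data in /srv/vaultwarden,
# host port 8080, tailscale CLI on PATH.
set -eu

IMAGE=vaultwarden/server:latest
DATA_DIR=/srv/vaultwarden
HOST_PORT=8080

# Tailscale assigns node addresses from the CGNAT block 100.64.0.0/10.
# Returns 0 when $1 is a dotted quad inside that block, 1 otherwise.
is_tailscale_ip() {
  ip=${1:-}
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, empty octet
  esac
  rest=$ip; n=0
  while :; do                               # count and range-check the octets
    o=${rest%%.*}
    n=$((n + 1))
    [ "$o" -le 255 ] || return 1
    [ "$rest" = "$o" ] && break
    rest=${rest#*.}
  done
  [ "$n" -eq 4 ] || return 1
  o1=${ip%%.*}
  o2=${ip#*.}; o2=${o2%%.*}
  [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# Node address as reported by tailscaled; empty when it is down or absent.
tailscale_ipv4() {
  tailscale ip -4 2>/dev/null | head -n 1
}

# Start the container with the port published on address $1 only.
# The vaultwarden/server image listens on port 80 inside the container.
run_vaultwarden() {
  docker run -d --name vaultwarden --restart unless-stopped \
    -v "$DATA_DIR:/data" \
    -p "$1:$HOST_PORT:80" \
    "$IMAGE"
}

main() {
  ip=$(tailscale_ipv4)
  if ! is_tailscale_ip "$ip"; then
    printf 'refusing to start: "%s" is not a Tailscale address (is tailscaled up?)\n' "$ip" >&2
    exit 1
  fi
  printf 'binding Vaultwarden to %s:%s\n' "$ip" "$HOST_PORT"
  run_vaultwarden "$ip"
}

# Only act when invoked as `sh vw-tailscale.sh deploy`; otherwise the script
# just defines the functions so they can be sourced or tested.
case "${1:-}" in deploy) main ;; esac
```

Binding to the Tailscale address keeps the port off the LAN and off the public interface, but it does not give the browser a secure context: the web vault still needs HTTPS, so either terminate TLS in front of the container with a certificate (as the mkcert and own-CA posts in this thread describe) or use `tailscale serve`, which fronts a local port with a certificate for the node's ts.net name.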
I have been using it since 2022 without any issues.
Never used Bitwarden or Vaultwarden, but do you really need an SSL cert? Tailscale, ZeroTier and WG usually have built-in encryption.
I deploy Vaultwarden publicly. Security is highly overrated. The only thing you need to protect are bank accounts that can transfer money out, like wire transfers. For this, I keep the password in a local KeePass. Everything else is not really important. Hackers want to log in to my utility account or mobile phone and pay my bill for me? Go ahead. Want to hack my Instagram account and see my ugly friends and their pictures? Be my guest. Want to see my online credit card statements and what I spend my money on? No big deal.
Go with @CharityHost_org and host it under public_html
This is the only way
Security is a relative thing. Unless you have something really nasty to hide, hosting a KeePass file on a decent cloud provider is good enough. Always keep your everyday passwords and other important passwords in separate KeePass files. You may have to memorise a couple of complex passwords, but it's really worth it.
They don't hack your utility bill to pay it, they hack it for data. Once they get your logins they have your name, address, number and some banking info as well. They will use this info to trick and scam others, or you. Steal your Instagram account? Now they try to scam your friends, post scams, or abuse whatever else it offers.
Vaultwarden requires an SSL cert to function properly in a browser: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
If you're running it locally, the best solution is to create certificates for it with MKcert: https://github.com/FiloSottile/mkcert
You're right. Even if someone gets the database, all they can do is attempt to brute-force it. Assuming you use a proper diceware passphrase, you'll be safe for centuries.
Making your infrastructure rely on the proprietary Tailscale control panel plus Google login is arguably much riskier, but it depends on your threat model.
That I disagree with. https://www.privacyguides.org/en/basics/threat-modeling/
vaultwarden + authelia
I respectfully disagree. One may disclose his bank account number and still sleep peacefully, but if his pronhub account gets exposed, I am sure he will have sleepless nights.
So it would be wrong to assume everything else is NOT really important.
Does your threat model include exploits in Vaultwarden that might allow an attacker to bypass authentication, such as the one that dropped last year?
https://insinuator.net/2024/11/vulnerability-disclosure-authentication-bypass-in-vaultwarden-versions-1-32-5/
I'm not aware of a public exploit for it, but if one ever drops then bots will be scanning and exploiting publicly exposed vulnerable instances within hours.
Also, I'm pretty sure if someone roots the server that Vaultwarden is running on then they'll be able to recover the private keys and unlock the vault without having to bruteforce anything.
Do you mind publishing everything here, so I can peep into your bank account?
Even the client doesn't store the private keys, period.
Unless you're talking about the 2FA hash.
Just go read the fking .config directory.
According to the article, that vulnerability did theoretically allow brute-forcing, but that's it.
@bustersg said:
You say you don't need to access it but have made it public?
Vaultwarden already has built-in 2FA support. Is Authelia really needed?
Jokes on you, my kinks are not allowed on pronhub anyway...
That's a reply I did NOT expect.
Well played lol.
I deploy publicly but with extra protection: basic HTTP auth.
It's been a while since I deployed Vaultwarden. I believe it's meant to be publicly accessible (it mandates HTTPS and a valid domain).
It's protected by a master password, so it's not like you're exposing your credentials to the public.
TLS client certificates are also a good way of restricting access if you're scared of 0-days in the Vaultwarden server. Browsers accept them with no issue, but I'm not sure if the Bitwarden app supports them well enough.
I made a gist on how to set it up, just in case.
Anyway - I think it's fine to be a public deployment but ultimately it's up to you.
A combination of both of these parts works for me: creating client certificates for those devices/users that need access and making that a requirement of connection. 'SSLVerifyClient require' on Apache, 'ssl_verify_client on' on Nginx. That way the vault is only public in the sense of being globally accessible.
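An added example (mine, not from any poster in this thread) that puts together the pieces several posts describe separately: the private CA and certificates from the own-CA and mkcert posts, and the mandatory client certificate from the last two posts. It is a POSIX shell script driving the openssl CLI: a root CA, a server certificate with a SAN for the reverse proxy, one client certificate per device (also exported as a PKCS#12 bundle for importing on a phone), and the nginx server block with ssl_verify_client on in front of Vaultwarden. The hostname vault.example.internal, the 127.0.0.1:8080 upstream, the certificate directory and the P12_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA, proxy server cert and
# per-device client certs, plus the nginx block that makes a client cert
# mandatory (ssl_verify_client on) in front of Vaultwarden.
# Assumptions: openssl 1.1.1+, nginx proxies to Vaultwarden on 127.0.0.1:8080,
# hostname vault.example.internal, P12_PASS set to the bundle password.
set -eu

CA_DAYS=3650
LEAF_DAYS=825   # Apple platforms reject TLS leaf certs valid for longer than this

new_ec_key() {   # $1 = output path
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"
}

# Root CA, self-signed with `x509 -req -signkey` so the extensions come only
# from our ext file and not from whatever openssl.cnf the host ships.
make_ca() {   # $1 = directory; ca.key must never be copied to the Vaultwarden host
  dir=$1; mkdir -p "$dir"
  new_ec_key "$dir/ca.key"
  openssl req -new -key "$dir/ca.key" -subj "/CN=Home Vault Private CA" -out "$dir/ca.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days "$CA_DAYS" \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt"
}

# Sign $dir/$name.csr with the CA, applying the given extension lines.
sign_leaf() {   # $1 = dir, $2 = name, $3.. = extension lines
  dir=$1; name=$2; shift 2
  printf '%s\n' "$@" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$LEAF_DAYS" -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt"
}

make_server_cert() {   # $1 = dir, $2 = hostname (goes into the SAN)
  dir=$1; host=$2
  new_ec_key "$dir/server.key"
  openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
  sign_leaf "$dir" server 'basicConstraints=CA:FALSE' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$host"
}

# One cert per device, so a lost phone can be rotated without touching the rest.
make_client_cert() {   # $1 = dir, $2 = device name
  dir=$1; name=$2
  new_ec_key "$dir/$name.key"
  openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr"
  sign_leaf "$dir" "$name" 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth'
  # PKCS#12 bundle for import on a phone; older iOS may need -legacy on OpenSSL 3.
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -certfile "$dir/ca.crt" -passout "pass:${P12_PASS:?set P12_PASS to the bundle password}" \
    -out "$dir/$name.p12"
}

verify_chain() {   # $1 = ca.crt, $2 = cert; exit status is the verification result
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

write_nginx_conf() {   # $1 = hostname, $2 = directory holding the certs
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;

    ssl_certificate     $2/server.crt;
    ssl_certificate_key $2/server.key;

    # Mandatory mTLS: a client without a cert chaining to our CA is cut off at
    # the TLS handshake, so Vaultwarden's login (and any bug in it) is never reached.
    ssl_client_certificate $2/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # which device cert made the request, for the access log
        proxy_set_header X-Client-DN \$ssl_client_s_dn;
    }
}
EOF
}

# Usage: P12_PASS=... sh mtls-vault.sh setup /etc/nginx/vault vault.example.internal phone laptop
case "${1:-}" in
  setup)
    shift; dir=$1; host=$2; shift 2
    make_ca "$dir"; make_server_cert "$dir" "$host"
    for dev in "$@"; do make_client_cert "$dir" "$dev"; done
    write_nginx_conf "$host" "$dir" > "$dir/vault.conf"
    ;;
esac
```

nginx only needs ca.crt to verify clients, so ca.key can stay on the machine that issues certificates. Revoking a lost device means publishing a CRL (nginx's ssl_crl) or re-issuing everything from a new CA, which is the cost of the one-cert-per-device model. The websocket and remaining proxy settings are in the Vaultwarden wiki's nginx page, and the reservation in the post above about the mobile apps still applies: test the app on each platform against the mTLS endpoint before relying on it.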