Vaultwarden part 3/4: Publish to the Internet

Publish Vaultwarden to the Internet

Public access to our Vaultwarden instance

In the last article we set up a Vaultwarden instance in a container with Podman, nicely integrated with systemd. The container runs as an unprivileged user and starts at boot time. Nice!

Now we need to make Vaultwarden accessible over the Internet. There are many ways to solve this. We could set up port forwarding on our edge device to a reverse proxy like Caddy, Nginx or Traefik. Let's Encrypt could provide a certificate. No-IP or DynDNS would relieve us of the need for a static IP. We could also require a VPN to our firewall…

But personally I think Cloudflare has a more elegant solution: a tunnel.

Cloudflare tunnel

A Cloudflare Tunnel is a secure method for connecting your web server or application to Cloudflare’s network without exposing your server’s IP address to the public internet. It creates a private link between your server and Cloudflare, allowing traffic to be routed through Cloudflare’s global network. This approach offers enhanced security, performance, and ease of use compared to traditional methods such as port forwarding or reverse proxies.

The main benefits for our project:

  • Enhanced Security
    • No Open Ports: Cloudflare Tunnel eliminates the need to open ports on your router or firewall, reducing the attack surface and minimizing the risk of unauthorized access.
    • Automatic TLS Encryption: Traffic between the client and Cloudflare’s network is encrypted using TLS, ensuring secure communication without the need to manually configure SSL/TLS certificates.
  • Simplified Configuration
    • Ease of Setup: Setting up a Cloudflare Tunnel is straightforward and doesn’t require complex network configurations, such as adjusting NAT settings or configuring reverse proxy rules.
    • No Need for Public IP: You don’t need a static or public IP address for your server, as Cloudflare Tunnel handles the external connectivity.
  • DDoS Protection and Web Application Firewall (WAF)
    • DDoS Mitigation: Cloudflare’s global network provides robust protection against Distributed Denial of Service (DDoS) attacks, helping to ensure your website remains accessible even during an attack.
    • Web Application Firewall: Cloudflare offers a WAF that protects against common web vulnerabilities like SQL injection, cross-site scripting (XSS), and more.
  • Cost-Effective
    • Reduced Infrastructure Costs: By offloading tasks such as SSL termination, DDoS mitigation, and content caching to Cloudflare, you can reduce the burden on your server infrastructure and potentially lower hosting costs.
    • Free Plan Availability: Cloudflare offers a free plan that includes many of these features, making it an economical choice for small to medium-sized websites.

Configure the tunnel

If you don’t have a Cloudflare account, create one and log in to the Cloudflare dashboard. Move your domain to Cloudflare. This could be a potential show stopper, but the free plan is very generous.

Browse to Zero Trust, Networks, Tunnels and click Create Tunnel. Select Cloudflared and click Next.

[Screenshot: Cloudflared1]

Give your tunnel a name and click Save tunnel.

[Screenshot: Cloudflared2]

Select the operating system and architecture. In our case Red Hat and 64-bit. Copy the install commands and run them on the VM.

[Screenshot: Cloudflared3]

This will install the connector and establish the link with Cloudflare almost immediately.

[Screenshot: Cloudflared4]

Finally we need to tell Cloudflare which FQDN to use for our application, and where to find it. In my case the domain is pw.memosforadmins.com and the application can be found on http://localhost:8080.

[Screenshot: Cloudflared5]

Click Save tunnel. This will add a CNAME record pointing to the tunnel ID in the DNS zone.

We can now browse to https://pw.memosforadmins.com.

[Screenshot: Vaultwarden]

But there are no accounts yet, and in vault.yml we defined that signups are not allowed (VAULTWARDEN_SIGNUPS_ALLOWED: false). We can, however, invite new users. Browse to the admin page on https://pw.memosforadmins.com/admin and enter the secret (this is the argon2 secret we created earlier). Browse to Users, enter an email address and click Invite.

[Screenshot: Vaultwarden]

The user will receive an invitation with instructions on how to create an account on our shiny new Vaultwarden. Because Vaultwarden implements the Bitwarden server API, it’s compatible with the Bitwarden desktop application, browser extensions and mobile applications, which can be found here.

Verify the installation

In the admin portal, click on Diagnostics to view the diagnostics of the setup.

[Screenshot: Vaultwarden]

All green here.
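The Diagnostics page checks Vaultwarden from the inside. As an added example (not part of the original article), the script below checks the publishing steps from the outside: that the connector service is running, that the hostname we saved in the tunnel is a CNAME to Cloudflare (the record the dashboard created), that the Vaultwarden port only listens on loopback (only the local connector needs to reach it), and that the public URL answers through the tunnel. It assumes the hostname pw.memosforadmins.com and port 8080 from the article, that the connector was installed as the cloudflared systemd service, and that dig, ss, curl and systemctl are available on the VM.

```shell
#!/bin/sh
# Post-publication checks for Vaultwarden behind a Cloudflare Tunnel.
# Added example, not part of the original article. It assumes the hostname
# pw.memosforadmins.com used in the article, the Vaultwarden port 8080, and
# that the connector was installed as the cloudflared systemd service.
# Usage: ./vaultwarden-check.sh [hostname] [port]

HOST="${1:-pw.memosforadmins.com}"
PORT="${2:-8080}"

# Saving the tunnel in the dashboard adds a CNAME that points at
# <tunnel-id>.cfargotunnel.com. $1 is the CNAME target, as printed by
# `dig +short CNAME <host>` (with or without the trailing dot).
cname_is_tunnel() {
    case "$1" in
        *.cfargotunnel.com|*.cfargotunnel.com.) return 0 ;;
        *) return 1 ;;
    esac
}

# Only the local connector needs to reach Vaultwarden, so the port should
# listen on loopback only. $1 is the output of `ss -Hltn` (one listening
# socket per line, local address in column 4); $2 is the port to check.
# Returns 1 if any listener on that port binds a non-loopback address.
listeners_loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        {
            addr = $4
            n = split(addr, a, ":")
            if (a[n] != port) next                          # other port, ignore
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next  # loopback, fine
            bad = 1
        }
        END { exit bad + 0 }'
}

# $1 is the HTTP status code curl reported for the public URL. A 200 means
# Cloudflare forwarded the request through the tunnel and Vaultwarden answered.
https_status_ok() {
    [ "$1" = "200" ]
}

run_checks() {
    status=0

    if systemctl is-active --quiet cloudflared; then
        echo "OK   cloudflared service is running"
    else
        echo "FAIL cloudflared service is not active"; status=1
    fi

    target=$(dig +short CNAME "$HOST")
    if cname_is_tunnel "$target"; then
        echo "OK   $HOST is a CNAME to $target"
    else
        echo "FAIL $HOST does not point at a Cloudflare tunnel (got '$target')"; status=1
    fi

    if listeners_loopback_only "$(ss -Hltn)" "$PORT"; then
        echo "OK   port $PORT listens on loopback only"
    else
        echo "WARN port $PORT is reachable on a non-loopback address"; status=1
    fi

    code=$(curl -sS -o /dev/null -w '%{http_code}' "https://$HOST/")
    if https_status_ok "$code"; then
        echo "OK   https://$HOST/ answered 200 through the tunnel"
    else
        echo "FAIL https://$HOST/ returned HTTP $code"; status=1
    fi

    # The admin page is published too; it is protected only by the admin token.
    admin=$(curl -sS -o /dev/null -w '%{http_code}' "https://$HOST/admin")
    [ "$admin" = "200" ] && echo "NOTE /admin is reachable from the Internet; keep the admin token strong"

    return $status
}

# Run the checks only when executed as a script, so the helper functions
# can also be sourced and tested on their own.
case "${0##*/}" in
    vaultwarden-check.sh) run_checks ;;
esac
```

Save it as vaultwarden-check.sh on the VM and run it after each change to the tunnel or the container. A WARN on the loopback check means the container publishes port 8080 on all interfaces; in that case the service is reachable from the LAN as well as through the tunnel, which the tunnel setup was meant to avoid.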

What's next?

The work required to set this up again is minimal. Install a new VM, install Git and Ansible, get the playbook and your vault.yml and run it. Publish to the Internet and you’re done.

But as anyone who has been working in IT for a few years knows: “What goes up, must come down…”. We need to prepare for a disaster. We need an easy way to back up this sensitive data.

We’ll cover that in part 4.

Sven de Windt
Systems Administrator

Systems engineer with an interest in automation
