admin/diagnostics internet access don't work with nat64 #3947
-
I have tested a curl inside the container with curl -I https://github.com/dani-garcia/vaultwarden. It runs without any problems.
-
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, SIGNUPS_VERIFY_RESEND_TIME, SIGNUPS_VERIFY_RESEND_LIMIT, EMERGENCY_ACCESS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME
{
"_duo_akey": null,
"_enable_duo": false,
"_enable_email_2fa": true,
"_enable_smtp": true,
"_enable_yubico": false,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_smtp_img_src": "cid:",
"admin_ratelimit_max_burst": 10,
"admin_ratelimit_seconds": 60,
"admin_session_lifetime": 20,
"admin_token": "***",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * *",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_max_conns": 10,
"database_timeout": 30,
"database_url": "***************",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "*****://*******************",
"domain_origin": "*****://*******************",
"domain_path": "",
"domain_set": true,
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"email_attempts_limit": 3,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * *",
"emergency_request_timeout_schedule": "0 7 * * * *",
"enable_db_wal": true,
"event_cleanup_schedule": "0 10 0 * * *",
"events_days_retain": null,
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * *",
"incomplete_2fa_time_limit": 3,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Real-IP",
"job_poll_interval_ms": 30000,
"log_file": null,
"log_level": "Info",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "*********************,***************,*********************",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"push_enabled": false,
"push_installation_id": "***",
"push_installation_key": "***",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * *",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": false,
"signups_domains_whitelist": "",
"signups_verify": true,
"signups_verify_resend_limit": 5,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "**********",
"smtp_from_name": "\"Vault\"",
"smtp_host": "*****************",
"smtp_password": null,
"smtp_port": 25,
"smtp_security": "starttls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": null,
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"websocket_address": "0.0.0.0",
"websocket_enabled": false,
"websocket_port": 3012,
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}
-
@BlackDex did the output help? Do you need anything else?
-
I am in this exact same spot. I can curl/wget the URL from inside the container and it works fine. This is preventing logging in on the Android application when push notifications are enabled with the error:
Your environment (Generated via diagnostics page)
Config (Generated via diagnostics page)
Environment settings which are overridden:
{
"_duo_akey": null,
"_enable_duo": true,
"_enable_email_2fa": true,
"_enable_smtp": true,
"_enable_yubico": true,
"_icon_service_csp": "",
"_icon_service_url": "",
"_ip_header_enabled": true,
"_smtp_img_src": "cid:",
"admin_ratelimit_max_burst": 3,
"admin_ratelimit_seconds": 300,
"admin_session_lifetime": 20,
"admin_token": "***",
"allowed_iframe_ancestors": "",
"attachments_folder": "data/attachments",
"auth_request_purge_schedule": "30 * * * * *",
"authenticator_disable_time_drift": false,
"data_folder": "data",
"database_conn_init": "",
"database_max_conns": 10,
"database_timeout": 30,
"database_url": "***************",
"db_connection_retries": 15,
"disable_2fa_remember": false,
"disable_admin_token": false,
"disable_icon_download": false,
"domain": "*****://***********************************",
"domain_origin": "*****://***********************************",
"domain_path": "",
"domain_set": true,
"duo_host": null,
"duo_ikey": null,
"duo_skey": null,
"email_attempts_limit": 3,
"email_change_allowed": true,
"email_expiration_time": 600,
"email_token_size": 6,
"emergency_access_allowed": true,
"emergency_notification_reminder_schedule": "0 3 * * * *",
"emergency_request_timeout_schedule": "0 7 * * * *",
"enable_db_wal": true,
"event_cleanup_schedule": "0 10 0 * * *",
"events_days_retain": null,
"experimental_client_feature_flags": "fido2-vault-credentials",
"extended_logging": true,
"helo_name": null,
"hibp_api_key": null,
"icon_blacklist_non_global_ips": true,
"icon_blacklist_regex": null,
"icon_cache_folder": "data/icon_cache",
"icon_cache_negttl": 259200,
"icon_cache_ttl": 2592000,
"icon_download_timeout": 10,
"icon_redirect_code": 302,
"icon_service": "internal",
"incomplete_2fa_schedule": "30 * * * * *",
"incomplete_2fa_time_limit": 3,
"invitation_expiration_hours": 120,
"invitation_org_name": "Vaultwarden",
"invitations_allowed": true,
"ip_header": "X-Real-IP",
"job_poll_interval_ms": 30000,
"log_file": null,
"log_level": "Info",
"log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
"login_ratelimit_max_burst": 10,
"login_ratelimit_seconds": 60,
"org_attachment_limit": null,
"org_creation_users": "",
"org_events_enabled": false,
"org_groups_enabled": false,
"password_hints_allowed": true,
"password_iterations": 600000,
"push_enabled": true,
"push_identity_uri": "https://identity.bitwarden.com",
"push_installation_id": "***",
"push_installation_key": "***",
"push_relay_uri": "https://push.bitwarden.com",
"reload_templates": false,
"require_device_email": false,
"rsa_key_filename": "data/rsa_key",
"send_purge_schedule": "0 5 * * * *",
"sendmail_command": null,
"sends_allowed": true,
"sends_folder": "data/sends",
"show_password_hint": false,
"signups_allowed": true,
"signups_domains_whitelist": "",
"signups_verify": false,
"signups_verify_resend_limit": 6,
"signups_verify_resend_time": 3600,
"smtp_accept_invalid_certs": false,
"smtp_accept_invalid_hostnames": false,
"smtp_auth_mechanism": null,
"smtp_debug": false,
"smtp_embed_images": true,
"smtp_explicit_tls": null,
"smtp_from": "*****************************",
"smtp_from_name": "Vaultwarden",
"smtp_host": "**********************",
"smtp_password": "***",
"smtp_port": 465,
"smtp_security": "force_tls",
"smtp_ssl": null,
"smtp_timeout": 15,
"smtp_username": "**************************",
"templates_folder": "data/templates",
"tmp_folder": "data/tmp",
"trash_auto_delete_days": null,
"trash_purge_schedule": "0 5 0 * * *",
"use_sendmail": false,
"use_syslog": false,
"user_attachment_limit": null,
"user_send_limit": null,
"web_vault_enabled": true,
"web_vault_folder": "web-vault/",
"websocket_address": "\"::\"",
"websocket_enabled": false,
"websocket_port": 3012,
"yubico_client_id": null,
"yubico_secret_key": null,
"yubico_server": null
}
/home/deadc0de # docker exec -it app-vaultwarden-1 sh
Emulate Docker CLI using podman. Create /usr/etc/containers/nodocker to quiet msg.
# apt install wget -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
wget
0 upgraded, 1 newly installed, 0 to remove and 13 not upgraded.
Need to get 984 kB of archives.
After this operation, 3692 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 wget amd64 1.21.3-1+b2 [984 kB]
Fetched 984 kB in 0s (3757 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wget.
(Reading database ... 8810 files and directories currently installed.)
Preparing to unpack .../wget_1.21.3-1+b2_amd64.deb ...
Unpacking wget (1.21.3-1+b2) ...
Setting up wget (1.21.3-1+b2) ...
# wget github.com
URL transformed to HTTPS due to an HSTS policy
--2024-03-01 23:05:34-- https://github.com/
Resolving github.com (github.com)... 64:ff9b::8c52:7103, 140.82.113.3
Connecting to github.com (github.com)|64:ff9b::8c52:7103|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'
index.html.1 [ <=> ] 218.45K 1.32MB/s in 0.2s
2024-03-01 23:05:35 (1.32 MB/s) - 'index.html.1' saved [223690]
-
Looks like hickory-dns, which is enabled for reqwest in Vaultwarden, prefers IPv4 over IPv6 by default. Other than compiling vaultwarden with the hickory-dns feature flag removed from reqwest, it's most likely possible to work around this by hiding relevant A records in DNS ... Edit: seems to work fine after hiding A records from bitwarden.com zone, for example in CoreDNS:
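Why wget inside the container connects while an IPv4-first resolver leaves the application without a usable address, as an added example (not code from Vaultwarden, reqwest or hickory-dns): a simplified model of lookup strategies on an IPv6-only host behind NAT64/DNS64. The `Strategy` enum and all function names are this example's own, and "query the second family only when the first is empty" is an assumption about the IPv4-first behaviour the comment above describes.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// RFC 6052 well-known NAT64 prefix 64:ff9b::/96, as seen in the wget output above.
const WKP: [u16; 6] = [0x0064, 0xff9b, 0, 0, 0, 0];

/// What a DNS64 resolver does: embed the IPv4 address in the low 32 bits.
fn synthesize_aaaa(v4: Ipv4Addr) -> Ipv6Addr {
    let o = v4.octets();
    Ipv6Addr::new(WKP[0], WKP[1], WKP[2], WKP[3], WKP[4], WKP[5],
        u16::from_be_bytes([o[0], o[1]]), u16::from_be_bytes([o[2], o[3]]))
}

/// Simplified model of resolver lookup strategies (names are this example's own).
#[derive(Clone, Copy)]
enum Strategy { V4ThenV6, V6ThenV4, Both }

/// Addresses the HTTP client gets to try, given the A and AAAA answers.
fn lookup(s: Strategy, a: &[Ipv4Addr], aaaa: &[Ipv6Addr]) -> Vec<IpAddr> {
    let v4 = || a.iter().copied().map(IpAddr::V4);
    let v6 = || aaaa.iter().copied().map(IpAddr::V6);
    match s {
        // Assumption: the second family is only used when the first returned nothing.
        Strategy::V4ThenV6 => if a.is_empty() { v6().collect() } else { v4().collect() },
        Strategy::V6ThenV4 => if aaaa.is_empty() { v4().collect() } else { v6().collect() },
        Strategy::Both => v6().chain(v4()).collect(),
    }
}

/// An IPv6-only host behind NAT64 has no IPv4 route: only IPv6 targets connect.
fn reachable_on_v6_only(addrs: &[IpAddr]) -> Option<IpAddr> {
    addrs.iter().copied().find(|ip| ip.is_ipv6())
}

fn main() {
    let a = [Ipv4Addr::new(140, 82, 113, 3)]; // A record from the wget output
    let aaaa = [synthesize_aaaa(a[0])];       // DNS64-synthesized AAAA
    let cases = [("v4-then-v6", Strategy::V4ThenV6),
                 ("v6-then-v4", Strategy::V6ThenV4), ("both", Strategy::Both)];
    for (name, s) in cases {
        println!("{name}: {:?}", reachable_on_v6_only(&lookup(s, &a, &aaaa)));
    }
    // Workaround from the comment: hide the A record so only AAAA is answered.
    let hidden = lookup(Strategy::V4ThenV6, &[], &aaaa);
    println!("v4-then-v6, A hidden: {:?}", reachable_on_v6_only(&hidden));
}
```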
-
For me to test it, I need a 4to6 translation somehow. There are probably services out there which do such a thing, but I have not yet searched for it that well. If someone has something they use already, it would be nice if that could be shared.
-
FYI this should be fixed in the current
-
hi,
I installed a vaultwarden instance on an ipv6 only system with nat64 in place. The container got an ipv6 and can communicate with the world. But the diagnostic page shows that "Internet access" Error.