Are there any Asuswrt-Merlin solutions for self-hosting your password manager Vault on the router hardware?

[domic]

Or how do you yourselves self-host without going all hardcore server rack or stationary power hungry PC server setup with Docker containers for everything etc?

 

[Viktor Jaep]

Or how do you yourselves self-host without going all hardcore server rack or stationary power hungry PC server setup with Docker containers for everything etc?

I am pretty extreme I would say and pay for a hosted LastPass subscription.

Not entirely sure I would trust hosting anything on a router like ours... with default root-level privileges across the board.

 

[Kal1975]

I have a small single board computer NAS running Docker.

One of the Docker images is a self-hosted version of Bitwarden. The browser extension and Android app all work fine with the self-hosted version.

 

[PeterR]

I run Vaultwarden (compatible with Bitwarden) on a SBC.

 

[Kal1975]

Vaultwarden is the most recent alternate flavour of Bitwarden for Docker on SBCs.

I haven't updated yet to it. Will update at some point in the near future. Everything is running fine now. I also set up a self-signed certificate and installed it on several of my devices.

 

[mma]

Is there a particular reason why you are using a self-signed certificate instead of LetsEncrypt?

 

[RMerlin]

Storing your passwords on the firewall that's directly facing the Internet is a really bad idea...

 

[Kal1975]

@mma Easy enough to create a self-signed certificate. Then you have full control and don't have to worry about any issues with managing the certificates through a 3rd party and any restrictions/requirements they have.

 

[domic]

Vaultwarden is the most recent alternate flavour of Bitwarden for Docker on SBCs.

I haven't updated yet to it. Will update at some point in the near future. Everything is running fine now. I also set up a self-signed certificate and installed it on several of my devices.

Would someone like Richard Stallman approve it if it's run on a Raspberry Pi with F(L)OSS software?

 

[tgl]

I've been down the self-signed cert route; did that for several years. Yeah, you can do it if you're willing to invest enough effort, but it's getting increasingly harder to persuade phones and other consumer gear to accept such certificates --- as well it should be, because if you can get your phone to accept some random certificate, so can a bad guy. If you value your time at more than minimum wage, I think it's better to spend some $$ for a real traceable-to-a-trusted-root cert.

Let's Encrypt is a plausible alternative, although as far as I can tell their authentication model requires you to be running a public-facing web server. If you were doing that anyway, a Let's Encrypt cert is basically free; but if you weren't, that is not something you want to buy into. The admin effort and security hazards are not negligible.

I also agree with the upthread point about not keeping security-critical data on your internet-facing router: that means a bad guy only needs to break into one machine to have your keys.

You should also consider what's your plan for backing up those keys: whichever machine you keep them on, you want another copy somewhere.

 

[eightiescalling]

Let's Encrypt is a plausible alternative, although as far as I can tell their authentication model requires you to be running a public-facing web server. If you were doing that anyway, a Let's Encrypt cert is basically free; but if you weren't, that is not something you want to buy into. The admin effort and security hazards are not negligible.

Actually, no. You can get. Letsencrypt cert through domain ownership - the challenge protocol works by amending domain records based on the challenge token given. No public facing website required.

A combination of nginx and auto-renewing letsencrypt certs using domain challenge works well for the range of locally hosted apps that only support http.

 

[PeterR]

I find it easier to run caddy webserver, obtaining and renewing the ssl/tls certificates is handled automatically.

 

[XIII]

EFF's certbot with the certbot-dns-cloudflare plugin works great for me (on a Raspberry Pi) to automatically renew SSL certificates.

 

[eightiescalling]

I find it easier to run caddy webserver, obtaining and renewing the ssl/tls certificates is handled automatically.

Looks interesting though I'm not sure I'm sold on the use of the self signed certs for internal traffic it mentions. That still leaves the headache of CA certs on individual devices. I might be missing something in the caddy docs though.

Now I've got it configured, the nginx container automatically renews the certs using dehydrated. To be honest the main issue was one that caddy seems to have - the integrations to various DNS providers. lexicon can help there though.

 

[mma]

Let's Encrypt is a plausible alternative, although as far as I can tell their authentication model requires you to be running a public-facing web server.

I used to think like that, but the acme.sh that is mentioned in the wiki page is a simple enough alternative for me. The only moment when something listens on ports 80 (HTTP) or 443 (HTTPS) is when that script runs. Yesterday, when my certificate had expired, I disabled the firewall for the few seconds that it took to renew the certificate (Prosody involves a slightly different procedure).

Yes, the renewal could be automated, but for a non-essential service I can afford some downtime.

Merlin said that it is a bad idea to store credentials on the router. I agree, when it comes to storing credentials to external services. But, any authenticated services that the router provides must store some credentials, such as user names and encrypted passwords or public keys of a public/private key pair. I do not see too much risk in that. My Prosody server might cache some messages that could leak to an attacker, but all users would use OMEMO end-to-end encryption.

If a service was really important, I’d definitely run it on a separate GNU/Linux server in the LAN, and define some NAT port forwarding rules in the router. That is what I did with my old closed-source router.

 

[PeterR]

Looks interesting though I'm not sure I'm sold on the use of the self signed certs for internal traffic it mentions. That still leaves the headache of CA certs on individual devices. I might be missing something in the caddy docs though.

Now I've got it configured, the nginx container automatically renews the certs using dehydrated. To be honest the main issue was one that caddy seems to have - the integrations to various DNS providers. lexicon can help there though.

I use duckdns.org ddns and caddy obtains certs from Letsencrypt.

 

[SomeWhereOverTheRainBow]

Let's Encrypt is a plausible alternative, although as far as I can tell their authentication model requires you to be running a public-facing web server. If you were doing that anyway, a Let's Encrypt cert is basically free; but if you weren't, that is not something you want to buy into. The admin effort and security hazards are not negligible.

zerossl is better.