Self-Hosted Bitwarden Server IPv6 support

The self-hosted Bitwarden server isn’t useful to me right now because I require an IPv6-only installation, and the current docker-compose configuration doesn’t support listening on IPv6.

+1

IPv6 is currently not working for me either.

This is 2021; things should be v6 first, v4 second.

Hi, it is 2022. I have a paid license and I also need the IPv6 (only) functionality. Is there anything on the roadmap?

Hey everyone, sharing some insight from our integration team:

The Bitwarden self-hosted instance does support IPv6. Due to a limitation in Docker, you will not see the IPv6 addresses of connecting traffic inside the container logs - this is due to IPv4 traffic being directly NATed into the container network, while IPv6 traffic is handled by a userland proxy process on the host OS.

In order to see IPv6 addresses inside the container logs, you need to run a separate reverse proxy on the host OS listening on both v4 and v6 or just v6, and pass traffic into the Docker environment on v4-only with headers for the real client IPs. If you do not need to log the real client addresses in the containers, the default setup should be working on v4 and v6.

For additional support, you can contact our support team.
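
An added example, not part of the original post and not Bitwarden's code: when a host reverse proxy passes the real client IP in a header, the receiving side should honour X-Forwarded-For only when the connection comes from that proxy, otherwise any client can forge the address that ends up in the logs. The trusted ranges and the function names below are assumptions; 172.17.0.0/16 and fd00:78:49::/48 cover the ranges in the daemon.json posted later in this thread.

```python
import ipaddress

# Assumption: networks the reverse proxy connects from. Adjust to your setup.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "172.17.0.0/16", "fd00:78:49::/48")]


def _parse(value):
    """Parse one address token; return None if it is not a valid IP."""
    token = value.strip()
    if token.startswith("["):          # "[2001:db8::1]:443" -> "2001:db8::1"
        token = token[1:].split("]")[0]
    elif token.count(":") == 1:        # "203.0.113.9:51234" -> "203.0.113.9"
        token = token.split(":")[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    return getattr(addr, "ipv4_mapped", None) or addr


def _trusted(addr):
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXIES)


def client_ip(peer, x_forwarded_for=""):
    """Return the address to log, given the socket peer and the raw header."""
    peer_addr = _parse(peer)
    if peer_addr is None:
        raise ValueError("invalid peer address: %r" % peer)
    if not _trusted(peer_addr):
        return str(peer_addr)          # header from an untrusted peer is ignored
    # Walk right to left: the rightmost entries were appended by our proxies,
    # anything further left may have been supplied by the client itself.
    for token in reversed(x_forwarded_for.split(",")):
        hop = _parse(token)
        if hop is None:
            break                      # malformed entry: fall back to the peer
        if not _trusted(hop):
            return str(hop)
    return str(peer_addr)


if __name__ == "__main__":
    # Constructed sample: client-supplied "10.0.0.1" precedes the proxy's entry.
    print(client_ip("172.17.0.1", "10.0.0.1, 2001:db8::7"))
```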

I also had a lot of trouble bringing Bitwarden up with IPv6 (mixed with IPv4). But now it should work using Traefik.

Edit /etc/docker/daemon.json

{
  "dns": ["192.168.1.1", "192.168.1.2"],

  "iptables": true,
  "userland-proxy": false,
  "ipv6": true,
  "fixed-cidr-v6": "fd00:78:49::/80",
  "experimental": true,
  "ip6tables": true,
  "default-address-pools": [
    {"base": "172.17.0.0/16", "size": 24},
    {"base": "fd00:78:49:0::/64", "size": 64},
    {"base": "fd00:78:49:1::/64", "size": 64},
    {"base": "fd00:78:49:2::/64", "size": 64}
  ]
}

systemctl restart docker.service

Create traefik/docker-compose.yml

version: '3.7'

services:

  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
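      # Traefik's Docker provider reads container labels through this socket;
      # access to the Docker socket is root-equivalent on the host.
      - "/var/run/docker.sock:/var/run/docker.sock:rw"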
      - "/etc/timezone:/etc/timezone:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "./traefik.yml:/etc/traefik/traefik.yml:ro"
      - "./acme.json:/etc/traefik/acme.json:rw"
      - "./rules:/etc/traefik/rules:ro"
    networks:
      - reverse-proxy

networks:
  reverse-proxy:
    name: reverse-proxy
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    enable_ipv6: true

Create bwdata/docker/docker-compose.override.yml

version: '3'

services:

  nginx:
    labels:
      - "com.centurylinklabs.watchtower.enable=false"
      - "traefik.enable=true"
      - "traefik.docker.network=reverse-proxy"
      - "traefik.http.routers.bitwarden-proxy.rule=Host(`${BITWARDEN_HOST}`)"
      - "traefik.http.routers.bitwarden-proxy.entrypoints=websecure"
      - "traefik.http.routers.bitwarden-proxy.tls=true"
      - "traefik.http.routers.bitwarden-proxy.tls.certResolver=letsencrypt"
      - "traefik.http.routers.bitwarden-proxy.middlewares=hsts@file"
      - "traefik.http.routers.bitwarden-proxy.service=bitwarden-proxy-svc"
      - "traefik.http.services.bitwarden-proxy-svc.loadbalancer.server.port=8080"
    networks:
      - reverse-proxy

networks:
  reverse-proxy:
    external: true

  public:
    name: bitwarden-public
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    enable_ipv6: true

  default:
    name: bitwarden-internal
    driver_opts:
      com.docker.network.enable_ipv6: "true"
    enable_ipv6: true

Maybe one of you can review and agree to this?