i may be experiencing a general DNS issue while connecting via VPN… the vault server is accessible over https (the server functions, and https access functions), but to get the vault server to resolve properly i had to set up a hard mapping locally - the browser access (required to set up the account initially) worked perfectly via a manual hosts file mapping, and then i tried to broaden out the accessibility/flexibility by hard coding the mapping on my router (all DNS traffic goes through my router’s built in resolver - the LAN clients all get passed the router’s gateway address as the only DNS server, and all other DNS traffic is dropped by firewall rule, if i remember correctly).
the new data i have today is that when my laptop is connecting over VPN, the browser can get to the vault server using the hostname mapping and over https (as required by direct browser access), but the bitwarden chrome extension required the numerical http address to and port number be entered in order to sync; the extension would not work after entering just the https hostname.
that makes me think that either i’m mistaken about what’s going on with DNS, or the extension and perhaps the iOS app have a selection of DNS server IPs hard coded into them in such a way to override the host OS DNS server entries. i would expect iOS to have some issues with DNS over VPN, and that maybe the iOS bitwarden app might fall prey to Apple’s choices about DNS in a VPN environment, but the bitwarden extension having its own DNS servers (separate from what the browser is using) would be a surprise.
i’ll be able to be more precise about the above tonight i think. i can be more careful about when i’m flushing DNS cache on the laptops to make sure about what i’m seeing. all i know for sure right this second is that using the win10 hosts file to map the vault server IP address to the hostname i’ve selected (vault.synology) works to get chrome on that win10 machine to access the vault server directly over https properly. (i can’t remember if the browser extension worked too.)
tonight i’ll try to make an exhaustive matrix of https/not-https for browser, browser extension, iOS app, in the context of hosts file DNS mapping, router DNS mapping, and VPN DNS mapping.
my guess is that it’s 90% likely that my hard coded DNS mapping isn’t translating properly over VPN.
if i can get bitwarden to work with a self signed cert, locally hosted vault server, sync only accessible over VPN, then this will be an easily implementable and otherwise perfect setup for moving away from some less reliable password managers, and with a nice security boost (in my opinion, anyway).
oh, another surprise today - i can’t edit a password entry (i.e., i can’t update the password database if i want to change a password) without being able to sync immediately upon save. i had hoped that i could run essentially fully locally, updating my device vault here and there, and then only sync at the end of the day (unless i wanted to force an update earlier), but that does not seem to be the case. that would be a pretty cool option, though it would raise potential issues with out of order syncing (not a big deal i don’t think).