admin/diagnostics internet access don't work with nat64

[ruben-herold]

hi,

I installed a vaultwarden instance on an ipv6 only system with nat64 in place. The container got an ipv6 and can communicate with the world. But the diagnostic page shows that "Internet access" Error.

[ruben-herold]

I have tested a curl inside the container with curl -I https://github.com/dani-garcia/vaultwarden.. runs without any problems.

[BlackDex]

Not sure if and how can test this. I do not have access to an ipv6 only system that uses nat64.

Could you post the diagnostics support string please?

[ruben-herold]

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.29.2
• Web-vault version: v2023.7.1
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: false
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.41.2
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, SENDS_ALLOWED, SIGNUPS_ALLOWED, SIGNUPS_VERIFY, SIGNUPS_VERIFY_RESEND_TIME, SIGNUPS_VERIFY_RESEND_LIMIT, EMERGENCY_ACCESS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 10,
  "admin_ratelimit_seconds": 60,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*******************",
  "domain_origin": "*****://*******************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "*********************,***************,*********************",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 5,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "**********",
  "smtp_from_name": "\"Vault\"",
  "smtp_host": "*****************",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[ruben-herold]

@BlackDex did the output help? Do you need anything else?

[centerionware]

I am in this exact same spot. I can curl/wget from inside the container the url and it works fine. This is preventing logging in on the android application when push notifications are enabled with the error:

An error has occurred.

Error getting push token from bitwarden server: error sending request for url (https://identity.bitwarden.com/connect/token): error trying to connect: tcp connect error: Network is unreachable (os error 101)

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.3
• Web-vault version: v2024.1.2
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: false
• Internet access via a proxy: false
• DNS Check: false
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************************",
  "domain_origin": "*****://***********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "\"::\"",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

-------------------------------------------------- The following shows the results of going into the container and using wget to access github via the 64 since github famously doesn't have an ipv6 address.

/home/deadc0de # docker exec -it app-vaultwarden-1 sh
Emulate Docker CLI using podman. Create /usr/etc/containers/nodocker to quiet msg.
# apt install wget -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  wget
0 upgraded, 1 newly installed, 0 to remove and 13 not upgraded.
Need to get 984 kB of archives.
After this operation, 3692 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 wget amd64 1.21.3-1+b2 [984 kB]
Fetched 984 kB in 0s (3757 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wget.
(Reading database ... 8810 files and directories currently installed.)
Preparing to unpack .../wget_1.21.3-1+b2_amd64.deb ...
Unpacking wget (1.21.3-1+b2) ...
Setting up wget (1.21.3-1+b2) ...
# wget github.com
URL transformed to HTTPS due to an HSTS policy
--2024-03-01 23:05:34--  https://github.com/
Resolving github.com (github.com)... 64:ff9b::8c52:7103, 140.82.113.3
Connecting to github.com (github.com)|64:ff9b::8c52:7103|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'

index.html.1                                     [ <=>                                                                                         ] 218.45K  1.32MB/s    in 0.2s

2024-03-01 23:05:35 (1.32 MB/s) - 'index.html.1' saved [223690]

#

*** Formatting

[centerionware]

Quick followup, i found two ways to get it to work.. The first is the most obvious, give the VM and podman container ipv4 addresses. I don't like this, so instead I set up squid in the docker compose using this configuration file ( https://github.com/beigi-reza/docker-compose-squid/blob/main/config/squid.conf )
and set up the docker-compose for vaultwarden as such:

version: '3.8'
services:
  squid:
    image: ubuntu/squid:latest
    volumes:
      - /mnt/squid/squid.conf:/etc/squid/squid.conf
    networks:
      - vaultwarden-external
  vaultwarden:
    image: vaultwarden/server:latest
    ports:
      - '8115:80'
    volumes:
      - 'vaultwarden_data:/data/'
    networks:
      - vaultwarden-external
    environment:
      - ROCKET_ADDRESS="::"
      - WEBSOCKET_ADDRESS="::"
      - DOMAIN=${APP_URL}
      - HTTP_PROXY=squid:3128
      - HTTPS_PROXY=squid:3128
    env_file:
      - env
volumes:
  vaultwarden_data:
    driver: local

networks:
  vaultwarden-external:
    driver: bridge
    ipam:
      driver: default
      config:
       - subnet: fd49:3:2::/64
         gateway: fd49:3:2::1

This still says there's an error with the DNS but Login with device is working now, and I can login to the app on the phone.

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.3
• Web-vault version: v2024.1.2
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: true
• DNS Check: false
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************************",
  "domain_origin": "*****://***********************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*****************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**********************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "**************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "\"::\"",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[eplightning]

Looks like hickory-dns which is enabled for reqwest in Vaultwarden prefers IPv4 over IPv6 by default.

Other than compiling vaultwarden with hicory-dns feature flag removed from reqwest it's most likely possible to workaround this by hiding relevant A records in DNS ...

Edit: seems to work fine after hiding A records from bitwarden.com zone, for example in CoreDNS:

.:53 {
    ...

    template IN A bitwarden.com {
        rcode NXDOMAIN
    }

    forward . /etc/resolv.conf
    ...
}

[centerionware]

if this can be "easily" integrated into the compose and have VW use it I'd love to try it, but there's zero chance I'm going into my networks bind9's to add entries to override an external domain that's not mine, especially since it's mostly a dual stack network with the option for ipv6 only enabled for vm's that don't need ipv4.

[BlackDex]

For me to test it, i need a 4to6 translation somehow. There are probably services out there which do such a thing, but i have not yet searched for it that well.

If someone has something they use already, would be nice if that can be shared.

[centerionware]

I've set up a VM with guacamole and vaultwarden in my environment, it has podman installed in an Alpine environment, with both guac and vault running in podman in an ipv6 only environment behind nat64. This would be easier to send you details if github hadn't removed their DM feature thing. How can I send you the login details?

[BlackDex]

Sorry, i just see this message right now.
I have tested this on my own server using https://nat64.net/public-providers
That does make it clear for me what the issue is.

Ill see if i can address this in a good way :).
It is at least not a breaking item for the workings of the web-vault it self.

[BlackDex]

FYI this should be fixed in the current testing tagged containers.

[fabiopicchi]

Sorry for the necrobump, but I am still facing similar issues with the latest version of vaultwarden.
This is my support string:

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: SQLite
• Database version: 3.50.2
• Uses config.json: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: false
• Internet access via a proxy: false
• DNS Check: true
• TZ environment: Europe/Helsinki
• Browser/Server Time Check: true
• Server/NTP Time Check: n/a
• Domain Configuration Check: false
• HTTPS Check: false
• Websocket Check: false
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://*********",
  "domain_origin": "****://*********",
  "domain_path": "",
  "domain_set": false,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/data/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

In my case, I just wanted to be able to download icons, but all of them will simply timeout. The issue seems to be DNS related as I can get into the container and curl the exact same URL that vaultwarden tries to fetch for the icon.

root@toaster:~# docker exec -it 2f1c641c169d /bin/bash69d /bin/bash
root@2f1c641c169d:/# curl -L https://secure.backblaze.com/favicon.ico --output icon.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4286  100  4286    0     0   4228      0  0:00:01  0:00:01 --:--:--     0
root@2f1c641c169d:/#
exit
root@toaster:~# docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS                    PORTS                                                                      NAMES
294f3b99c2aa   nginx                       "/docker-entrypoint.…"   33 minutes ago   Up 33 minutes             0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   nginx
2f1c641c169d   vaultwarden/server:latest   "/start.sh"              33 minutes ago   Up 33 minutes (healthy)   80/tcp                                                                     bitwarden

I am not super familiar with networking, so I am not sure how I can debug this further. Any help is appreciated.

[stefan0xC]

• Domain Configuration Check: false
• HTTPS Check: false

You might want to fix this first by enabling HTTPS and setting a DOMAIN

vaultwarden/.env.template

Lines 194 to 206 in a2ad1dc

	## Domain settings
	## The domain must match the address from where you access the server
	## It's recommended to configure this value, otherwise certain functionality might not work,
	## like attachment downloads, email links and U2F.
	## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
	## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
	## Details:
	## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
	## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
	## For development
	# DOMAIN=http://localhost
	## For public server
	# DOMAIN=https://vw.domain.tld

Regarding the internet access: do you use IPv6? Do you have IPv6 enabled in Docker? etc. etc.

[fabiopicchi]

Oh, thanks for the quick reply. I will try that :)

However, I have debugged this a bit further with debug level logs and I think that the issue is that reqwest (or better hickory) defaults to IPv4 addresses and my VPC can't make IPv4 requests to the internet (I am on one of those cheap Hetzner servers and want to stay that way).

Check these logs:

[2025-09-18 16:44:50.282][request][INFO] GET /icons/secure.backblaze.com/icon.png
[2025-09-18 16:44:50.302][reqwest::connect][DEBUG] starting new connection: https://secure.backblaze.com/
[2025-09-18 16:44:50.306][hickory_proto::xfer::dns_handle][DEBUG] querying: secure.backblaze.com. A
[2025-09-18 16:44:50.310][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("secure.backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.313][hickory_resolver::name_server::name_server][DEBUG] reconnecting: NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-09-18 16:44:50.316][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("secure.backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.318][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 37119:QUERY:RD:NoError:QUERY:0/0/0
; query
;; secure.backblaze.com. IN A

[2025-09-18 16:44:50.322][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-09-18 16:44:50.330][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 37119
[2025-09-18 16:44:50.332][hickory_proto::error][DEBUG] response: ; header 37119:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; secure.backblaze.com. IN A
; answers 2
secure.backblaze.com. 300 IN A 104.17.5.3
secure.backblaze.com. 300 IN A 104.17.6.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.339][hickory_proto::error][DEBUG] response: ; header 37119:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; secure.backblaze.com. IN A
; answers 2
secure.backblaze.com. 300 IN A 104.17.5.3
secure.backblaze.com. 300 IN A 104.17.6.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.343][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:443
[2025-09-18 16:44:50.346][reqwest::connect][DEBUG] starting new connection: http://secure.backblaze.com/
[2025-09-18 16:44:50.347][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:80
[2025-09-18 16:44:50.348][vaultwarden::api::icons][DEBUG] [get_icon_url]: Trying without subdomains 'backblaze.com'
[2025-09-18 16:44:50.350][reqwest::connect][DEBUG] starting new connection: https://backblaze.com/
[2025-09-18 16:44:50.351][hickory_proto::xfer::dns_handle][DEBUG] querying: backblaze.com. A
[2025-09-18 16:44:50.351][hickory_resolver::name_server::name_server_pool][DEBUG] sending request: [Query { name: Name("backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.353][hickory_resolver::name_server::name_server][DEBUG] existing connection: NameServerConfig { socket_addr: 127.0.0.11:53, protocol: Udp, tls_dns_name: None, http_endpoint: None, trust_negative_responses: false, bind_addr: None }
[2025-09-18 16:44:50.354][hickory_proto::xfer][DEBUG] enqueueing message:QUERY:[Query { name: Name("backblaze.com."), query_type: A, query_class: IN }]
[2025-09-18 16:44:50.354][hickory_proto::udp::udp_client_stream][DEBUG] final message: ; header 43983:QUERY:RD:NoError:QUERY:0/0/0
; query
;; backblaze.com. IN A

[2025-09-18 16:44:50.357][hickory_proto::udp::udp_stream][DEBUG] created socket successfully
[2025-09-18 16:44:50.365][hickory_proto::udp::udp_client_stream][DEBUG] received message id: 43983
[2025-09-18 16:44:50.365][hickory_proto::error][DEBUG] response: ; header 43983:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; backblaze.com. IN A
; answers 2
backblaze.com. 300 IN A 104.17.6.3
backblaze.com. 300 IN A 104.17.5.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.367][hickory_proto::error][DEBUG] response: ; header 43983:RESPONSE:RD,RA:NoError:QUERY:2/0/0
; query
;; backblaze.com. IN A
; answers 2
backblaze.com. 300 IN A 104.17.6.3
backblaze.com. 300 IN A 104.17.5.3
; nameservers 0
; additionals 0

[2025-09-18 16:44:50.371][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.6.3:443
[2025-09-18 16:44:53.410][reqwest::connect][DEBUG] starting new connection: http://backblaze.com/
[2025-09-18 16:44:53.410][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.6.3:80
[2025-09-18 16:44:56.450][reqwest::connect][DEBUG] starting new connection: https://secure.backblaze.com/
[2025-09-18 16:44:56.450][hyper_util::client::legacy::connect::http][DEBUG] connecting to 104.17.5.3:443
[2025-09-18 16:44:59.490][vaultwarden::api::icons][WARN] Unable to download icon: Req.
[CAUSE] reqwest::Error {
    kind: Request,
    url: "https://secure.backblaze.com/favicon.ico",
    source: hyper_util::client::legacy::Error(
        Connect,
        ConnectError(
            "tcp connect error",
            104.17.5.3:443,
            Os {
                code: 101,
                kind: NetworkUnreachable,
                message: "Network is unreachable",
            },
        ),
    ),
}
[2025-09-18 16:44:59.495][response][INFO] (icon_internal) GET /icons/<domain>/icon.png => 200 OK

It never tries to resolve the domain to an IPv6 address somehow.

[BlackDex]

I think you need a NAT64 dns server, since if you use that, it shouldn't do that. For example, GitHub doesn't have IPv6 at all.
So, there is no way for anything to connect to it if there is no IPv6.

[fabiopicchi]

I would be fine with it not working when no IPv6 exists, but it should work if it does. I wonder if it is possible to configure hickory's strategy?
https://docs.rs/hickory-resolver/latest/hickory_resolver/config/enum.LookupIpStrategy.html

I opened an issue related to that.