Vault Server UI Not accessible outside localhost

I’m attempting to set up HashiCorp Vault on a server for the first time. I’m simply trying to see the UI from somewhere besides the localhost. After reading the instructions in the Vault setup tutorial, I walk away thinking about how simple this is going to be.

However, I’ve yet to be able to actually see the UI outside of the localhost, and I’m not sure if the problem is in my config.hcl file for Vault, or if the problem lies somewhere in my Debian Linux configuration (or if anyone knows what the typical gotchas are that block Vault on a vanilla Debian installation, if that really is what’s happening).

I’ve tried a series of configurations shown below:

Config A (Is it a Mask?)

Configuration

ui = true
storage "inmem" {}
// TCP Listener
listener "tcp" {
  address = "10.0.0.0:8200"
  tls_disable = "true"
}

Response

  • Connection refused on localhost
    • curl 127.0.0.1:8200/ui/
  • Remote never resolves
    • http://10.175.18.49:8200/ui/

Config B (Can I open up ‘everything’?)

Configuration

ui = true
storage "inmem" {}
// TCP Listener
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}

Response

  • HTML populates on localhost!! (yay!)
    • curl 127.0.0.1:8200/ui/
  • Remote never resolves
    • http://10.175.18.49:8200/ui/

Config C (Do I just hardcode the IP?)

Configuration

ui = true
storage "inmem" {}
// TCP Listener
// Assumes machine pings on 10.175.18.49
listener "tcp" {
  address = "10.175.18.49:8200"
  tls_disable = "true"
}

Response

  • Connection refused on localhost
    • curl 127.0.0.1:8200/ui/
  • Remote never resolves
    • http://10.175.18.49:8200/ui/

:notebook: NOTE: I’m launching Vault into a container using this command:
docker run --cap-add=IPC_LOCK -p 8200:8200 -v /tmp/vault:/tmp/vault -d --name=dev-vault vault server -config /tmp/vault/config.hcl

:notebook: NOTE: I’ve masked the IPs in this post.

I think you want
address = "0.0.0.0:8200"
in order to bind to all interfaces, which is your B option.
When you say remote, do you mean the container’s host or trying from another computer?

Ah, when I say “local” I meant the container’s host machine.

When I say “remote” I’m trying from another computer on the same network. I can ping between the machines, ssh between them, even launch nginx sample containers and view them in browser.

Running a firewall between or iptables?


It’s nice to have the sanity check on my configuration. Thank you.

I suppose it’s down to me and a fine tooth comb. :rescue_worker_helmet:

Found it. ACL between the subnets. Wuff.

Thank you @mikegreen!
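A small shell helper, added here and not part of the thread or of Vault itself, that pulls the listener address out of a config.hcl like the three above and states what that bind choice means for a container started with `docker run -p 8200:8200`, ending with the network-path check that turned out to be the answer (the function names and verdict strings are my own; the sample config is constructed):

```shell
#!/bin/sh
# Added example: classify the "address" of a Vault "listener tcp" block.
# With "docker run -p 8200:8200" the host port is forwarded to the
# container, so Vault must bind an address that exists inside the
# container's own network namespace, which 0.0.0.0 always does.

# Print the first listener address found in a config.hcl read on stdin.
listener_address() {
  sed -n 's/^[[:space:]]*address[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print a verdict for a "host:port" string; the word before the first
# colon is a stable label, the rest is the explanation.
classify_bind() {
  [ -n "$1" ] || { echo "no-address: no listener address found"; return 1; }
  host=${1%:*}
  port=${1##*:}
  case "$host" in
    0.0.0.0)
      echo "all-interfaces: bound on every container interface, so the published port $port forwards to it; if the host can reach it but a remote machine cannot, the gap is on the network path (host firewall, iptables, or an ACL between the subnets)" ;;
    127.0.0.1|localhost)
      echo "loopback-only: reachable only from inside the container; the published port cannot forward to it" ;;
    *.0)
      echo "network-address: $host ends in .0 and is normally a network address, not a host; the listener cannot bind it" ;;
    *)
      echo "specific-ip: binds only if $host is assigned to an interface inside the container, which the host's own IP is not under the default bridge network" ;;
  esac
}

# Constructed sample matching "Config B" from the thread.
SAMPLE_CONFIG='ui = true
storage "inmem" {}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = "true"
}'

# Stand-alone use: pass a config.hcl path, or run without arguments
# to classify the constructed sample.
if [ -n "$1" ] && [ -f "$1" ]; then
  classify_bind "$(listener_address < "$1")"
elif [ -z "$1" ]; then
  classify_bind "$(printf '%s\n' "$SAMPLE_CONFIG" | listener_address)"
fi
```

Once the verdict is "all-interfaces", the remaining checks are a curl of http://127.0.0.1:8200/ui/ on the container's host and the same URL with the host's IP from the remote machine; success on the first and failure on the second points at the network path rather than at Vault.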