Skip to content

Bitwarden (Vaultwarden) in Docker on a Synology NAS

UpdateDate
New guide Published29/12/2021
Updated with Admin Panel Options30/12/2021
Changed the port number from 8112 to 8122 so it doesn’t conflict with Deluge01/01/2021

Bitwarden is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.

This guide contains three parts:

  • Part 1 — Setting up the container via the DSM GUI
  • Part 2 — Setting up DDNS, Reverse Proxy and SSL
  • Part 3 — Setting up the Bitwarden Clients

Part 1 — Container Set up (DSM GUI)

Downloading the Vaultwarden Image

Open up Docker within DSM and navigate to the ‘Registry’ section and search for ‘vaultwarden’ in the search box and download the ‘vaultwarden/server’ version

vaultwarden lightweight rust version

The pop-up box will ask which version you want to download, make sure you choose ‘Latest’ from the list of available versions.

Select ‘Latest’ from the tags

You can check the status of the download over on the ‘Image’ tab.

Setting up the container

In Docker click on the ‘Image’ tab, in the list of your containers select the ‘vaultwarden/server’ image and click on ‘Launch’

You will now see the initial setup screen, you can change the name of the container, we are not going to change the resource limitations or make any changes to the Configure capabilities options.

General Settings

Next up we are going to click on the ‘Advanced Settings’ button, this will take you to a new window with a number of tabs which we are going to work through.

On the first tab enable ‘Auto Restart’ this will ensure Vaultwarden will automatically start up whenever you reboot your NAS.

Auto Restart Enabled

Volumes / Mounts

We can now move onto the volume tab in which we will be specifying the directories where Vaultwarden will store its configuration files and database.

Click on Add Folder, click on the ‘docker’ folder and create a new sub-folder called ‘vaultwarden’ select this folder and click ‘select’

Create a Vaultwarden subdirectory in /docker

In the Mount path section for this folder enter ‘/data’ it should now look like the screenshot below

Mount path set up

Network

Don’t make any changes here.

Port Settings

As Vaultwarden uses port 80 for its web interface by default we need to change this to ensure we don’t have any conflicts with DSM’s web functions.

You will see the Container Port section prefilled you must not change these ports. Change the ‘Local ports’ from Auto to the values below.

Local PortContainer PortType
30123012TCP
812280TCP
Port Settings

Links

Don’t make any changes here.

Environment Variables

We need to add two additional variables, the first disables any random person signing up for an account on your personal hosted version, the second enables to Admin panel which allows you to invite users.

The Admin panel is secured by the value you enter for the ‘Admin Token’ variable so make sure it is completely random and not guessable the longer, the better!

variableValue
SIGNUPS_ALLOWEDFALSE
ADMIN_TOKENcreate a very long random string
You must come and change this to false later

Almost Done

You have now completed the setup of the container.

Click on Apply to move back to the initial settings screen and then click next, you will be shown an overall summary of the settings we have specified, this is a good time to double-check everything is correct. Finally, click on Done and the container should start to boot.

You should now be able to access the web interface via the IP of your NAS followed by the port 8122

e.g 192.168.0.40:8122

Successful start up

You will not be able to register an account yet, as you must have a valid SSL certificate in place.

Part 2 – DDNS, SSL and Reverse Proxy

Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/

In order to successfully use reverse DNS you will also need to forward port 443 to you NAS IP. (You will need to check how to do this on your own router) This port is used for secure web traffic.

DDNS

A DDNS address allows you to get external access to DSM via a subdomain provided by Synology, this is useful on home internet connections where your ISP will change your IP address on a regular basis.

In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab

Click on ‘Add’, then fill out the following sections.

SectionValue
Service ProviderSynology
HostnameThis can be anything it will be used to access your NAS externally
Email:Log into your Synology account
External Address (IPv4)This should be filled in automatically
External Address (IPv6)This should be filled in automatically if your ISP is using IPv6
Get a Cert from Let’s EncryptTick this box
Enable HeartbeatTick this box

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

You should now test that you can access your Diskstation via the hostname you requested and not receive any SSL errors.

Reverse Proxy

So you don’t have to open up additional ports on your router for Vaultwarden we are going to set up a reverse proxy subdomain. This means you can access Bitwarden without using a port number as it will route all traffic through the secure 443 port.

Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.

We are now going to enter some rules, so when you access the URL specified you will automatically be sent to Bitwarden web UI.

Use the settings below, you will need to amend the Hostname sections in line with the hostname you registered earlier, and the IP of your NAS.

SettingValue
Reverse Proxy Name:bitwarden
Protocol:HTTPS
Hostname:bitwarden.xxx.synology.me (change the part after ‘bitwarden.’ to your own hostname you registered earlier.
Port:443
Protocol:HTTP
Hostname:Your NAS IP
Port:8122

You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.

SSL Working

As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.

Go to bitwarden.yourhostname.me/admin

Enter the admin token that you entered into the Environment Variables earlier to log in.

Admin Token

We need to change a few options to enable user sign up emails.

In General Settings. Amend the Domain URL to your own

Domain URL

Next you will need to amend your own email settings in the SMTP Email Settings section.

This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.

SMTP Email Settings

The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.

Users settings screen

You have now successfully set up Vaultwarden.

Part 3 — Setting Up the Bitwarden Clients.

Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.

It’s very easy to point these to your personal self-hosted version. In the main login screen click the Cog icon, then in the Server URL section enter the full URL for your web UI.

Self Hosted Server URL

You have now completed the guide.

Docker Compose

You can use the below code saved as vaultwarden.yml in ‘/docker/vaultwarden’ which you will need to create, this will do the entire process above in one quick command via SSH.

You will then need to follow the guide from Part 2 Onwards

version: "3.2"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - ROCKET_ENV=staging
      - ROCKET_PORT=80
      - ROCKET_WORKERS=10
      - SIGNUPS_ALLOWED=FALSE
      - ADMIN_TOKEN=YOUROWNLONGSTRING
    volumes:
      - /volume1/docker/vaultwarden:/data
    ports:
      - 3012:3012/tcp
      - 8122:80/tcp
    restart: unless-stopped
sudo docker-compose -f /volume1/docker/vaultwarden/vaultwarden.yml up -d

Throw me some bits or buy me a coffee?

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running the site, you can even buy me a coffee 🙂

Buy Me A Coffee
  • Bitcoin
  • Ethereum
  • Tether
  • Cardano
  • Polkadot
  • Binance coin
  • Litecoin
  • Bitcoin cash
  • Dogecoin
  • Monero
  • Omisego
Scan to Donate Bitcoin to bc1qfq8ccs2yar7aa60fye8wdpanwtvpqzvrys4h6u

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Tag/Note:- Donations
Scan to Donate Ethereum to 0x7C5A441a6Dd520a796442DC6DeFeFE88d79D95f3

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Tether to 0x7C5A441a6Dd520a796442DC6DeFeFE88d79D95f3

Donate Tether to this address

Scan the QR code or copy the address below into your wallet to send some Tether

Scan to Donate Cardano to addr1qysaldwdyqu9u8y9a0l5d35sqv202xr4768se8wevlexatepm76u6gpctcwgt6llgmrfqqc575v8ta50pjwajeljd6hsa6ggvv

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Polkadot to 14R7Xr3587UKYsnnLhvBd7YfVgXkW9i3FU4kHP8DocsdLSha

Donate Polkadot to this address

Scan the QR code or copy the address below into your wallet to send some Polkadot

Scan to Donate Binance coin to bnb14ye5rju74u5ythneaum2rjvp8eqep6wq8flghx

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Litecoin to LfNfer3aSqLx4p8KfbbkT96ArXLXLDPxoD

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Bitcoin cash to qqz9pgaxdz4mtdxqxnlk7apqmsn6qzw9j5pn5jpvrc

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Dogecoin to DCwbNzfYHx22MDSyEVLWgfjxziYHtcgwAM

Donate Dogecoin to this address

Scan the QR code or copy the address below into your wallet to send some Dogecoin

Scan to Donate Monero to 45qwFr42XiA8egC5z2HdSQ2FzzP9VR1MvD5Sicg4EhGvdvTutx9GsF6DeU8DHAsTZy2ShBERjCB5rdy8iQ9CFnFu9Z6Adgw

Donate Monero to this address

Scan the QR code or copy the address below into your wallet to send some Monero

Scan to Donate Omisego to 0x162fc7781D3C6c6f27197A3A92567b5DAF258f19

Donate Omisego to this address

Scan the QR code or copy the address below into your wallet to send some Omisego

Published inDockerSynology

6 Comments

  1. Hey there. Thanks for the guide. I’ve been running Bitwarden now for a couple of days, but began wondering if I was running the “latest” version. A Google search led me here to your guide (which would’ve been waaaay easier to follow compared to the guides I used). Anyhoo… dumb question: how do we make sure that our container is running the latest and greatest version of Bitwarden? Is there anything we need to do? Do updates to Valutwarden get pushed automagically?

    • Dr_Frankenstein Dr_Frankenstein

      Hey, you will need to either pull manual updates or setup watchtower to do it for you, both guides can be found on the left hand menu on this site

  2. OMG, so easy.
    First, you have to enable the Admin page, thus giving you access to various settings, like SMTP.
    To do this, stop the container, EDIT the environment Variables and add a new ADMIN_TOKEN and with any value (eg: 12345679)
    Start the container, navigate to https;//your bitwarden host/admin and there, enter the value of the ADMIN_TOKEN
    Now you will be able to configure SMTP settings

    • Dr_Frankenstein Dr_Frankenstein

      Your timing is perfect, I just updated the guide with the same

  3. Hi,

    Another great guide, as always!

    Is there anyway that I can make Bitwarden to send emails to people that I invite?
    I cannot seem to find a way to accomplish this.

    • Dr_Frankenstein Dr_Frankenstein

      Hey, glad you asked this, as from reading the read me it sounded like this was within the main users control panel. Let me do a little digging as it seems to have changed.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.