Skip to content

Bitwarden (Vaultwarden) in Docker on a Synology NAS

UpdateDate
New guide Published29/12/2021
Updated with Admin Panel Options30/12/2021
Changed the port number from 8112 to 8122 so it doesn’t conflict with Deluge01/01/2021
Updated screenshots and steps for DSM7.1 17/06/2022
Added new port settings and Docker Bridge Network23/07/2022


What is Bitwarden/Vaultwarden?

Bitwarden (Vaultwarden) is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.

Let’s Begin

This guide contains three parts:

  • Part 1 — Setting up the container via the DSM GUI
  • Part 2 — Setting up DDNS, Reverse Proxy and SSL
  • Part 3 — Setting up the Bitwarden Clients

Before we start head over to the short guide below to set up a Bridge Network

Part 1 — Container Set up (DSM GUI)

Downloading the Vaultwarden Image

Open up Docker within DSM and navigate to the ‘Registry’ section and search for ‘vaultwarden’ in the search box and download the ‘vaultwarden/server’ version

The pop-up box will ask which version you want to download, make sure you choose ‘Latest’ from the list of available versions.

Select ‘Latest’ from the tags

You can check the status of the download over on the ‘Image’ tab.

Setting up the container

In Docker click on the ‘Image’ tab, in the list of your containers select the ‘vaultwarden/server’ image and click on ‘Launch’

You will be greeted with the Network screen, we will be using the ‘synobridge’ network we created earlier select it from the list and click Next.

General Settings

Next you will be greeted with the General Settings screen, this is where you can start specifying some of your preferences.

You can change the name of the container to anything you like, and you may want to enable Auto Restart as this will ensure the container starts automatically if you reboot your NAS.

You will also notice a Configure capabilities button — don’t change anything in here!

Next up we are going to click on the ‘Advanced Settings’ button, this will take you to a new window with a number of tabs which we are going to work through.

Environment

We need to add two additional variables, the first disables any random person signing up for an account on your personal hosted version, the second enables the Admin panel which allows you to invite users.

The Admin panel will be secured by the value you enter for the ‘Admin Token’ variable so make sure it is completely random and not guessable the longer, the better!

VariableValue
SIGNUPS_ALLOWEDFALSE
ADMIN_TOKENcreate a very long random string
You must come and change this to false later

You do not need to set up anything on these tabs.

Press ‘Save’ to go back to the initial setup screen, then press ‘Next’

Port Settings

As Vaultwarden uses port 80 for its web interface by default we need to change this to ensure we don’t have any conflicts with DSM’s web functions.

You will see the Container Port section prefilled you must not change these ports. Change the ‘Local ports’ from ‘Auto’ to the values below.

Local PortContainer PortType
30123012TCP
812280TCP
Port Settings

Volume Settings

We will now be specifying the directories where Vaultwarden will store its configuration files and database.

Click on Add Folder, click on the ‘docker’ share and create a new sub-folder called ‘vaultwarden’ click on this folder and click ‘select’

In the Mount path section for this folder enter ‘/data’ it should now look like the screenshot below, click next.

Summary

You have now completed the setup of the container.

You will be shown an overall summary of the settings we have specified, this is a good time to double-check everything is correct. Finally, click on Done and the container should start to boot.

You should now be able to access the web interface via the IP of your NAS followed by the port 8122

e.g 192.168.0.40:8122

Successful start up

You will not be able to register an account yet, as you must have a valid SSL certificate in place.

Part 2 – DDNS, SSL and Reverse Proxy

Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/

In order to successfully use reverse DNS you will also need to forward port 443 to you NAS IP. (You will need to check how to do this on your own router) This port will be used for secure web traffic.

DDNS

A DDNS address allows you to get external access to Vaultwarden and other services via a subdomain provided by Synology, this is useful on home internet connections where your ISP may change your IP address on a regular basis.

Note: If you want to access DSM via this new address you will either need to create an additional Reverse Proxy for it or open port 5001 on your router.

In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab

Click on ‘Add’, then fill out the following sections.

SectionValue
Service ProviderSynology
HostnameThis can be anything it will be used to access your NAS externally
Email:Log into your Synology account
External Address (IPv4)This should be filled in automatically
External Address (IPv6)This should be filled in automatically if your ISP is using IPv6
Get a Cert from Let’s EncryptTick this box
Enable HeartbeatTick this box

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

Reverse Proxy

So you don’t have to open up additional ports on your router for Vaultwarden we are going to set up a reverse proxy subdomain. This means you can access Vaultwarden without using a port number as it will route all traffic through the secure 443 port.

This can be used for any service on your NAS, it will see the address asked for and internally redirect the request to the port number specified.

Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.

We are now going to enter some rules, so when you access the URL specified you will automatically be sent to Vaultwarden web UI.

Use the settings below, you will need to amend the Hostname section in line with the hostname you registered earlier, and the IP of your NAS.

SettingValue
Reverse Proxy Name:bitwarden
Protocol:HTTPS
Hostname:bitwarden.xxx.synology.me (change the part after ‘bitwarden.’ to your own hostname you registered earlier.
Port:443
Protocol:HTTP
Hostname:Your NAS IP
Port:8122

You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.

SSL Working

Setting up the Admin Settings

As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.

Go to bitwarden.yourhostname.me/admin

Enter the admin token that you entered into the Environment Variables earlier to log in.

Admin Token

We need to change a few options to enable user sign up emails.

In General Settings. Amend the Domain URL to your own.

Domain URL

Next you will need to amend your own email settings in the SMTP Email Settings section.

This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.

SMTP Email Settings

The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.

Users settings screen

You have now successfully set up Vaultwarden.

Part 3 — Setting Up the Bitwarden Clients.

Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.

It’s very easy to point these to your personal self-hosted version. In the main login screen click the Cog icon, then in the Server URL section enter the full URL for your web UI.

Self Hosted Server URL

You have now completed the guide, I have added an FAQ to page 2 of this guide.

Docker Compose

You can use the below code saved as vaultwarden.yml in ‘/docker/vaultwarden’ which will get the container set up, You will then need to follow the guide from Part 2 onwards.

version: "3.8"
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    environment:
      - ROCKET_ENV=staging
      - ROCKET_PORT=80
      - ROCKET_WORKERS=10
      - SIGNUPS_ALLOWED=FALSE
      - ADMIN_TOKEN=YOUROWNLONGSTRING
    volumes:
      - /volume1/docker/vaultwarden:/data
    network_mode: synobridge
    ports:
      - 3012:3012/tcp
      - 8122:80/tcp
    restart: unless-stopped
sudo docker-compose -f /volume1/docker/vaultwarden/vaultwarden.yml up -d


Throw me some bits or buy me a coffee?

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running the site, you can even buy me a coffee 🙂

Buy Me A Coffee
Doge / Ethereum / Bitcoin

Pages: 1 2

Published inDockerSynology

42 Comments

  1. Hoolsten Hoolsten

    Thanks for the awesome tutorial, but for some reason i´m struggeling hard with the reverse proxy I guess.

    My network contains some security cams wich are also avaiable via the internet, this is why port 443 is already used. So I followed your tutorial and when i noticed that the port is already used I switched to 8443.
    I replaced the port everywhere i could think of i n this regard … but the bitwarden.mydomain.synology.me is still leading to the GUI of the cam …
    Im about to lose my sanity over this one ^^’

    Any Idea why this is happening?

    • Dr_Frankenstein Dr_Frankenstein

      Hey, you must use port 443 as it is what all http SSL connection use and the port where the DNS server will send any requests to your network, you can get around this by using two reverse proxies.

      Port forward 443 away from you cameras to your NAS and create a reverse proxy such as cams.yoursynodomain.cloud this then points to the address for your cameras, I am making the assumption they all sit on a single webui? This then frees the port up for as many reverse proxy addresses you want. Reach out on email or Discord if you have any trouble.

    • Dr_Frankenstein Dr_Frankenstein

      Glad we sorted this out

  2. Tyler Tyler

    Hi there, great tutorial. Just a quick question related to getting the Bitwarden App on mobile to connect to my Nas server as I’m having some problems.

    I have the docker container running successfully already, there’s no issues with that. I have a Synology DDNS address and have set it up and I can access my Vaultwarden instance on my desktop computer and using the web browser of my mobile phone (I’m on Android 10). My firewall is routing properly as I can access the instance so shouldnt be any issues there. I’m using Nginx Proxy Manager on Synology as opposed to Synology’s Reverse Proxy.

    My issue is trying to get the Bitwarden App on my Android Phone to connect to my Vaultwarden Instance. Everytime I try to login to my instance, I get the following error:

    “An error has occured. Exception message: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.”

    This error is driving me crazy and I cant figure out why. Can you please shed ANY light why this is please? I would be eternally grateful.

    • Dr_Frankenstein Dr_Frankenstein

      Hey – I am also using Nginx Proxy Manager in my personal setup without any workarounds, however this sounds like this issue.

      https://community.bitwarden.com/t/android-client-login-bitwarden-https-cert-problem/12132/11

      Before you do that when you connect with your Browser check who signed the certificate it should be Let’s Encrypt make sure It’s still not showing as a self-signed certificate.

      See the solution at the bottom of the page on the link above around installing the Let’s Encrypt Intermediate cert on your phone

  3. Travis Travis

    So after I setup the reverse proxy and try to access the URL, I’m getting that an error from Pfsense that reads, “Potential DNS Rebind attack deteced, see (DNS Rebinding wiki page), Try accessing the router by IP address instead of by hostname

      • Travis Travis

        This issue was fixed. I input a host override for the URL and had to flush my DNS. Now I’m confused as to what all I need to put in for the SMTP settings. I’m just trying to send from gmail for now for context

        • Travis Travis

          To be more specific, the SMTP Email Settings look slightly different for me. I have a field for Secure SMTP in which ‘starttls’ was autofilled. I assume that means its using TLS. According to gmail’s smtp document, TLS should be on port 587 which was also autofilled correctly. Using my email for the From Address as well as the username. SMTP Auth Mechanism is left blank. When I try to send a test email I get an error stating that an application-specific password is required.

          • Travis Travis

            Looks like I can’t comment on the post below but that worked for me! Everything is now functioning properly. Thanks for all the help!

          • Dr_Frankenstein Dr_Frankenstein

            Glad it’s working, been multi-tasking tonight so run out of hands to come back earlier.

  4. Will8475 Will8475

    cannot get this to work. It keeps redirecting me to DSM login page.

      • Will8475 Will8475

        Yes I’ve used the https://bitwarden.mydomain.me. It just keeps redirecting me to DSM. I even reverse proxied another container to see if I was doing something wrong. It worked perfectly.

        • Dr_Frankenstein Dr_Frankenstein

          Have you managed to get to the admin panel yet to update it with your domain name.

          • Will8475 Will8475

            I just fixed it. I had to clear the cache on Chrome for it to work. Thank You for responding

          • Dr_Frankenstein Dr_Frankenstein

            Ahh glad it was a simple fix

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!