Skip to content

Vaultwarden (Bitwarden) in Docker on a Synology NAS

Please note if you are using DSM7.2 or higher you should use the Container Manager version of this guide from the menu.
UpdateDate
Adjusted the Reverse Proxy for WebSockets28/08/2023
Historic updates now at the end of the guide.


What is Vaultwarden/Bitwarden?

Vaultwarden is a rewrite of the official Bitwarden server using the Rust language, it was created to reduce the need for the number of containers required for the official server.

It is compatible with all the official Bitwarden apps and Browser extensions. It is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.

Let’s Begin

This guide contains three parts:

  • Part 1 — Setting up the container via the DSM GUI
  • Part 2 — Setting up DDNS, Reverse Proxy and SSL
  • Part 3 — Setting up the Bitwarden Clients

Before we start head over to the short guide below to set up a Bridge Network

Part 1 — Container Set up (DSM GUI)

Downloading the Vaultwarden Image

Open up Docker within DSM and navigate to the ‘Registry’ section and search for ‘vaultwarden’ in the search box and download the ‘vaultwarden/server’ version

The pop-up box will ask which version you want to download, make sure you choose ‘Latest’ from the list of available versions.

Select ‘Latest’ from the tags

You can check the status of the download over on the ‘Image’ tab.

Setting up the container

In Docker click on the ‘Image’ tab, in the list of your containers select the ‘vaultwarden/server’ image and click on ‘Launch’

You will be greeted with the Network screen, we will be using the ‘synobridge’ network we created earlier select it from the list and click Next.

General Settings

Next you will be greeted with the General Settings screen, this is where you can start specifying some of your preferences.

You can change the name of the container to anything you like, and you may want to enable Auto Restart as this will ensure the container starts automatically if you reboot your NAS.

You will also notice a Configure capabilities button — don’t change anything in here!

Next up we are going to click on the ‘Advanced Settings’ button, this will take you to a new window with a number of tabs which we are going to work through.

Environment

We need to add two additional variables, the first disables any random person signing up for an account on your personal hosted version, the second enables the Admin panel which allows you to invite users.

Argon2 Hashing

As of version 1.28 of Vaultwarden it is recommended to create an Argon2 hashed admin token rather than using a plaintext one. We will be doing this via the Argon2 Hash Generator online if you wish to do this via SSH follow the instructions here.

Go to https://argon2.online/ and enter the following variables into the form and then press ‘Generate Hash’.

OptionVariable to Select or Enter
Plain Text InputEnter either a long string of characters or a secure long ‘password’ aka token, you will use this to log in to your admin panel, so it needs to be secure, and you must remember it!
SaltPress the Cog it will generate a random string of characters
Parallelism Factor4
Memory Cost65540
Iterations3
Hash Length64
Three Argon VersionsSelect Argon2id

As you can see above we have generated our hash.

We can now enter the amended hash into our Environment section.

VariableValue
SIGNUPS_ALLOWEDFALSE
ADMIN_TOKENYour hashed admin token from above
You must come and change this to false later

You do not need to set up anything on these tabs.

Press ‘Save’ to go back to the initial setup screen, then press ‘Next’

Port Settings

As Vaultwarden uses port 80 for its web interface by default we need to change this to ensure we don’t have any conflicts with DSM’s web functions.

You will see the Container Port section prefilled you must not change these ports. Change the ‘Local ports’ from ‘Auto’ to the values below.

Local PortContainer PortType
30123012TCP
812280TCP
Port Settings

Volume Settings

We will now be specifying the directories where Vaultwarden will store its configuration files and database.

Click on Add Folder, click on the ‘docker’ share and create a new sub-folder called ‘vaultwarden’ click on this folder and click ‘select’

In the Mount path section for this folder enter ‘/data’ it should now look like the screenshot below, click next.

Summary

You have now completed the setup of the container.

You will be shown an overall summary of the settings we have specified, this is a good time to double-check everything is correct. Finally, click on Done and the container should start to boot.

You should now be able to access the web interface via the IP of your NAS followed by the port 8122

e.g 192.168.0.40:8122

Successful start up

You will not be able to register an account yet, as you must have a valid SSL certificate in place.

External Access

You have some choices when it comes to making your new container accessible from outside your home network, these come with different levels of security and convenience. This mini section is generic but covers the basics of getting this guide up and running and is entirely optional.

  • Synology’s DDNS (Dynamic Domain Name System) with a TLS Certificate and Reverse Proxy
    This is useful if you have some family members or friends that need access to something like Overseerr or Jellyseer and is covered below.

  • Tailscale or Wireguard VPN
    If just you are accessing these services, and you don’t want to expose them to the internet this would be the more secure choice. See my other separate guides.

  • Cloudflare Tunnels
    I don’t currently use these, so I would recommend watching the Wundertech guide on how they work.

A note on Double NAT or CGNAT
Unfortunately more ISPs are moving to these methods of address allocation as the IPv4 address space is getting low on available addresses. If your ISP is doing this your choices are more limited.

You can test if this is the case by checking the WAN IP on your Router/Modem settings and then comparing it to the one shown on portchecker.co. If they are different you are likely Double NAT and will either need to see if you can pay your ISP for a standard IPv4 address or use Tailscale or Cloudflare Tunnels for access.

Using the built-in tools on DSM

The first step of this process is to forward port 443 on your Router to your NAS IP Address, how you do this will depend on your router model, so please refer to its manual.

Router (External):443 > NASIP (Internal):443

Next make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/ If you already have this set up move to the next step.

DDNS (Dynamic Domain Name System)

A DDNS address allows you to get external access to your container via an address provided by Synology, this is useful on home internet connections where your ISP will change your IP address on a semi-regular basis.

In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab

Click on ‘Add’, then fill out the following sections.

SectionValue
Service ProviderSynology
HostnameThis will be the unique address just for you so keep the name generic.
minecraft.synology.me = BAD
myawesomenas.synology,me =GOOD
Email:Log into your Synology account
External Address (IPv4)This should be filled in automatically
External Address (IPv6)This should be filled in automatically if your ISP is using IPv6
Get a Cert from Let’s EncryptTick this box
Enable HeartbeatTick this box

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

Reverse Proxy

We are going to set up a reverse proxy subdomain for the address you just register. This means you and your users can access the container without using a port number as it will route all traffic through the secure 443 port.

Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.

We are now going to enter some rules, so when you or your users access the URL specified the request will automatically be sent to the containers web UI.

Use the settings below, you will need to amend the Hostname sections in line with the hostname you registered earlier, and the IP of your NAS.

SettingValue
Reverse Proxy Name:Give it a meaningful name in line with the container you are setting up.
Protocol:HTTPS
Hostname:containername.xxx.synology.me
containername‘ will be the name you want to use to access this container
.xxx.synology.me‘ will be the exact name you registered earlier
Port:443
Protocol:HTTP
Hostname:‘localhost’ or your NAS IP address
Port:The UI Port Number from the yaml in the guide you are following

On the second tab ‘Custom Header’ click on Create then WebSocket, this will add two entries for WebSockets to function correctly, you can now press save.

You should now be able to access the web UI of the container by going to the address you just set up in the reverse proxy, it will be a secure connection, and you should have no certificate errors.

You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.

SSL Working

Setting up the Admin Settings

As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.

Go to bitwarden.yourhostname.me/admin

Enter the admin token which is the string of text or ‘password’ you used to create the Argon2 token (you don’t use the actual Argon2 string).

Admin Token

We need to change a few options to enable user sign up emails. (Please note that you will not be able to use Gmail SMTP in this step as they have disabled ‘unsecure’ 3rd party application login. Also, if you plan on using Yahoo you will need to set up an app specific password – as shown in this guide)

In General Settings. Amend the Domain URL to your own.

Domain URL

Next you will need to amend your own email settings in the SMTP Email Settings section.

This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.

The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.

Users settings screen

You have now successfully set up Vaultwarden.

Part 3 — Setting Up the Bitwarden Clients.

Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.

It’s very easy to point these to your personal self-hosted version. In the main login screen click the ‘Logging in on:’ and select ‘Self-hosted’

In the pop-up screen enter your full address for the server e.g. https://vaultwarden.xyz.synology.me

You have now completed the guide.

FAQ

Q) I am receiving the notice “You are using a plain text ADMIN_TOKEN which is insecure.”

A) A recent update changed the Admin Token used to access the admin panel to make it more secure. You can follow the next steps to migrate over.

  1. Follow the section of the guide to create the Argon2 token, you can use the existing ‘password’ aka admin token for this as it will still be used for the actual admin login screen, Important: when you get to the part that asks you to add the additional $ into the token skip that and come back here.
  2. Stop the Project and then edit the yaml and completely remove the existing ADMIN_TOKEN variable.
  3. Start the container again and login to the admin panel with your usual admin password. Scroll down to the bottom of the General Settings section and paste your Argon2 hash into the Admin token/Argon2 PHC option and save the settings.
  4. Restart the project again, and you will now be using the new hash and can log in with your usual password

Looking for some help, join our Discord community

If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!

Buy me a beverage!

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.

Historic UpdatesDate
New guide Published29/12/2021
Updated with Admin Panel Options30/12/2021
Changed the port number from 8112 to 8122 so it doesn’t conflict with Deluge01/01/2021
Updated screenshots and steps for DSM7.1 17/06/2022
Added new port settings and Docker Bridge Network23/07/2022
Note added about not using gmail/google/ email for setup and a note about a app specific password for yahoo05/12/2022
Compose version number removed and small wording amendments09/04/2023
Amended the path to save the compose file – this is for security, so the container has no access to the file contents.14/04/2023
Update to Admin_Token to use Argon2 Hash24/04/2023
Historic Updates
Published inDockerOther Tools 7.1Synology

121 Comments

  1. Tyler Pittman Tyler Pittman

    Hi! Thanks for the guide. I struggled a bit getting the web server to redirect properly, but I should have realized it was I was following the instructions. In the container setup, you have the local port set up as 8122, and in the reverse proxy setup, the instructions say to use 5055. It needs to be the same port as the container local port.

    Also, I got SMTP working with Gmail – you need to create an “app password” for your Google account, and use that as the password for your Gmail address.

    https://support.google.com/accounts/answer/185833?hl=en

    • Dr_Frankenstein Dr_Frankenstein

      Nice one – I just recently swapped the previous proxy/VPN sections out for a generic set of instructions to use across the guides – I will make that bit more explicit to say use the port from the yaml

  2. shutter count check shutter count check

    Thanks for this guide! I was able to successfully install Vaultwarden on my Synology NAS. The instructions were clear and easy to follow, even for a Docker newbie like me. I’m now enjoying the peace of mind that comes with having a centralized password manager running on my NAS.

  3. Ben Ben

    Great Manual, in the last weeks it works fine.

    But now I got a problem.

    If I try to connect vaultwarden in my local wifi-network (bitwarden.xxxxxx.synology), I can’t reach the web vault. I get the message in the web browser ERR_CONNECTION_TIMED_OUT.
    The same if I use the Client on any device. I can’t save any items or add new items.
    Port 443 is open, DDNS is the same.

    BUT If I use a mobile connection over my phone (bitwarden.xxxxxx.synology) or the mobile Bitwarden app I can add and change items.

    What’s the problem in my local network? Any idea?

    • Dr_Frankenstein Dr_Frankenstein

      Hey, if you are struggling to connect internally have you set up or changed anything Firewall wise? Do you have any other DDNS addresses set up and are they working? Has anything changed Router wise as it could also relate to Hairpinning (Loopback) is there a setting on the Router in relation to this?

      • Ben Ben

        I have no other DDNS adresses.

        The only thing is that I want to rebuild my pi-hole on a raspberry. I delete the DNS configuration from my router, too. Everything works fine.

        Possible reason?

        • Dr_Frankenstein Dr_Frankenstein

          Is the DDNS address reporting as ‘Normal’ in Control Panel > External Access > DDNS

          Also check the IP address it lists matches with https://whatismyipaddress.com/ if not click Update and see if it lines up..

          Also, to try to rule out DNS issues, in Control Panel > Network set a ‘Manually Configure DNS Server’ and set them to 9.9.9.9 and 8.8.8.8 (This is Quad9 and Google)

          • Ben Ben

            – Control Panel > External Access > DDNS = “normal”
            – IP Adresses checked = all right
            – Control Panel > Network set a ‘Manually Configure DNS Server’ set, but nothing change (ERR_CONNECTION_TIMED_OUT)

        • Dr_Frankenstein Dr_Frankenstein

          Sorry I must have misread this the first time around, are you saying without the PiHole the address works fine internally

          If thats the case set a local DNS record in order to enable the loopback

          PiHole – admin – dns_records.php

          • Ben Ben

            WITH PI-Hole everythings works fine. PiHole was on a raspberrypi.

            I have to delete my raspberry (other reason) and now I don’t reinstall pi hole there.

            I delete the DNS configuration from my router.

    • Dr_Frankenstein Dr_Frankenstein

      Would you mind pinging me an email via my Help Me! Page it will be a bit easier than via the comments 🙂

      Essentially we just need to get your domain pointing at your WAN IP using a DDNS script / use the NAS to do that, and then set up a subdomain…

  4. JG JG

    I’ve followed your instructions and still cant get my container to work.

    I tried using your ports. But I’ve had to delete everything and restart again. Docker is now telling me that those ports are already in use when I go back to setup the container again. I’ve checked and those ports are not in my router settings or anywhere else. The only place I can see 3012 is on my certificate settings.

    Any idea whats going on here? Thanks

    • Dr_Frankenstein Dr_Frankenstein

      If Container Manager / Docker is saying the port is in use, first make sure the Container has actually gone from the list. If it has and still saying the port is in use try restarting the whole NAS to flush the ports. (This assumes nothing else is using it!)

      • jg jg

        So I managed to get internal access to the container, but because it is not secure traffic, the container won’t let me move forward. My setup is a little different in that I don’t use synology’s hosted system; Ive registered my own domain and everything.

        But I still cant get external access even using the external ports. Still troubleshooting.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!