Please note if you are using DSM7.2 or higher you should use the Container Manager version of this guide from the menu.
This guide has reached the end of its updates as most people are now on the latest DSM update - This guide is correct as of 08/12/2023 however no further updates will be added.
Update | Date |
---|---|
Adjusted the Reverse Proxy for WebSockets | 28/08/2023 |
What is Vaultwarden/Bitwarden?
Vaultwarden is a rewrite of the official Bitwarden server using the Rust language, it was created to reduce the need for the number of containers required for the official server.
It is compatible with all the official Bitwarden apps and Browser extensions. It is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.
Let’s Begin
This guide contains three parts:
- Part 1 — Setting up the container via the DSM GUI
- Part 2 — Setting up DDNS, Reverse Proxy and SSL
- Part 3 — Setting up the Bitwarden Clients
Before we start head over to the short guide below to set up a Bridge Network
Part 1 — Container Set up (DSM GUI)
Downloading the Vaultwarden Image
Open up Docker within DSM and navigate to the ‘Registry’ section and search for ‘vaultwarden’ in the search box and download the ‘vaultwarden/server’ version
The pop-up box will ask which version you want to download, make sure you choose ‘Latest’ from the list of available versions.
You can check the status of the download over on the ‘Image’ tab.
Setting up the container
In Docker click on the ‘Image’ tab, in the list of your containers select the ‘vaultwarden/server’ image and click on ‘Launch’
You will be greeted with the Network screen, we will be using the ‘synobridge’ network we created earlier select it from the list and click Next.
General Settings
Next you will be greeted with the General Settings screen, this is where you can start specifying some of your preferences.
You can change the name of the container to anything you like, and you may want to enable Auto Restart as this will ensure the container starts automatically if you reboot your NAS.
You will also notice a Configure capabilities button — don’t change anything in here!
Next up we are going to click on the ‘Advanced Settings’ button, this will take you to a new window with a number of tabs which we are going to work through.
Environment
We need to add two additional variables, the first disables any random person signing up for an account on your personal hosted version, the second enables the Admin panel which allows you to invite users.
Argon2 Hashing
As of version 1.28 of Vaultwarden it is recommended to create an Argon2 hashed admin token rather than using a plaintext one. We will be doing this via the Argon2 Hash Generator online if you wish to do this via SSH follow the instructions here.
Go to https://argon2.online/ and enter the following variables into the form and then press ‘Generate Hash’.
Option | Variable to Select or Enter |
---|---|
Plain Text Input | Enter either a long string of characters or a secure long ‘password’ aka token, you will use this to log in to your admin panel, so it needs to be secure, and you must remember it! |
Salt | Press the Cog it will generate a random string of characters |
Parallelism Factor | 4 |
Memory Cost | 65540 |
Iterations | 3 |
Hash Length | 64 |
Three Argon Versions | Select Argon2id |
As you can see above we have generated our hash.
We can now enter the amended hash into our Environment section.
Variable | Value |
---|---|
SIGNUPS_ALLOWED | FALSE |
ADMIN_TOKEN | Your hashed admin token from above |
Links / Execution Command
You do not need to set up anything on these tabs.
Press ‘Save’ to go back to the initial setup screen, then press ‘Next’
Port Settings
As Vaultwarden uses port 80 for its web interface by default we need to change this to ensure we don’t have any conflicts with DSM’s web functions.
You will see the Container Port section prefilled you must not change these ports. Change the ‘Local ports’ from ‘Auto’ to the values below.
Local Port | Container Port | Type |
---|---|---|
3012 | 3012 | TCP |
8122 | 80 | TCP |
Volume Settings
We will now be specifying the directories where Vaultwarden will store its configuration files and database.
Click on Add Folder, click on the ‘docker’ share and create a new sub-folder called ‘vaultwarden’ click on this folder and click ‘select’
In the Mount path section for this folder enter ‘/data’ it should now look like the screenshot below, click next.
Summary
You have now completed the setup of the container.
You will be shown an overall summary of the settings we have specified, this is a good time to double-check everything is correct. Finally, click on Done and the container should start to boot.
You should now be able to access the web interface via the IP of your NAS followed by the port 8122
e.g 192.168.0.40:8122
You will not be able to register an account yet, as you must have a valid SSL certificate in place.
Part 2 – DDNS, SSL and Reverse Proxy
Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/
In order to successfully use the reverse proxy you will also need to forward port 443 to you NAS IP. (You will need to check how to do this on your own router) This port will be used for secure web traffic.
DDNS
A DDNS address allows you to get external access to Vaultwarden and other services via a subdomain provided by Synology, this is useful on home internet connections where your ISP may change your IP address on a regular basis.
Note: If you want to access DSM via this new address you will either need to create an additional Reverse Proxy for it or open port 5001 on your router.
In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab
Click on ‘Add’, then fill out the following sections.
Section | Value |
---|---|
Service Provider | Synology |
Hostname | This can be anything it will be used to access your NAS externally |
Email: | Log into your Synology account |
External Address (IPv4) | This should be filled in automatically |
External Address (IPv6) | This should be filled in automatically if your ISP is using IPv6 |
Get a Cert from Let’s Encrypt | Tick this box |
Enable Heartbeat | Tick this box |
Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.
Reverse Proxy
So you don’t have to open up additional ports on your router for Vaultwarden we are going to set up a reverse proxy subdomain. This means you can access Vaultwarden without using a port number as it will route all traffic through the secure 443 port.
This can be used for any service on your NAS, it will see the address asked for and internally redirect the request to the port number specified.
Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.
We are now going to enter some rules, so when you access the URL specified you will automatically be sent to Vaultwarden web UI.
Use the settings below, you will need to amend the Hostname section in line with the hostname you registered earlier, and the IP of your NAS.
Setting | Value |
---|---|
Reverse Proxy Name: | bitwarden |
Protocol: | HTTPS |
Hostname: | bitwarden.xxx.synology.me (change the part after ‘bitwarden.’ to your own hostname you registered earlier. |
Port: | 443 |
Protocol: | HTTP |
Hostname: | Your NAS IP |
Port: | 8122 |
Next click on the ‘Custom Header’ tab and click Create ‘WebSocket’ and then press Save.
You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.
Setting up the Admin Settings
As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.
Go to bitwarden.yourhostname.me/admin
Enter the admin token which is the string of text or ‘password’ you used to create the Argon2 token (you don’t use the actual Argon2 string).
We need to change a few options to enable user sign up emails. (Please note that you will not be able to use Gmail SMTP in this step as they have disabled ‘unsecure’ 3rd party application login. Also, if you plan on using Yahoo you will need to set up an app specific password – as shown in this guide)
In General Settings. Amend the Domain URL to your own.
Next you will need to amend your own email settings in the SMTP Email Settings section.
This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.
The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.
You have now successfully set up Vaultwarden.
Part 3 — Setting Up the Bitwarden Clients.
Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.
It’s very easy to point these to your personal self-hosted version. In the main login screen click the ‘Logging in on:’ and select ‘Self-hosted’
In the pop-up screen enter your full address for the server e.g. https://vaultwarden.xyz.synology.me
You have now completed the guide.
FAQ
Q) I am receiving the notice “You are using a plain text ADMIN_TOKEN
which is insecure.”
A) A recent update changed the Admin Token used to access the admin panel to make it more secure. You can follow the next steps to migrate over.
- Follow the section of the guide to create the Argon2 token, you can use the existing ‘password’ aka admin token for this as it will still be used for the actual admin login screen, Important: when you get to the part that asks you to add the additional $ into the token skip that and come back here.
- Stop the Project and then edit the yaml and completely remove the existing
ADMIN_TOKEN
variable. - Start the container again and login to the admin panel with your usual admin password. Scroll down to the bottom of the General Settings section and paste your Argon2 hash into the
Admin token/Argon2 PHC
option and save the settings. - Restart the project again, and you will now be using the new hash and can log in with your usual password
Buy Me a Coffee or a Beer
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me get the odd beverage. Plus 10% goes to the devs of the apps I do guides for every year.
Historic Updates | Date |
---|---|
New guide Published | 29/12/2021 |
Updated with Admin Panel Options | 30/12/2021 |
Changed the port number from 8112 to 8122 so it doesn’t conflict with Deluge | 01/01/2021 |
Updated screenshots and steps for DSM7.1 | 17/06/2022 |
Added new port settings and Docker Bridge Network | 23/07/2022 |
Note added about not using gmail/google/ email for setup and a note about a app specific password for yahoo | 05/12/2022 |
Compose version number removed and small wording amendments | 09/04/2023 |
Amended the path to save the compose file – this is for security, so the container has no access to the file contents. | 14/04/2023 |
Update to Admin_Token to use Argon2 Hash | 24/04/2023 |
Hi, little question, how to upgrade vaultwarden after installation ? Mine is installed since few month and there is a new version of vaultwxarden available but I don’t know how to upgrade it without loosing all inside (password, accounts)
Hey, you can use a couple of methods, see the left hand menu of the site for a guide.
Thanks for the great tutorial ! that was my rescue, especially the part syno ddns and lets encrypt in connection. Excellent Gentleman !
I have made it all the way through setting up the reverse proxy. However when I attempt to navigate to bitwarden.(my hostname).synology.me, my web browser is redirecting me to the same URL but it includes port 5552, and I get ERR_CONNECTION_REFUSED on my browser window.
In my Control Panel, under the Login Portal and DSM tab, port 5552 is called out as being my HTTPS Web Service port.
Also, when I am logged into my Synology through https://(nas ip address):5552 my browser is warning my that the connection is not secure with a reason that my certificate is not valid.
I suspect this may all be related as to why I cannot navigate to the bitwarden url, but I have no clue where to go to fix this.
Small update, I read the Synology Knowledge center article about the https error and I ended up forwarding port 5552 and that resolved the issue.
However, now when I navigate to bitwarden.(my hostname).synology.me it is still re-routing me to port 5552 and it just logs me into DSM. What could I be missing here?
So you can close that port again, it is likely DSM is hijacking your HTTP request and forwarding you to the HTTPS port for DSM. First thing is to just make sure you use HTTPS:// in your URL when going to your Vaultwarden domain name and second disable this option in DSM to stop it overriding your Reverse Proxy settings.
https://fileshare.drfrankenstein.co.uk/images/firefox_HM2x4lwyki.png
Hi Dr_Frankenstein, thank you for the reply!
So I deleted my port forwarding rule for port 5552 and I couldn’t connect to my NAS using the my hostname. Only by entering my NAS’s IP address manually.
I re-enabled the forwarding rule and I was able to connect again with the .
I did go in and unchecked the automatically redirect, no change in behavior.
Check through the following:
Also worth checking 443 is being answered https://portchecker.co/check as it sounds like nothing is responding on the other end of the port.
Hi
How secure can be the synology Reverse Proxy? If we want to filter based on geo location of source IP, or even block brute force attack on the bitwarden instance?
So your question is quite timely as I am starting to play with Fail2Ban (literally in the last couple of hours!). To be honest I think that it is pretty unlikely that someone would bother trying to brute force the login as it could be almost any combination of email and password. I think it would be far more likely that someone would harness an exploit in the Web interface. – Also quick add on, make sure you also enable 2factor!
I am currently reviewing my Firewall Config to see what fits. My limited testing so far I have not even managed to block the IP of my VPN provider on one of their exit nodes… one for the weekend!
How can i set dns / reverse peixe to get https on LAN using VPN to connect to my synology ?
Hey, this is a pretty mixed question.
The reverse proxy in the guide allows you to use Vaultwarden with https inside your LAN just use the address you set up for the reverse proxy.
However, if you are looking to not use the reverse proxy and have https while you VPN into your LAN this is a completely different kettle of fish – it’s not something I even run on my home setup.
If you are looking for a good VPN solution for getting back into your LAN 100% recommend Tailscale.