Skip to content

Vaultwarden (Bitwarden) in Container Manager on a Synology NAS

Last updated on 4 February 2024

Important or Recent Updates
Historic UpdatesDate
New Guide for Container Manager20/05/2023
Edited Argon2 / Admin Token Section as $$ in the hash are not required via the Container Manager UI22/05/2023
Adjusted the Reverse Proxy for WebSockets28/08/2023
Migrated the guide from the Container Manager UI to Projects as provides much easier updates as well as the added ability to use more docker compose variables such as the security amends.
Added additional security option to the compose to restrict the container from gaining new privileges, including the container running using our restricted docker user.
25/10/2023
Updated formatting of guide in line with the recent updates across the site
Fixed a regression in the guide in relation to the Argon2 hash (my apologies) and added the creation of the log folder as it is required.
04/11/2023
Removed port 3012 as no longer required for WebSocket notifications 04/02/2024
Historic Updates


What is Vaultwarden/Bitwarden?

Vaultwarden is a rewrite of the official Bitwarden server using the Rust language, it was created to reduce the need for the number of containers required for the official server.

It is compatible with all the official Bitwarden apps and Browser extensions. It is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.

Let’s Begin

This guide contains three parts:

  • Part 1 — Setting up the container
  • Part 2 — Setting up DDNS, Reverse Proxy and SSL
  • Part 3 — Setting up the Bitwarden Clients

Before we start head over to the short guides below to set up a restricted Docker user and Bridge Network.

Part 1 — Container Set up

Folder Setup

Let’s start by getting some folders set up for the containers to use. Open up File Station create the following.

Folders
/docker/projects/vaultwarden-compose
/docker/vaultwarden
/docker/vaultwarden/log

Container Manager

Next we are going to set up a ‘Project’ in Container Manager. Open up Container Manager and click on Project then on the right-hand side click ‘Create’.

In the next screen we will set up our General Settings.

SectionSetting
Project Name:vaultwarden
Path:/docker/projects/vaultwarden-compose
Source:Create docker-compose.yml

Next we are going to drop in our docker compose configuration, copy all the code in the box below and paste it into line ‘1’ just like the screenshot.

YAML
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    user: UID:GID #AMEND AS PER GUIDE
    environment:
      ROCKET_ENV: staging
      ROCKET_PORT: 8080
      ROCKET_WORKERS: 10
      SIGNUPS_ALLOWED: FALSE
      ADMIN_TOKEN: #YOUR ARGON ADMIN TOKEN
      LOG_FILE: /data/log/my.log
    volumes:
      - /volume1/docker/vaultwarden:/data
    ports:
      - 8122:8080/tcp
    network_mode: synobridge
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped

Making some amendments

We need to make some amendments to the compose information above to secure our instance.

VariableValue
user: UID:GID
(line 5)
This line controls the user the container runs as we want to ensure it uses the dockerlimited user and group, amend the UID and GID to the ones you noted in the earlier set up guide.
ADMIN_TOKEN:
Line 11
As of version 1.28 of Vaultwarden it is recommended to create an Argon2 hashed admin token rather than using a plaintext one. We will be doing this via the Argon2 Hash Generator online if you wish to do this via SSH follow the instructions here.

Go to https://argon2.online/ and enter the variables in the table below into the form and then press ‘Generate Hash’.

OptionVariable to Select or Enter
Plain Text InputEnter either a long string of characters or a secure long ‘password’ you will use this to log in to your admin panel, so it needs to be secure, and you must remember it!
SaltPress the Cog it will generate a random string of characters
Parallelism Factor4
Memory Cost65540
Iterations3
Hash Length64
Three Argon VersionsSelect Argon2id

As you can see above we have generated our hash, however we need to make an adjustment to it otherwise it will not be valid for the compose.

If you see below the hash contains 5 occurrences of $ we need to escape these out by doubling them to $$

Example
Original
ADMIN_TOKEN: $argon2id$v=19$m=65540,t=3,p=4$QjdsUHBuUjVUd211RXJSRg$+z7E2XQ7GzBaIlvdvV/eC7GiWVgAVkwWDEkdtQNLmSl+BPsA/TUnxSNhb6bPZPY0vQM0wVGO9oiqz9VfT3EdKQ

Updated
ADMIN_TOKEN: $$argon2id$$v=19$$m=65540,t=3,p=4$$QjdsUHBuUjVUd211RXJSRg$$+z7E2XQ7GzBaIlvdvV/eC7GiWVgAVkwWDEkdtQNLmSl+BPsA/TUnxSNhb6bPZPY0vQM0wVGO9oiqz9VfT3EdKQ

Once you have made the edits and added into the correct line in the yaml you can click ‘Next’

You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again.

On the final screen click ‘Done’ which will begin the download of the container images and once downloaded they will be launched!

You should now be able to access the web interface via the IP of your NAS followed by the port 8122

e.g. 192.168.0.30:8122

Successful start up

You will not be able to register an account yet, as you must have a valid SSL certificate in place.

Firewall Exceptions

(Skip if you don’t have the Firewall configured)

If you have enabled and configured the Synology Firewall you will need to create exceptions for any containers that have a Web UI or have any incoming or outgoing connections. This section covers the basics of how to add these. (Please note this is a generic section and will not show the specific ports used in this guide however it applies in the same way)

Also, I would like to refer people to the great guide on getting the Firewall correctly configured over on WunderTechs site.

Head into the Control Panel> Security > Firewall, from here click Edit Rules for the profile you set up when you enabled the Firewall.

Next click on Create and you will see the screen below. Source IP and Action will be automatically selected to All and Allow, I will leave it up to you as to your own preference on whether you want to lock down specific Source IPs from having access. In this example we will leave as All.

You will now choose ‘Custom‘ and then the Custom button

Now select Destination from the drop-down menu, most web based containers require TCP access but check the guide as it will show the port and protocol. Then add comma separated ports. Then press OK.

Click OK a couple of times to get back to the main screen. You will see by default the new rule is added to the bottom of the list. You must always have your Block All rule last in the list as the rules are applied top down so move your container up.

You have now completed the Firewall changes and can continue with the guide.

Part 2 – DDNS, SSL and Reverse Proxy

Before we start, make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/

In order to successfully use the reverse proxy you will also need to forward port 443 to you NAS IP. (You will need to check how to do this on your own router) This port will be used for secure web traffic.

DDNS

A DDNS address allows you to get external access to Vaultwarden and other services via a subdomain provided by Synology, this is useful on home internet connections where your ISP may change your IP address on a regular basis.

Note: If you want to access DSM via this new address you will either need to create an additional Reverse Proxy for it or open port 5001 on your router.

In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab

Click on ‘Add’, then fill out the following sections.

SectionValue
Service ProviderSynology
HostnameThis can be anything it will be used to access your NAS externally
Email:Log into your Synology account
External Address (IPv4)This should be filled in automatically
External Address (IPv6)This should be filled in automatically if your ISP is using IPv6
Get a Cert from Let’s EncryptTick this box
Enable HeartbeatTick this box

Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.

Reverse Proxy

So you don’t have to open up additional ports on your router for Vaultwarden we are going to set up a reverse proxy subdomain. This means you can access Vaultwarden without using a port number as it will route all traffic through the secure 443 port.

This can be used for any service on your NAS, it will see the address asked for and internally redirect the request to the port number specified.

Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.

We are now going to enter some rules, so when you access the URL specified you will automatically be sent to Vaultwarden web UI.

Use the settings below, you will need to amend the Hostname section in line with the hostname you registered earlier, and the IP of your NAS.

SettingValue
Reverse Proxy Name:bitwarden
Protocol:HTTPS
Hostname:bitwarden.xxx.synology.me (change the part after ‘bitwarden.’ to your own hostname you registered earlier.
Port:443
Protocol:HTTP
Hostname:Your NAS IP or localhost
Port:8122

Next click on the ‘Custom Header’ tab and click Create ‘WebSocket’ and then press Save.

You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.

SSL Working

Setting up the Admin Settings

As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.

Go to bitwarden.yourhostname.me/admin

Enter the admin token which is the string of text or ‘password’ you used to create the Argon2 token (you don’t use the actual Argon2 string).

Admin Token

We need to change a few options to enable user sign up emails. (Please note that you will not be able to use Gmail SMTP in this step as they have disabled ‘unsecure’ 3rd party application login. Also, if you plan on using Yahoo you will need to set up an app specific password – as shown in this guide)

In General Settings. Amend the Domain URL to your own.

Domain URL

Next you will need to amend your own email settings in the SMTP Email Settings section.

This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.

The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.

Users settings screen

You have now successfully set up Vaultwarden.

Part 3 — Setting Up the Bitwarden Clients.

Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.

It’s very easy to point these to your personal self-hosted version. In the main login screen click the ‘Logging in on:’ and select ‘Self-hosted’

In the pop-up screen enter your full address for the server e.g. https://vaultwarden.xyz.synology.me

You have now completed the guide.

FAQ

Q) I am receiving the notice “You are using a plain text ADMIN_TOKEN which is insecure.”

A) A recent update changed the Admin Token used to access the admin panel to make it more secure. You can follow the next steps to migrate over.

  1. Follow the section of the guide to create the Argon2 token, you can use the existing ‘password’ aka admin token for this as it will still be used for the actual admin login screen, Important: when you get to the part that asks you to add the additional $ into the token skip that and come back here.
  2. Stop the Project and then edit the yaml and completely remove the existing ADMIN_TOKEN variable.
  3. Start the container again and login to the admin panel with your usual admin password. Scroll down to the bottom of the General Settings section and paste your Argon2 hash into the Admin token/Argon2 PHC option and save the settings.
  4. Restart the project again, and you will now be using the new hash and can log in with your usual password


Buy Me a Coffee or a Beer

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me get the odd beverage. Plus 10% goes to the devs of the apps I do guides for every year.

Published inDockerOther Tools 7.2Synology

16 Comments

  1. Phillip Deackes Phillip Deackes

    Just received an email from Daniel Garcia about the latest version of Vaultwarden. He says:

    “The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don’t require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It’s recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won’t receive new features and will be removed in the next release.”

    He goes on to recommend an implementation using Caddy. Does your tutorial take account of these changes?

  2. Wolfgang Wolfgang

    Hey Doc, please allow me one addition to your guide. Maybe others didn’t have the problem, but for me it were some interesting 5 minutes, till I figured it out. I had an existing vaultwarden container which showed me the Admin_Token message you mentioned. With an existing installation, you must not add the double $ signs when doing FAQ step4! It has to be the original hash, otherwise it will be regarded as another non valid plain text value and u cant login with the correct password! I did have to login with the complete modified hash with the escaped $ signs and the add the original version.
    That is all. Please enjoy the coffees. Everyone of them is earned ….

    • Dr_Frankenstein Dr_Frankenstein

      Hey double thanks in that case! I will get that step amended! – Thanks again for the coffee!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!