Last updated on 1 January 2025
Important or Recent Updates
Historic Updates | Date |
---|---|
New Guide for Container Manager | 20/05/2023 |
Edited Argon2 / Admin Token Section as $$ in the hash are not required via the Container Manager UI | 22/05/2023 |
Adjusted the Reverse Proxy for WebSockets | 28/08/2023 |
Migrated the guide from the Container Manager UI to Projects as provides much easier updates as well as the added ability to use more docker compose variables such as the security amends. Added additional security option to the compose to restrict the container from gaining new privileges, including the container running using our restricted docker user. | 25/10/2023 |
Updated formatting of guide in line with the recent updates across the site Fixed a regression in the guide in relation to the Argon2 hash (my apologies) and added the creation of the log folder as it is required. | 04/11/2023 |
Removed port 3012 as no longer required for WebSocket notifications | 04/02/2024 |
What is Vaultwarden/Bitwarden?
Vaultwarden is a rewrite of the official Bitwarden server using the Rust language, it was created to reduce the need for the number of containers required for the official server.
It is compatible with all the official Bitwarden apps and Browser extensions. It is a great way to self-host a password manager it gives you complete control over your passwords and allows you to have automatic syncing across web, desktop and mobile apps.
Let’s Begin
This guide contains three parts:
- Part 1 — Setting up the container
- Part 2 — Setting up DDNS, Reverse Proxy and SSL
- Part 3 — Setting up the Bitwarden Clients
Before we start head over to the short guides below to set up a restricted Docker user and Bridge Network.
Part 1 — Container Set up
Folder Setup
Let’s start by getting some folders set up for the containers to use. Open up File Station create the following.
/docker/projects/vaultwarden-compose
/docker/vaultwarden
/docker/vaultwarden/log
Container Manager
Next we are going to set up a ‘Project’ in Container Manager. Open up Container Manager and click on Project then on the right-hand side click ‘Create’.
In the next screen we will set up our General Settings.
Section | Setting |
---|---|
Project Name: | vaultwarden |
Path: | /docker/projects/vaultwarden-compose |
Source: | Create docker-compose.yml |
Next we are going to drop in our docker compose configuration, copy all the code in the box below and paste it into line ‘1’ just like the screenshot.
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
user: UID:GID #AMEND AS PER GUIDE
environment:
ROCKET_ENV: staging
ROCKET_PORT: 8080
ROCKET_WORKERS: 10
SIGNUPS_ALLOWED: FALSE
ADMIN_TOKEN: #YOUR ARGON ADMIN TOKEN
LOG_FILE: /data/log/my.log
volumes:
- /volume1/docker/vaultwarden:/data
ports:
- 8122:8080/tcp
network_mode: synobridge
security_opt:
- no-new-privileges:true
restart: unless-stopped
Making some amendments
We need to make some amendments to the compose information above to secure our instance.
Variable | Value |
---|---|
user: UID:GID (line 5) | This line controls the user the container runs as we want to ensure it uses the dockerlimited user and group, amend the UID and GID to the ones you noted in the earlier set up guide. |
ADMIN_TOKEN: Line 11 | As of version 1.28 of Vaultwarden it is recommended to create an Argon2 hashed admin token rather than using a plaintext one. We will be doing this via the Argon2 Hash Generator online if you wish to do this via SSH follow the instructions here. Go to https://argon2.online/ and enter the variables in the table below into the form and then press ‘Generate Hash’. |
Option | Variable to Select or Enter |
---|---|
Plain Text Input | Enter either a long string of characters or a secure long ‘password’ you will use this to log in to your admin panel, so it needs to be secure, and you must remember it! |
Salt | Press the Cog it will generate a random string of characters |
Parallelism Factor | 4 |
Memory Cost | 65540 |
Iterations | 3 |
Hash Length | 64 |
Three Argon Versions | Select Argon2id |
As you can see above we have generated our hash, however we need to make an adjustment to it otherwise it will not be valid for the compose.
If you see below the hash contains 5 occurrences of $ we need to escape these out by doubling them to $$
Original
ADMIN_TOKEN: $argon2id$v=19$m=65540,t=3,p=4$QjdsUHBuUjVUd211RXJSRg$+z7E2XQ7GzBaIlvdvV/eC7GiWVgAVkwWDEkdtQNLmSl+BPsA/TUnxSNhb6bPZPY0vQM0wVGO9oiqz9VfT3EdKQ
Updated
ADMIN_TOKEN: $$argon2id$$v=19$$m=65540,t=3,p=4$$QjdsUHBuUjVUd211RXJSRg$$+z7E2XQ7GzBaIlvdvV/eC7GiWVgAVkwWDEkdtQNLmSl+BPsA/TUnxSNhb6bPZPY0vQM0wVGO9oiqz9VfT3EdKQ
Once you have made the edits and added into the correct line in the yaml you can click ‘Next’
You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again.
On the final screen click ‘Done’ which will begin the download of the container images and once downloaded they will be launched!
You should now be able to access the web interface via the IP of your NAS followed by the port 8122
e.g. 192.168.0.30:8122
You will not be able to register an account yet, as you must have a valid SSL certificate in place.
Firewall Exceptions
(Skip if you don’t have the Firewall configured)
If you have the Synology Firewall enabled please see this additional guide for further info on exceptions and correct set up.
External Access
You have some choices when it comes to making your new container accessible from outside your home network, these come with different levels of security and convenience. This mini section is generic but covers the basics of getting this guide up and running and is entirely optional.
- Synology’s DDNS (Dynamic Domain Name System) with a TLS Certificate and Reverse Proxy
This is useful if you have some family members or friends that need access to something like Overseerr or Jellyseer and is covered below. - Tailscale or Wireguard VPN
If just you are accessing these services, and you don’t want to expose them to the internet this would be the more secure choice. See my other separate guides. - Cloudflare Tunnels
I don’t currently use these, so I would recommend watching the Wundertech guide on how they work.
A note on Double NAT or CGNAT
Unfortunately more ISPs are moving to these methods of address allocation as the IPv4 address space is getting low on available addresses. If your ISP is doing this your choices are more limited.
You can test if this is the case by checking the WAN IP on your Router/Modem settings and then comparing it to the one shown on portchecker.co. If they are different you are likely Double NAT and will either need to see if you can pay your ISP for a standard IPv4 address or use Tailscale or Cloudflare Tunnels for access.
Using the built-in tools on DSM
The first step of this process is to forward port 443 on your Router to your NAS IP Address, how you do this will depend on your router model, so please refer to its manual.
Router (External):443 > NASIP (Internal):443
Next make sure you have registered for a Synology Account as we are going to be using their DDNS service. https://account.synology.com/en-uk/register/ If you already have this set up move to the next step.
DDNS (Dynamic Domain Name System)
A DDNS address allows you to get external access to your container via an address provided by Synology, this is useful on home internet connections where your ISP will change your IP address on a semi-regular basis.
In the DSM Control panel go to ‘External Access’ and then to the ‘DDNS’ tab
Click on ‘Add’, then fill out the following sections.
Section | Value |
---|---|
Service Provider | Synology |
Hostname | This will be the unique address just for you so keep the name generic. minecraft.synology.me = BAD myawesomenas.synology,me =GOOD |
Email: | Log into your Synology account |
External Address (IPv4) | This should be filled in automatically |
External Address (IPv6) | This should be filled in automatically if your ISP is using IPv6 |
Get a Cert from Let’s Encrypt | Tick this box |
Enable Heartbeat | Tick this box |
Now press OK, DSM will apply your settings. It can take a few moments to set up and the DSM interface will refresh. You will likely receive a certificate error which you will need to accept to get back into DSM.
Reverse Proxy
We are going to set up a reverse proxy subdomain for the address you just register. This means you and your users can access the container without using a port number as it will route all traffic through the secure 443 port.
Go back into the Control Panel and access the ‘Login Portal’ then in the ‘Advanced’ tab click ‘Reverse Proxy’ and then click on ‘Create’.
We are now going to enter some rules, so when you or your users access the URL specified the request will automatically be sent to the containers web UI.
Use the settings below, you will need to amend the Hostname sections in line with the hostname you registered earlier, and the IP of your NAS.
Setting | Value |
---|---|
Reverse Proxy Name: | Give it a meaningful name in line with the container you are setting up. |
Protocol: | HTTPS |
Hostname: | containername.xxx.synology.me ‘containername‘ will be the name you want to use to access this container ‘.xxx.synology.me‘ will be the exact name you registered earlier |
Port: | 443 |
Protocol: | HTTP |
Hostname: | ‘localhost’ or your NAS IP address |
Port: | The UI Port Number from the yaml in the guide you are following |
On the second tab ‘Custom Header’ click on Create then WebSocket, this will add two entries for WebSockets to function correctly, you can now press save.
You should now be able to access the web UI of the container by going to the address you just set up in the reverse proxy, it will be a secure connection, and you should have no certificate errors.
You should now be able to access the Bitwarden (Vaultwarden) web UI by going to https://bitwarden.yourhostname it will be a secure connection, and you should have no SSL errors.
Setting up the Admin Settings
As we disabled sign-ups via the main log in screen you will need to invite yourself and any other users from the admin panel.
Go to bitwarden.yourhostname.me/admin
Enter the admin token which is the string of text or ‘password’ you used to create the Argon2 token (you don’t use the actual Argon2 string).
We need to change a few options to enable user sign up emails. (Please note that you will not be able to use Gmail SMTP in this step as they have disabled ‘unsecure’ 3rd party application login. Also, if you plan on using Yahoo you will need to set up an app specific password – as shown in this guide)
In General Settings. Amend the Domain URL to your own.
Next you will need to amend your own email settings in the SMTP Email Settings section.
This will need to be in line with your email provider, once you have entered the details click Save at the bottom of the screen, you can then send a test email to yourself to ensure its working.
The final step will be to send yourself an invitation email via the Users’ panel at the top of the page. This allows you to create an account by clicking the link in the email.
You have now successfully set up Vaultwarden.
Part 3 — Setting Up the Bitwarden Clients.
Now you have set up Vaultwarden you can use the various Mobile, Desktop or Browser Add-ons.
It’s very easy to point these to your personal self-hosted version. In the main login screen click the ‘Logging in on:’ and select ‘Self-hosted’
In the pop-up screen enter your full address for the server e.g. https://vaultwarden.xyz.synology.me
You have now completed the guide.
FAQ
Q) I am receiving the notice “You are using a plain text ADMIN_TOKEN
which is insecure.”
A) A recent update changed the Admin Token used to access the admin panel to make it more secure. You can follow the next steps to migrate over.
- Follow the section of the guide to create the Argon2 token, you can use the existing ‘password’ aka admin token for this as it will still be used for the actual admin login screen, Important: when you get to the part that asks you to add the additional $ into the token skip that and come back here.
- Stop the Project and then edit the yaml and completely remove the existing
ADMIN_TOKEN
variable. - Start the container again and login to the admin panel with your usual admin password. Scroll down to the bottom of the General Settings section and paste your Argon2 hash into the
Admin token/Argon2 PHC
option and save the settings. - Restart the project again, and you will now be using the new hash and can log in with your usual password
How do I use GMAIL for SMTP?
Thanks to Dirtchamber Sessions for these steps
https://myaccount.google.com/apppasswords
You need to turn on 2FA in your Google account. At the bottom of the 2FA settings there is a section for App Password, create one and use that in the settings for your email password instead of your normal Gmail password.
Here are the settings that worked for me:
- Host: smtp.gmail.com
- Secure SMTP: starttls
- Port: 587
- From Address: username@gmail.com
- Username: username@gmail.com
- Password: your generated App Password from 2FA section of Google account
- SMTP Auth mechanism: Plain
- SMTP connection timeout: 15
Looking for some help, join our Discord community
If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!
Buy me a beverage!
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.
Hi Dr. Frankenstein,
Just wanted to let you know there is a way to use gmail for SMTP.
You need to turn on 2FA in your google account and at the bottom of the 2FA settings there is a section for App Password, create one and use that in the settings for your email password instead of your normal gmail password.
Here are the settings that worked for me:
Host: smtp.gmail.com
Secure SMTP: starttls
Port: 587
From Address: username@gmail.com
Username: username@gmail.com
Password: your generated App Password from 2FA section of Google account
SMTP Auth mechanism: Plain
SMTP connection timeout: 15
I hope this helps other people using your guide.
Thanks again for the guides!
Thanks for the update! I will put this in the FAQ!
Hi following up on this, for whatever reason I cannot access the App passwords section in the way Google’s instructions tell me to find it (i.e. Clicking on 2FA, finding it in a submenu…)
With that said, a search informed me that if you go directly to the app passwords link, I found it that way instead.
https://myaccount.google.com/apppasswords
I found this working on a different issue and figured I would share if anyone else runs into the same.
Thanks! I will add this to the FAQ section
can someone please share the SMPT email settings over gmail?
i get SMTP 5xx error: permanent error (534): 5.7.9 Application specific
Host smtp.gmail.com
Secure SMTP starttls
Port 587
From Address ********@gmail.com
From Name vaultwarden
Username *********@gmail.com
Password *******************
SMTP Auth mechanism ?
SMTP connection timeout 15
thanks
Hey, you unfortunately can’t use Gmail as an SMTP client that stopped allowing it some time back. You will have to use a different provider that allows SMTP access.
I’m not sure what I’m doing wrong but I can’t save any new password or log back into my vault when I’m not on the local network. If I’m already logged in then I can access what I’m assuming is the cached vault on my devices, but as soon as I try to save something new it just sits there with the wheel spinning “saving” until it times out. I’m assuming there is something wrong with the reverse proxy, but can’t figure out what it could be as I configured it the same way as other containers that are working properly.
Hey Chris
It sounds like the Proxy is not working in that case – can you try to access the web login (not via the app) when you are off LAN and see what if any error message you receive.
Just received an email from Daniel Garcia about the latest version of Vaultwarden. He says:
“The WebSockets service for live sync has been integrated in the main HTTP server, which means simpler proxy setups that don’t require a separate rule to redirect WS traffic to port 3012. Please check the updated examples in the wiki. It’s recommended to migrate to this new setup as using the old server on port 3012 is deprecated, won’t receive new features and will be removed in the next release.”
He goes on to recommend an implementation using Caddy. Does your tutorial take account of these changes?
Well this is good news one less port to expose. I missed that note in 1.29 and will get the guide updated immediately! From looking at the documentation the existing proxy set up should still work fine especially that the http server is doing the work now. DSM is using nginx under the hood.
https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
Thank you for your hard work in writing another tutorial to address these changes. I now have it set up and working. The only thing which didn’t work for me was setting up and using the ‘synobridge’ network. It accepted it when I added it, but wouldn’t use it in the docker-compose file. I reverted to ‘bridge’ and it’s fine. Not sure why that happened.
You may have missed the initial step setting up the synobridge, however if it is working on the standard bridge you are fine 🙂
Hey Doc, please allow me one addition to your guide. Maybe others didn’t have the problem, but for me it were some interesting 5 minutes, till I figured it out. I had an existing vaultwarden container which showed me the Admin_Token message you mentioned. With an existing installation, you must not add the double $ signs when doing FAQ step4! It has to be the original hash, otherwise it will be regarded as another non valid plain text value and u cant login with the correct password! I did have to login with the complete modified hash with the escaped $ signs and the add the original version.
That is all. Please enjoy the coffees. Everyone of them is earned ….
Hey double thanks in that case! I will get that step amended! – Thanks again for the coffee!