JulianRunnels / Bitwarden_Self_Host

Licence: other
Automatically set up and host a Vaultwarden (unofficial Bitwarden) instance on a Raspberry Pi or other Linux server

Vaultwarden Self Host

📢 Note: This project was known as Bitwarden_Self_Host and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see #23 for more explanation.


For more details please read blog here

This project is aimed at creating a private Vaultwarden instance on your local LAN for devices on your personal network to access. The docker-compose file contains 3 containers: the unofficial Bitwarden Rust backend, an nginx reverse proxy for HTTPS, and a backup container. To facilitate the connection with Bitwarden's iOS apps via HTTPS, we are going to create our own private CA so that we can issue trusted certificates, since self-signed certs won't work with the native app.

PLEASE NOTE THAT THIS SETUP USES Vaultwarden, WHICH IS AN UNOFFICIAL COMMUNITY-CREATED BACKEND. IT IS REGULARLY UPDATED AND HAS SEVERAL ADVANTAGES, INCLUDING THE ABILITY TO RUN ON RASPBERRY PI, A MUCH LOWER OVERALL RESOURCE FOOTPRINT, AND FULL BITWARDEN FUNCTIONALITY, INCLUDING PREMIUM FEATURES.

To install

Note: to install on a Raspberry Pi, you will need to update the tags for the containers in docker-compose.yml with the values in the comments of that file.

  1. git clone https://github.com/JulianRunnels/Vaultwarden_Self_Host.git
  2. cd Vaultwarden_Self_Host
  3. chmod +x ./setup.sh

From here there are three different installation paths, depending on your existing setup and needs

  • No docker/docker-compose installed, want to create a full private CA and client certificate:
    • sudo ./setup.sh - This will install docker and docker-compose and has an option to guide you through creating the needed CA and certs
  • Docker/docker-compose installed, want to create a full private CA and client certificate:
    • sudo ./create_ssl.sh - This will just create the needed SSL certificates
  • Don't want to install docker or create certs, just spin up containers:
    • sudo docker-compose pull && sudo docker-compose up -d - This will just spin up the containers, you will need to supply your own cert in ./data/ssl/certs

Once you have all the setup done, you will need to download the personal CA created, which should be called myCA.crt and install it as a trusted root in each client you want to connect to the bitwarden instance. The good news is that once you install this CA, any further personal certs you make with the CA will be automatically trusted and validated, without having to load new certs in.

To download, I recommend just using scp or any other file transfer: scp myCA.crt user@external:~

To revoke and recreate SSL certificates when expired

  1. Identify the serial number of the certificate in use. You can view the certificate in the web server, or look at which file exists in /data/ssl/newcerts (the default is 1000).
  2. renew_cert.sh 1000 will automatically revoke and replace the existing bitwarden.crt certificate using the existing root CA. You will not need to add a new root CA to devices.
    • Each time the certificate is renewed, the serial number will increase by 1, so the 2nd time the command renew_cert.sh 1001 will need to be run instead.
  3. Restart the containers: sudo docker-compose down && sudo docker-compose up -d --build
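
A check to run before and after a renewal, as an added example that is not part of this repository: it reads the serial to pass to renew_cert.sh, confirms the certificate still chains to the private CA, and warns when expiry is near. The function names and the 30-day default are assumptions, and file paths are passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): checks for a certificate issued by the
# private CA. Function names and the 30-day threshold are assumptions.

# Print the serial as OpenSSL reports it. OpenSSL prints serials in
# hexadecimal, e.g. "1000".
cert_serial() {   # usage: cert_serial CERT_FILE
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Succeed only if the certificate verifies against the given CA file.
cert_chains_to() {   # usage: cert_chains_to CA_FILE CERT_FILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed if the certificate is still valid DAYS days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERT_FILE DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print a short report; return non-zero if any check fails.
check_vault_cert() {   # usage: check_vault_cert CA_FILE CERT_FILE [MIN_DAYS]
    local ca="$1" cert="$2" min_days="${3:-30}" rc=0
    echo "serial:  $(cert_serial "$cert")"
    echo "expires: $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
    if ! cert_chains_to "$ca" "$cert"; then
        echo "FAIL: $cert does not verify against $ca"
        rc=1
    fi
    if ! cert_valid_for_days "$cert" "$min_days"; then
        echo "WARN: expires within $min_days days, renew using the serial above"
        rc=1
    fi
    return "$rc"
}
```

For example, check_vault_cert myCA.crt bitwarden.crt 30 run from a directory holding copies of both files.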

Note for iOS installation

After you transfer the cert over to iOS, to have it work with native Bitwarden app, you will need to enable full trust. To do this:

  • Make sure the certificate is installed
  • Go to Settings -> General -> About -> Certificate Trust Settings or just search for Trusted Certificates
  • Click the switch next to the certificate you installed to switch it to full trust

Once you have the CA installed where you want it, spin up the containers:

  • sudo docker-compose pull && sudo docker-compose up -d

You should now be able to access your instance at https://hostname

Accessing outside of your personal LAN

While having an internal password vault is all good, being able to access accounts while outside the house is equally important.

For my access I have a Raspberry Pi running PiHole, Unbound, and more importantly PiVPN, which allows me to create a split tunnel VPN to send all local LAN requests and DNS requests back to my home network. This means that for things like my phone and external devices, as long as I have this VPN up, I can access my vault, just like normal.

A good guide to set up PiVPN is here: https://www.smarthomeblog.net/raspberry-pi-vpn/ Once you have PiVPN, or any OpenVPN-based solution, set up, you can enable a split tunnel, so that only DNS traffic and local traffic is sent back to your home network rather than routing everything through it:

  • sudo vim /etc/openvpn/server.conf
  • Add the following lines
    • push "route 192.168.1.0 255.255.255.0" (Change the 192 value to your personal private ip range)
  • Comment out #push "redirect-gateway def1"
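
A way to confirm the edit took effect, as an added example that is not part of this repository: it checks that the LAN route is pushed by an active directive and that redirect-gateway is only present as a comment. The function names are assumptions; the config path, network and netmask are passed as arguments.

```bash
#!/usr/bin/env bash
# Added example (not from the repo): audit an OpenVPN server config for the
# split-tunnel pushes described above. Function names are assumptions.

# Print only active directives: whitespace normalised, blank lines and
# comment lines dropped. OpenVPN treats lines starting with '#' or ';'
# as comments.
active_directives() {   # usage: active_directives CONF
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" \
        | grep -v -e '^[#;]' -e '^$' || true
}

# Return 0 when the LAN route is pushed and redirect-gateway is not.
audit_split_tunnel() {   # usage: audit_split_tunnel CONF NETWORK NETMASK
    local conf="$1" net="$2" mask="$3" rc=0 active
    active=$(active_directives "$conf")
    if printf '%s\n' "$active" | grep -q '^push "redirect-gateway'; then
        echo "FAIL: redirect-gateway is still pushed (full tunnel)"
        rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Fq "push \"route $net $mask\""; then
        echo "FAIL: no active push for route $net $mask"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: split tunnel for $net $mask"
    fi
    return "$rc"
}
```

For example, audit_split_tunnel /etc/openvpn/server.conf 192.168.1.0 255.255.255.0, then restart the OpenVPN service so that clients pick up the new pushes.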

Obviously this does put a little bit of a barrier in the way of using Bitwarden, but it is a small tradeoff to have full and complete control over your passwords and other important data. Of course, it's very easy to adapt this repo to create a fully publicly accessible instance, simply by adding port forwarding in your router, or running it in the cloud. Personally, I would stay away from both of those options, as they defeat the whole purpose of setting up this instance to have a private vault.

Backups

A backup file will be created at /opt/Bitwarden-Backup/backup.sqlite3 with root permissions. Personally I use rclone to sync a folder with OneDrive, then copy that backup into the OneDrive folder daily, but however you want to move that backup folder out works.
