Vaultwarden is a community-built, open-source server for Bitwarden that you can self-host. It can connect to all official Bitwarden apps and extensions, which means you don’t need to replace any of the Bitwarden apps and extensions you’ve already installed. You can just sign into them with your self-hosted instance of Vaultwarden.
Why you might want to self-host your Bitwarden
Data sovereignty and free perks
A premium Bitwarden subscription gives you the built-in 2FA authenticator feature. Normally, you’d manually copy 2FA codes from an app like Google or Microsoft Authenticator and paste them into the site you’re trying to log into. Bitwarden Premium lets you add those time-based one-time password (TOTP) codes alongside login entries. That way, when you autofill your username and password with Bitwarden, it also copies the secret TOTP code to your clipboard. If you find 2FA annoying, this is the most convenient way to set it up.
You’d have to give up your credit card information and pay $10 a year for this feature, but you can get it for free by self-hosting the backend.
Things like vault health reports, file attachments for Bitwarden Send and vault items, the admin panel (to add and manage multiple users), and support for hardware 2FA security keys also require a premium subscription. You can get all those features for free if you self-host. Self-hosting your vaults gives you total control over your data and metadata (when you log into Bitwarden and where). It’s more private.
Admittedly, this project isn’t for everyone. That said, if you enjoy tinkering or already have a homelab set up, a self-hosted Bitwarden vault will make an excellent addition.
Personally, I just like the idea of keeping my data local, as much as possible. It gives me some peace of mind. Plus, I really enjoy self-hosting stuff. I have built a tiny ecosystem consisting of a vault, notes, a time tracker, Spotify for my Kindle, a dashboard (with my work tasks, notifications, finances, bookmarks, and productivity stats) all on the same domain. I can access them anywhere with URLs that look like vault.mydomain.com or dashboard.mydomain.com.
The Bitwarden vaults are encrypted by default, so no one can read the contents inside them without your master password. However, you are responsible for backing up the vaults when self-hosting. You can set up an automatic backup system with a tool like rsync.
Everything you need
Three things you need to host a password manager
Vaultwarden is an open-source Rust-based implementation of the Bitwarden server backend. It’s incredibly popular (some 58k stars on the GitHub repo) and the community actively maintains it. It can run as a Docker container, so it’s easy to both run it and remove it.
In addition to Docker and Vaultwarden, you’ll need a server to host it. You can use your own hardware or get a VPS (some are free).
Pretty much any computer can be turned into a server. If you’re new to this, just use an old laptop if you have one lying around (it doesn’t even need to have a display or a working keyboard because you will be SSH-ing into it anyway). Install a Linux server OS on it. Ubuntu Server works fine for most people. If you don’t want a headless, command-line interface, you can install something pretty like umbrelOS or casaOS. And if the computer is a potato, you can install something featherweight like DietPi (it’s what I use for my potato server and I have no complaints).
By default, Docker will serve Vaultwarden over a local HTTP address. Bitwarden clients will refuse to connect to plain HTTP connections because they are not safe. You need a secure HTTPS server address to log in with your official Bitwarden apps and extensions. There are two ways you can do this:
- If you already own a domain (or subdomain) or if you can get one, you can use a tool called Caddy (which runs as a Docker container as well).
- If you don’t want to get a domain name, you can use Tailscale. Tailscale provides you with a free subdomain and HTTPS security to boot. The catch is that you need to keep Tailscale on when you need to sync vaults with your server. Tailscale is one of the standard ways people access their home servers outside the local network, and the one I’ll be demonstrating.
Setting up Tailscale
Vaultwarden requires HTTPS
You will need to install Tailscale on the server, as well as the devices on which you want to use Bitwarden. To install it on your server and bring it up, run these commands.
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
You should see a link that takes you to the Tailscale website where you can sign up for a new account and get a MagicDNS address. This address is where you’ll be able to access your Vaultwarden instance. Copy it or take note of it because we’ll need it in the next step.
Make sure MagicDNS and HTTPS Certificates are enabled on the Tailscale admin console.
Setting up Vaultwarden
Spinning up a Vaultwarden instance and serving it over Tailscale
Start by installing Docker on your server, if it’s not already set up. Then we create a new directory to keep Vaultwarden and a new Docker compose file.
mkdir ~/vaultwarden && cd ~/vaultwarden
Use nano or any other text editor of your choice to create the Docker compose file.
nano docker-compose.yaml
Paste this inside the Docker compose file. Replace the “DOMAIN” line with the domain Caddy or Tailscale is configured to use.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://yourservername.random-word.ts.net
      - SIGNUPS_ALLOWED=true
    volumes:
      - ./vw-data:/data
    ports:
      - "127.0.0.1:8080:80"
You can set SIGNUPS_ALLOWED to “false” once you’ve set up a Vaultwarden account.
Press Ctrl+O, then Enter to save and Ctrl+X to exit nano. Run this command to spin up the container.
docker compose up -d
You can verify that it’s running on port 8080 with this command.
docker ps
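To serve it over your Tailscale setup, run this. The container speaks plain HTTP on port 8080, so the backend URL uses http://; Tailscale terminates HTTPS in front of it.
sudo tailscale serve --bg http://localhost:8080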
You can verify that it’s working with this command.
tailscale serve status
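The compose settings above decide how exposed the server is: the port is bound to 127.0.0.1 so the plain-HTTP listener is reachable only through tailscale serve, and SIGNUPS_ALLOWED should be false once your account exists. The shell check below is an added example, not part of the original guide or of Vaultwarden; the function name audit_compose and its messages are made up here, and it only understands the short list syntax used in the compose file above.

```shell
#!/bin/sh
# audit_compose FILE: check a Vaultwarden compose file against this guide's setup.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# Hypothetical helper: handles only the short list syntax shown in the guide
# (- KEY=value and - "ip:hostport:containerport").
audit_compose() {
    file=$1
    rc=0
    item='^[[:space:]]*-[[:space:]]*'   # start of a YAML list item

    # Bitwarden clients refuse plain HTTP, so DOMAIN has to be an https:// URL.
    if ! grep -Eq "${item}\"?DOMAIN=https://" "$file"; then
        echo "DOMAIN is missing or not an https:// URL"
        rc=1
    fi

    # Registration should be closed once your own account exists.
    if ! grep -Eq "${item}\"?SIGNUPS_ALLOWED=false\"?[[:space:]]*\$" "$file"; then
        echo "SIGNUPS_ALLOWED is not set to false"
        rc=1
    fi

    # A list item made only of digits, dots and colons is a port mapping.
    # Anything not pinned to 127.0.0.1 publishes the container's plain-HTTP
    # port on every interface, bypassing the tailscale serve HTTPS front end.
    exposed=$(grep -E "${item}\"?[0-9.:]+\"?[[:space:]]*\$" "$file" |
        grep -Ev "${item}\"?127\\.0\\.0\\.1:" || true)
    if [ -n "$exposed" ]; then
        echo "$exposed" | sed 's/^[[:space:]]*-[[:space:]]*/port published beyond loopback: /'
        rc=1
    fi

    return "$rc"
}

# Usage: sh audit.sh ~/vaultwarden/docker-compose.yaml
if [ "$#" -gt 0 ]; then
    audit_compose "$1"
fi
```

Run against the compose file exactly as pasted above, it reports only the open signups; after you change that line to false and run docker compose up -d again, it prints nothing and exits 0.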
Connecting your devices to the new Vaultwarden server
Official Bitwarden clients and extensions are compatible with Vaultwarden
Since we can only access Vaultwarden through the secure Tailscale address, we need to enable Tailscale on our devices as well. You can install the mobile app on your phone and the desktop clients on PC. On Windows and macOS, you can download the dedicated installers from the Tailscale website. On Linux machines, you can install it with the same command and run it in the background.
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
Log in with the same account you already used and connect to the same Tailscale network. Once you’re connected to Tailscale, you can access the new Vaultwarden server.
Try opening the MagicDNS address that Tailscale assigned you in your browser. It’ll probably be something random like this.
https://dietpi.orange-bottle.ts.net
If the Vaultwarden web portal opens, congratulations, your server is active and accessible over HTTPS. Create a new account for yourself. You can use any random, made-up email here, by the way. Set your master password here.
If it returns an error, make sure you are, in fact, connected to Tailscale and the Docker container is running.
Now let’s connect our Bitwarden apps and extensions to our personal Vaultwarden server instead of the official Bitwarden servers. You’ll see an “Accessing” button at the bottom of the login page where it lets you pick between Bitwarden’s servers or self-hosted servers. Select “Self-hosted.”
Selecting “self-hosted” should open this settings page. You just need to enter the Tailscale HTTPS address in the Server URL section. It’s the same Tailnet URL you used to log into the Vaultwarden web portal. Then hit “Save.” The login email and master password are the same ones you already set on the Vaultwarden portal.
You don’t need to be constantly connected to the Tailscale network in order to access your vaults because the apps and extensions keep a local cache of your encrypted vault. However, it won’t sync unless you are connected to your private Tailscale network via the Tailscale app.
Your vaults stay on your device
You now have a self-hosted version of Bitwarden that gives you free access to all the premium Bitwarden features. Plus, your sensitive vault data never leaves your private network.
