How to Self-host the Password Manager Bitwarden on a Synology NAS!

Today we are going to look at how to self-host Bitwarden on a Synology NAS!

Bitwarden is a password manager that can be self-hosted if desired. The benefit of self-hosting is that you are in control of your data and don’t need to rely on a third party to manage it. This doesn’t necessarily mean that there is an inherent security risk with using Bitwarden’s hosting. We are just looking at an alternate option!

1. Self-host Bitwarden on Synology NAS Instructions

1. Download and install Docker from the Synology Package Center.

2. Before we get started, we need a directory where Bitwarden can add all of its files. Open “File Station”, navigate to the “docker” folder and create a subfolder named “bitwarden”.

5/3/21 Update: The bitwardenrs image has been deprecated and renamed to vaultwarden. For this reason, you will have to use that image name (as opposed to what the screenshots are showing).

3. Open Docker and install the vaultwarden/server:latest image from the Docker Registry.

4. After the image is downloaded, go to “Image” and double-click the vaultwarden/server:latest item to launch the configuration tool.

5. Select “Advanced Settings”.

6. Select “Enable auto-restart” under the “Advanced Settings”. NOTE: This setting will allow the container to restart after an improper shutdown.

7. Under “Volume”, select “Add Folder” and add the bitwarden folder we created in step two (path should be docker/bitwarden). For the “Mount Path”, enter “/data”.

8. Under the “Port Settings”, change the local port from “Auto” to “5555” for the Container Port “80”. When done, select “Apply”. NOTE: This is just the port that you’d like to use. You don’t need to use port 5555, but you need to ensure you use a port that’s not currently being used.

9. Now that the “Advanced Settings” are complete, select “Next” and then “Apply” to create the container. The Bitwarden setup is now complete. We will now need to create a reverse proxy, certificate, and configure our firewall.

2. Reverse Proxy Setup Instructions

At this stage, you need to determine if you will be using a domain name. I will not be using a purchased domain name, but I will be using a free DuckDNS DDNS hostname. If you’d like to configure this, please check out our tutorial on how to configure this.

1. After you have your domain name configured, open the Synology “Control Panel”, select “Application Portal” and then “Reverse Proxy”.

2. Select “Create” to create a reverse proxy. At this stage, we will need to configure a few settings:

  • Description: bitwarden
  • Source:
    • Protocol: HTTPS
    • Hostname: This is where you will enter your domain name or DDNS hostname
    • Port: The default port is 443 and if you’re using your NAS as a reverse proxy server, you can use that port. I have a video on the reverse proxy function if you’re interested in learning more about it. If you use a different port, it must be one that’s not currently in use (I used 5554, but you can use whatever you’d like).
    • Check off “Enable HSTS”
    • Check off “Enable HTTP/2”
  • Destination:
    • Protocol: HTTP
    • Hostname: localhost
    • Port: 5555 (this is the port that we configured in step 8 of the Bitwarden setup instructions).

The reverse proxy has now been configured. When you navigate to the hostname and port configured in the “Source” section of the reverse proxy, your NAS will forward the request to the “Destination”.

3. Let's Encrypt Certificate Setup Instructions

Now that the reverse proxy is set up and Bitwarden is configured, we will need to create an SSL certificate using Let’s Encrypt. NOTE: If you are having trouble creating this certificate, create a port forwarding rule in your router settings to open port 80 traffic on your NAS. You can remove this when complete.

1. Navigate to the “Control Panel”, then “Security”, then “Certificate”. Select “Add”.

2. Select “Add a new certificate” and select “Next”.

3. Select “Get a certificate from Let’s Encrypt” and select “Next”.

4. Under the domain name, enter the hostname you used in the “Source” section of the reverse proxy setup. Enter your email and select “Apply” to create the certificate.

5. After the certificate has been created, select “Configure”. Ensure that the “hostname:[port]” is listed with the certificate that you just created.

The certificate has now been created and will auto-renew moving forward!

4. Firewall Setup Instructions

It’s very important to configure your Synology Firewall, especially if you intend on exposing your Bitwarden instance to the internet. The way that I manage my Synology firewall is that I allow all LAN traffic (192.168.1.0/24) access to my NAS, but all other traffic gets blocked. I then allow all traffic on port 5554. This ensures that I can access my NAS using my DDNS hostname + port.

1. Navigate to the “Control Panel”, “Security” and then “Firewall”. Enable the firewall if it isn’t currently enabled, and then select “Edit Rules”.

2. You will need to tweak the settings based on the applications running on your NAS and the ports selected, but the screenshot below has my settings. NOTE: Firewall rules are processed from top to bottom, so you want to have all “Allow” rules at the top with the “deny all” rule at the bottom. Ensure that you set this up correctly before proceeding, as an incorrect configuration can lock you out of your NAS.

3. The final step is to configure a port forwarding rule on your router. You will need to forward port 5554 (if you are using the same ports as I am) to your NAS so that you can access it from outside of your network. You will now be able to access Bitwarden with a properly installed SSL certificate! You can now create an account.
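The rule order described in step 2 can be checked on paper before applying it. The following is an added example, not part of the original tutorial or of DSM: it models first-match evaluation for the policy above (LAN allowed, port 5554 allowed from anywhere, everything else denied) and flags rules that can never match. The rule tuples, the sample addresses and the fall-through default are assumptions.

```python
import ipaddress

# Rules as (action, source network, destination port or None for any port).
# Constructed to mirror the policy described above; not an export from DSM.
GOOD_RULES = [
    ("allow", "192.168.1.0/24", None),   # all LAN traffic
    ("allow", "0.0.0.0/0", 5554),        # reverse proxy port from anywhere
    ("deny",  "0.0.0.0/0", None),        # deny all, must be last
]
# The same rules with "deny all" moved to the top: the lockout case.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]


def evaluate(rules, src_ip, dst_port, default="deny"):
    """Return the action of the first rule that matches, top to bottom.

    `default` is an assumed fall-through action; it is never reached
    once the list contains a deny-all rule.
    """
    addr = ipaddress.ip_address(src_ip)
    for action, network, port in rules:
        if addr in ipaddress.ip_network(network) and port in (None, dst_port):
            return action
    return default


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule
    already covers their whole source network and port."""
    dead = []
    for i, (_, net_i, port_i) in enumerate(rules):
        n_i = ipaddress.ip_network(net_i)
        for _, net_j, port_j in rules[:i]:
            n_j = ipaddress.ip_network(net_j)
            if n_i.subnet_of(n_j) and port_j in (None, port_i):
                dead.append(i)
                break
    return dead
```

With `BAD_RULES`, a LAN client such as 192.168.1.50 is denied on every port, which is the lockout the note warns about; `shadowed_rules` reports both allow rules as unreachable.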

5. Deny Account Creations

After you’ve successfully created your account, it’s a good idea to deny future registrations. This will stop anyone from creating a new account moving forward.

1. Open Docker and turn off the container.

2. Edit the container, select “Environment” and create a new variable. The variable name should be “SIGNUPS_ALLOWED” and the value should be “false”.

3. Apply the environment and start the container. You will be able to access your account creation page, but no one will be able to create an account!
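To confirm that the container really ended up with the settings from the setup steps (image name, auto-restart, the /data volume, port 5555) and with SIGNUPS_ALLOWED set to false, the output of `docker inspect` can be audited. This is an added example, not part of the original tutorial; the sample JSON is constructed, and the host path /volume1/docker/bitwarden is an assumption.

```python
import json

# Constructed sample in the shape of `docker inspect` output for one container.
# The host path /volume1/docker/bitwarden is an assumed volume location.
SAMPLE_INSPECT = json.loads("""
{
  "Config": {"Image": "vaultwarden/server:latest",
             "Env": ["SIGNUPS_ALLOWED=false", "PATH=/usr/local/bin:/usr/bin"]},
  "HostConfig": {"RestartPolicy": {"Name": "always"},
                 "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "5555"}]}},
  "Mounts": [{"Source": "/volume1/docker/bitwarden", "Destination": "/data"}]
}
""")


def audit(container, host_port="5555"):
    """Return a list of findings; an empty list means the container
    matches the settings from the setup steps."""
    findings = []
    image = container["Config"].get("Image", "")
    if image.startswith("bitwardenrs/"):
        findings.append("image uses the deprecated bitwardenrs name")
    elif not image.startswith("vaultwarden/server"):
        findings.append(f"unexpected image: {image}")

    policy = container["HostConfig"].get("RestartPolicy", {}).get("Name", "")
    if policy in ("", "no"):
        findings.append("auto-restart is not enabled")

    mounts = container.get("Mounts", [])
    if not any(m.get("Destination") == "/data" for m in mounts):
        findings.append("no folder mounted at /data; data stays inside the container")

    bindings = container["HostConfig"].get("PortBindings") or {}
    ports = [b.get("HostPort") for b in bindings.get("80/tcp") or []]
    if host_port not in ports:
        findings.append(f"container port 80 is not published on {host_port}")

    # An unset variable is treated as open registration, as before step 2.
    env = dict(e.split("=", 1) for e in container["Config"].get("Env", []) if "=" in e)
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED is not false; registration is open")
    return findings
```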

6. Conclusion - Synology NAS Bitwarden Installation

Self-hosting your Bitwarden instance on a Synology NAS ensures that you control your data. There are many reasons why someone would want to self-host Bitwarden on a Synology NAS, and the tutorial above shows you exactly how! Thanks for reading and leave any questions you might have in the comments!

This Post Has 130 Comments

  1. Hi WunderTech, based on your description the installation was seamless and perfect, thank you! I have realized that the developer changed the name of the container (as you highlighted). I would like to update the container. Should I install the new, renamed container in the same way as before and point to the same file/folder (data/bitwarden) to have all of the passwords? I don’t want to lose the data. Thanks for your suggestions.

    1. That would be my recommendation! I believe that there are other ways of doing it, but since it’s so easy to create the container, it doesn’t hurt to just set it up again.

      1. Worked like a charm, thank you! 🙂

    1. That is correct! I added a note when it first happened in May (in written instructions), but haven’t had a chance to update the screenshots. It is the same application, just a new name.

  2. Hi

    I have successfully managed to have a running bW server following your instructions…farewell lastpass!!!
    I have a problem with the iOS app…it doesn’t want to connect….connection timeout after about a minute of waiting on the connecting prompt….any ideas as to what could be going wrong?
    All other methods of accessing the vault work perfectly….

    Thanks

    1. When you try and access the application, are you inside or outside of your local network? Any specific situation where it’s working and then it stops working, or is it only on the iOS app? Also, did you configure the iOS app to use your local server?

  3. Hi
    Is there a way to backup all the data in the vault (perhaps as a vault export) to say Google Drive/iCloud/Dropbox or something. Make it perhaps a monthly task.
    This is just in case something happens to my NAS.

    1. You can, but it’s probably easier to do on the Synology side with something like Hyper Backup. You’ll have to back up the “bitwarden” folder and can back it up to any provider you’d like. Just keep in mind that you’ll need a docker instance to “restore” it.

  4. Hi,
    Thank you again for all your videos!
    After I followed all the steps, when I type xxxxx.domain.com it doesn’t redirect me to bitwarden/vaultwarden (thanks to reverse proxy) and it opens the Synology Login Portal. What can be the issue?
    However, if I enter xxxxx.domain.com:5554 it worked. But is the main point of the reverse proxy to not type the ports?

    Another issue that I have is when I open port 443 on my router (Ubiquiti UDM) I can no longer log in to the router locally.

    I really appreciate any help you can provide

    Cheers,

    Nicolas

    1. Change the port to 443 rather than 5554 (if you don’t want to type it in), then ensure 443 is open on your router and it should work the way you’re expecting it to!

  5. Hi!
    Thanks for the great work!
    I guess everything works just fine. But I cannot log in to mobile apps or browser extensions. I click on the “setting” gear symbol and enter the DDNS name with port like https://xxxxx.myddns.me:5554. Then I enter the registration name and password, but nothing happens, sometimes I get strange errors.
    Do you have any advice?

    Greetings

    1. Thanks! Are you on an external network at that point? If you try and access the bitwarden URL from a webpage instead, does it work?

  6. Hi there,

    Thank you very much for the extensive guide on how to set up the server.

    Like many others, I also recently migrated from LastPass to Bitwarden.
    At the moment I had not seen this article on how to host the locker on my own NAS so I have just been using Bitwarden’s vault.
    This means that I created an account at Bitwarden already that I am using in my browser extensions and mobile apps.
    I have not yet created my Bitwarden account on my own NAS.
    I am very fond of using these extensions and apps; however, now that I have set up my own bitlocker vault, how do I configure these extensions and apps to point to my own Bitwarden server?

      1. Glad you figured it out!

  7. Following your guide – thank you – I have successfully installed Bitwarden in a Docker container.
    Where are the data files stored locally?
    I mounted the /data directory in the docker/bitwarden directory – however I am unable to find the data folder using File Manager.

    1. When you start the container and access the “bitwarden” folder on your NAS, do you see any of the files? It should all be stored inside of the “bitwarden” folder (you will see a bunch of files there if it works properly).

      1. Thank you for your prompt reply.
        Thanks to your tutorial, everything appears to be working well with my installation.
        Here are the files on my NAS in the docker/bitwarden directory.
        rsa_key.pub.pem
        rsa_key.pem
        db.sqlite3-wal
        db.sqlite3-shm
        db.sqlite3
        Plus the folder…
        icon_cache
        Which of these files contain my data files?

        1. Glad you got it working! The short answer is all of them. Those files collectively make up the config of Bitwarden. If you want to restore this on a different device, you will need to use all of those when creating the new container.

          1. Thanks – for your prompt responses and valued support.
            Regarding future updates to Bitwarden – will I receive a docker notification? Or do I have to check for Bitwarden updates manually.

          2. Glad to try and help! Unfortunately, you’ll have to check the versions manually. You generally don’t have to update on every version (meaning you don’t have to check all the time), but once a month should be enough.

  8. Thanks for this tutorial. Might I request a follow up to this with possible backups that can be done?

    1. I will add this to my list!

  9. Hi, I installed Bitwarden and it is working. However I can only access Bitwarden Login with http and not https. Message is Secure Connection Failed. xxxxx.PR_END_OF_FILE_ERROR.
    Is my certificate not valid?

    1. Are you using Nginx Proxy Manager and can you access the webpage outside of your local network?
