Bitwarden is a password manager that can be self-hosted if desired. The benefit of self-hosting is that you are in control of your data and don’t need to rely on a third party to manage it. This doesn’t necessarily mean that there is an inherent security risk with using Bitwarden’s hosting. We are just looking at an alternate option!
1. Self-host Bitwarden on Synology NAS Instructions
1. Download and install Docker from the Synology Package Center.
2. Before we get started, we need a directory where Bitwarden can add all of its files. Open “File Station”, navigate to the “docker” folder and create a subfolder named “bitwarden”.
3. Open Docker and install the “bitwardenrs/server:latest” application from the Docker Registry.
4. After the item is downloaded, go to “Image” and double click the “bitwardenrs/server:latest” item to launch the configuration tool.
5. Select “Advanced Settings”.
6. Select “Enable auto-restart” under the “Advanced Settings”. NOTE: This setting will allow the container to restart after an improper shutdown.
7. Under “Volume”, select “Add Folder” and add the bitwarden folder we created in step two (path should be docker/bitwarden). For the “Mount Path”, enter “/data”.
8. Under the “Port Settings”, change the local port from “Auto” to “5555” for the Container Port “80”. When done, select “Apply”. NOTE: This is just the port that you’d like to use. You don’t need to use port 5555, but you need to ensure you use a port that’s not currently being used.
9. Now that the “Advanced Settings” are complete, select “Next” and then “Apply” to create the container. The Bitwarden setup is now complete. We will now need to create a reverse proxy, certificate, and configure our firewall.
2. Reverse Proxy Setup Instructions
At this stage, you need to determine if you will be using a domain name. I will not be using a purchased domain name, but I will be using a free DuckDNS DDNS hostname. If you’d like to do the same, please check out our tutorial on how to configure it.
1. After you have your domain name configured, open the Synology “Control Panel”, select “Application Portal” and then “Reverse Proxy”.
2. Select “Create” to create a reverse proxy. At this stage, we will need to configure a few settings:
- Description: bitwarden
- Source:
- Protocol: HTTPS
- Hostname: This is where you will enter your domain name or DDNS hostname
- Port: I will be using port 5554, but the default port is 443. If you are already using port 443, you will need to enter a different port.
- Check off “Enable HSTS”
- Check off “Enable HTTP/2”
- Destination:
- Protocol: HTTP
- Hostname: localhost
- Port: 5555 (this is the port that we configured in step 8 of the Bitwarden setup instructions).
The reverse proxy has now been configured. When you navigate to the hostname and port configured in the “Source” section of the reverse proxy, your NAS will forward the request to the “Destination”.
3. Let's Encrypt Certificate Setup Instructions
Now that the reverse proxy is set up and Bitwarden is configured, we will need to create an SSL certificate using Let’s Encrypt. NOTE: If you are having trouble creating this certificate, create a port forwarding rule in your router settings that forwards port 80 traffic to your NAS. You can remove this rule when complete.
1. Navigate to the “Control Panel”, then “Security”, then “Certificate”. Select “Add”.
2. Select “Add a new certificate” and select “Next”.
3. Select “Get a certificate from Let’s Encrypt” and select “Next”.
4. Under the domain name, enter the hostname you used in the “Source” section of the reverse proxy setup. Enter your email and select “Apply” to create the certificate.
5. After the certificate has been created, select “Configure”. Ensure that the “hostname:[port]” is listed with the certificate that you just created.
The certificate has now been created and will auto-renew moving forward!
4. Firewall Setup Instructions
It’s very important to configure your Synology Firewall, especially if you intend on exposing your Bitwarden instance to the internet. The way that I manage my Synology firewall is that I allow all LAN traffic (192.168.1.0/24) access to my NAS, but all other traffic gets blocked. I then allow all traffic on port 5554. This ensures that I can access my NAS using my DDNS hostname + port.
1. Navigate to the “Control Panel”, “Security” and then “Firewall”. Enable the firewall if it isn’t currently enabled, and then select “Edit Rules”.
2. You will need to tweak the settings based on the applications running on your NAS and the ports selected, but the screenshot below has my settings. NOTE: Firewall rules are processed from top to bottom, so you want to have all “Allow” rules at the top with the “deny all” rule at the bottom. Ensure that you set this up correctly before proceeding, as an incorrect configuration can lock you out of your NAS.
3. The final step is to configure a port forwarding rule on your router. You will need to forward port 5554 (if you are using the same ports as I am) to your NAS so that you can access it from outside of your network. You will now be able to access Bitwarden with a properly installed SSL certificate! You can now create an account.
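The top-to-bottom rule processing described in step 2 can be checked before you apply anything. The following is an added example, not part of the original tutorial and not Synology code: a small first-match model of the rule set, with constructed probe addresses, DSM's default HTTPS port 5001 standing in for the admin interface, and an assumed "allow" outcome when no rule matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    source: str           # CIDR; "0.0.0.0/0" matches any IPv4 source
    port: Optional[int]   # None matches every port

def evaluate(rules, src_ip, dst_port, default="allow"):
    """First matching rule wins, top to bottom. `default` models the
    no-match behaviour and is an assumption of this sketch."""
    for rule in rules:
        if ip_address(src_ip) in ip_network(rule.source) and rule.port in (None, dst_port):
            return rule.action
    return default

LAN = Rule("allow", "192.168.1.0/24", None)
PROXY = Rule("allow", "0.0.0.0/0", 5554)
DENY_ALL = Rule("deny", "0.0.0.0/0", None)

GOOD = [LAN, PROXY, DENY_ALL]   # order described in the tutorial
BAD = [DENY_ALL, LAN, PROXY]    # deny-all on top: nothing below it is ever reached

# Constructed probes: (name, source IP, port, expected action).
# 203.0.113.10 is a documentation address standing in for an internet client;
# 5001 is DSM's default HTTPS port, used here as the admin interface.
PROBES = [
    ("lan_admin", "192.168.1.20", 5001, "allow"),
    ("wan_bitwarden", "203.0.113.10", 5554, "allow"),
    ("wan_container_http", "203.0.113.10", 5555, "deny"),
    ("wan_admin", "203.0.113.10", 5001, "deny"),
]

def failed_probes(rules):
    """Names of probes whose outcome differs from the intended policy."""
    return [name for name, ip, port, want in PROBES
            if evaluate(rules, ip, port) != want]

if __name__ == "__main__":
    print("tutorial order:", failed_probes(GOOD))
    print("deny-all first:", failed_probes(BAD))
```

With the deny-all rule on top, the LAN probe fails as well, which is the lock-out the note warns about. Dropping the deny-all rule leaves the plain-HTTP container port 5555 and the admin port reachable from outside in this model.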
5. Deny Account Creations
After you’ve successfully created your account, it’s a good idea to deny future registrations. This will stop anyone from creating a new account moving forward.
1. Open Docker and turn off the container.
2. Edit the container, select “Environment” and create a new variable. The variable name should be “SIGNUPS_ALLOWED” and the value should be “false”.
3. Apply the environment and start the container. You will be able to access your account creation page, but no one will be able to create an account!
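To confirm that the container really carries the settings from the setup steps and from this section, you can audit the JSON that `docker inspect` prints for it. This is an added example, not part of the original tutorial: the sample record is constructed, the `/volume1` prefix is an assumption about where the “docker” shared folder lives, and the finding names are made up for illustration.

```python
import json

# Constructed sample: the fields of one `docker inspect` entry that the steps above set.
# The /volume1 prefix is an assumption, not a value from the tutorial.
SAMPLE = {
    "Config": {"Env": ["SIGNUPS_ALLOWED=false", "PATH=/usr/local/bin:/usr/bin"]},
    "HostConfig": {
        "RestartPolicy": {"Name": "always"},
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "5555"}]},
    },
    "Mounts": [{"Source": "/volume1/docker/bitwarden", "Destination": "/data"}],
}

def audit_container(info, host_port="5555", data_dir="docker/bitwarden"):
    """Return a list of finding codes; an empty list means the settings match."""
    findings = []
    env = dict(e.split("=", 1) for e in info["Config"].get("Env") or [] if "=" in e)
    if env.get("SIGNUPS_ALLOWED", "").strip().lower() != "false":
        findings.append("signups_open")            # registration is still possible
    host = info["HostConfig"]
    if (host.get("RestartPolicy") or {}).get("Name", "") in ("", "no"):
        findings.append("no_auto_restart")         # "Enable auto-restart" not in effect
    bindings = host.get("PortBindings") or {}
    ports = [b.get("HostPort") for b in bindings.get("80/tcp") or []]
    if ports != [host_port]:
        findings.append("unexpected_port_80_binding")
    if set(bindings) - {"80/tcp"}:
        findings.append("extra_published_ports")   # more exposed than the proxy needs
    mounts = {m["Destination"]: m["Source"] for m in info.get("Mounts") or []}
    if not mounts.get("/data", "").endswith(data_dir):
        findings.append("data_not_persisted")      # vault data would stay in the container
    return findings

def audit_inspect_output(text):
    """Audit the first container in the JSON array printed by `docker inspect`."""
    return audit_container(json.loads(text)[0])

if __name__ == "__main__":
    print(audit_container(SAMPLE) or "all settings match")
```

Save the output of `docker inspect` for your container to a file and pass its contents to `audit_inspect_output`.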
6. Conclusion - Synology NAS Bitwarden Installation
Self-hosting your Bitwarden instance on a Synology NAS ensures that you control your data. There are many reasons why someone would want to self-host Bitwarden on a Synology NAS, and the tutorial above shows you exactly how! Thanks for reading and leave any questions you might have in the comments!