Today we are going to look at how to set up Bitwarden on a Synology NAS!
Bitwarden is a password manager that can be self-hosted if desired. The benefit of self-hosting is that you are in control of your data and don’t need to rely on a third party to manage it.
This doesn’t necessarily mean that there is an inherent security risk with using Bitwarden’s hosting. We are just looking at an alternate option on how to set up Bitwarden on a Synology NAS!
Please keep in mind that this utilizes Vaultwarden, a low-resourced, Docker container version of Bitwarden. You can learn more about Vaultwarden vs. Bitwarden here.
This is an older video from DSM 6 that explains how to set up Bitwarden on a Synology NAS, but a lot of the settings look different in DSM 7, so you’ll have to follow the written instructions below.
1. How to Set Up Bitwarden on a Synology NAS
The instructions below will show how to set up Bitwarden on a Synology NAS. This tutorial utilizes the latest version of DSM (v7.2) and Container Manager.
1. Download and install Container Manager from the Synology Package Center.
2. Before we get started, we need a directory where Bitwarden can add all of its files. Open File Station, navigate to the docker folder, and create a subfolder named bitwarden.
3. Open Container Manager and select Project, then Create.
4. Enter the Name, then select the bitwarden path, and then select Create docker-compose.yml. From there, paste in the Docker Compose file listed below. You can then continue to create the container!
NOTE: This will use the host port 5555 (if you’d like to alter it, you can here). You can also change the timezone and volume number if you’re using something other than Volume 1.
version: "3"
# Instructions: https://www.wundertech.net/how-to-self-host-the-password-manager-bitwarden-on-a-synology-nas/
services:
bitwarden:
container_name: bitwarden
image: vaultwarden/server:latest
ports:
- "5555:80/tcp"
network_mode: bridg
environment:
TZ: 'America/Chicago'
volumes:
- '/volume1/docker/bitwarden:/data'
restart: unless-stopped
5. Proceed through the steps and create the project!
1.1 Reverse Proxy Setup: How to Set Up Bitwarden on a Synology NAS
At this stage, you need to determine if you will be using a domain name. I will not be using a purchased domain name, but I will be using a free DuckDNS DDNS hostname. If you’d like to configure this, please check out our tutorial on how to configure this.
1. After you have your domain name configured, open the Synology “Control Panel”, select “Application Portal” and then “Reverse Proxy”.
2. Select “Create” to create a reverse proxy. At this stage, we will need to configure a few settings:
- Description: bitwarden
- Source:
- Protocol: HTTPS
- Hostname: This is where you will enter your domain name or DDNS hostname
- Port: The default port is 443 and if you’re using your NAS as a reverse proxy server, you can use that port. I have an article on the reverse proxy function if you’re interested in learning more about it. If you are using that port, you will have to use something that’s not currently in use.
- Check off “Enable HSTS”
- Check off “Enable HTTP/2”
- Destination:
- Protocol: HTTP
- Hostname: IP Address of your Synology NAS (or localhost if it’s the local device)
- Port: 5555 (this is the port that we configured in step 8 of the bitwarden setup instructions).
The reverse proxy has now been configured. When you navigate to the hostname and port configured in the “Source” section of the reverse proxy, your NAS will forward the request to the “Destination”.
The settings below are from DSM 6, but the settings are the exact same.
1.2 Let’s Encrypt Setup – How to Setup Bitwarden on a Synology NAS
Now that the reverse proxy is set up and Bitwarden is configured, we will need to create an SSL certificate using Let’s Encrypt. NOTE: If you are having trouble creating this certificate, create a port forwarding rule in your router settings to open port 80 traffic on your NAS. You can remove this when complete.
1. Navigate to the “Control Panel”, then “Security”, then “Certificate”. Select “Add”.
2. Select “Add a new certificate” and select “Next”.
3. Select “Get a certificate from Let’s Encrypt” and select “Next”.
4. Under the domain name, enter the hostname you used in the “Source” section of the reverse proxy setup. Enter your email and select “Apply” to create the certificate.
5. After the certificate has been created, select “Configure”. Ensure that the “hostname:[port]” is listed with the certificate that you just created.
The certificate has now been created and will auto-renew moving forward!
1.2 Firewall Setup Instructions: Bitwarden on a Synology NAS
It’s very important to configure your Synology Firewall, especially if you intend on exposing your Bitwarden instance to the internet. The way that I manage my Synology firewall is that I allow all LAN traffic (192.168.1.0/24) access to my NAS, but all other traffic gets blocked. I then allow all traffic on port 5554. This ensures that I can access my NAS using my DDNS hostname + port.
1. Navigate to the “Control Panel”, “Security” and then “Firewall”. Enable the firewall if it isn’t currently enabled, and then select “Edit Rules”.
2. You will need to tweak the settings based on the applications running on your NAS and the ports selected, but the screenshot below has my settings. NOTE: It is important to note that firewall rules are processed from top to bottom, so you want to have all “Allow” rules at the top with the “deny all” rule at the bottom. Ensure that you set this up right before proceeding, as incorrect configuration can lock you out of your NAS.
3. The final step is to configure a port forwarding rule on your router. You will need to forward port 443 (if you are using the same ports as I am) to your reverse proxy server so that you can access it from outside of your network.
You will now be able to access Bitwarden with a properly installed SSL certificate! You can now create an account.
1.3 Deny Account Creations – How to Setup Bitwarden on a Synology NAS
After you’ve successfully created your account, it’s a good idea to deny future registrations. This will stop anyone from creating a new account moving forward.
1. Open Container Manager and stop the Project. Then select Details on the Project.
2. Edit the YAML Configuration File and add an environment variable. The name should be “SIGNUPS_ALLOWED” and the value should be “false”.
SIGNUPS_ALLOWED: false
3. Save the Project and recreate the container. You won’t be able to create new accounts now!
2. Conclusion: How to Set Up Bitwarden on a Synology NAS
This tutorial looked at how to set up Bitwarden on a Synology NAS. Self-hosting your Bitwarden instance on a Synology NAS ensures that you control your data. Keep in mind that this utilizes Vaultwarden, which is a great, lightweight option for setting up Bitwarden on a Synology NAS.
There are many reasons why someone would want to self-host Bitwarden on a Synology NAS, and the tutorial above shows you exactly how!
Thanks for checking out the tutorial on how to set up Bitwarden on a Synology NAS! If you have any questions on how to set up Bitwarden on a Synology NAS, please leave them in the comments!
Hi WunderTech, based on your description the installation was seamless and perfect, thank you! I have realized that the developer changed the name of the container (as you highlighted). I would like to update the container. Should I install the new, renamed container on the same way than before and point to the same file/folder (data/bitwarden) to have all of the passwords? I don’t want to lose the data. Thanks to your suggestions.
That would be my recommendation! I believe that there are other ways of doing it, but since it’s so easy to create the container, it doesn’t hurt to just set it up again.
Worked like a charm, thank you! 🙂
Hello, seems that at this time bitwardenrs has been deprecated ( https://registry.hub.docker.com/r/bitwardenrs/server/) and there a new version https://registry.hub.docker.com/r/vaultwarden/server/ Any comment?
That is correct! I added a note when it first happened in May (in written instructions), but haven’t had a chance to update the screenshots. It is the same application, just a new name.
Hi
I have succesfully managed to have a running bW server following your instructions…farewell lastpass!!!
I have a problem with the ios app…it doesn’t want to connect….connection timeout after about a minute of waiting on the connecting prompt….any ideas as to what could be going wrong?
All other methods of accessing the vault work perfectly….
Thanks
When you try and access the application, are you inside or outside of your local network? Any specific situation where it’s working and then it stops working, or is it only on the iOS app? Also, did you configure the iOS app to use your local server?
Hi
Is there a way to backup all the data in the vault (perhaps as a vault export) to say Google Drive/iCloud/Dropbox or something. Make it perhaps a monthly task.
This is just in case something happens to my NAS.
You can, but it’s probably easier to do on the Synology side with something like Hyper Backup. You’ll have to back up the “bitwarden” folder and can back it up to any provider you’d like. Just keep in mind that you’ll need a docker instance to “restore” it.
Hi,
Thank you again for all your videos!
After I followed all the steps when I type xxxxx.domain.com it doesn’t redirect to me to bitwarden/vaultwarden (thanks to reverse proxy) and It opens Synology Login Portal. What can be the issue?
However, if I enter xxxxx.domain.com:5554 it worked. But is the main point of the reverse proxy to not type the ports ?
Another issue that I have is when I open port 443 on my router (Ubiquiti UDM) I can’t longer login to the router locally.
I really appreciate any help you can provide
Cheers,
Nicolas
Change the port to 443 rather than 5554 (if you don’t want to type it in), then ensure 443 is open on your router and it should work the way you’re expecting it to!
Hi!
Thanks for the great work!
I guess everything works just fine. But i cannot login into mobile Apps or Browser-extensions. I click at the “setting” gear-symbol and enter the DDNS-Name with Port like https://xxxxx.myddns.me:5554. Then i enter the registration name and password, but nothing happens, sometimes i get strange errors.
Do you have any advice?
Greetings
Thanks! Are you on an external network at that point? If you try and access the bitwarden URL from a webpage instead, does it work?
Hi there,
Thank you very much for the extensive guide on how to set up the server.
I as many others I also recently migrated from LastPass to bitwarden.
At the moment I had not seen this article on how to host the locker on my own NAS so I have just been using bitwardens vault.
This means that I created an account at bitwarden already that I am using in my browser extensions and mobile apps.
I have not yet created my bitwarden account on my own nas.
I am very fond of using these extensions and apps however, now that I have set up my own bitlocker vault, how do I configure these extentions and apps to point to my own bitwarden server?
Sorry found it already:
https://bitwarden.com/help/article/change-client-environment/
Glad you figured it out!
Following your guide – thank you -I have successfully installed bitwarden in a docker container.
Where are the data files stored locally?
I mounted the /data directory in the docker/bitwarden directory – however I am unable to find the data folder i using File Manager.
When you start the container and access the “bitwarden” folder on your NAS, do you see any of the files? It should all be stored inside of the “bitwarden” folder (you will see a bunch of files there if it works properly).
Thank you for your prompt reply.
Thanks to your tutorial, everything appears to be working well with my installation.
Here are the files on my NAS in the docker/bitwarden directory.
rsa_key.pub.pem
rsa_key.pem
db.sqlite3-wal
db.sqlite3-shm
db.sqlite3
Plus the folder…
icon_cache
Which of these files contain my data files?
Glad you got it working! The short answer is all of them. Those files collectively make up the config of Bitwarden. If you want to restore this on a different device, you will need to use all of those when creating the new container.
Thanks – for your prompt responses and valued support.
Regarding future updates to Bitwarden – will I receive a docker notification? Or do I have to check for Bitwarden updates manually.
Glad to try and help! Unfortunately, you’ll have to check the versions manually. You generally don’t have to update on every version (meaning you don’t have to check all the time), but once a month should be enough.
Thanks for this tutorial. Might I request a follow up to this with possible backups that can be done?
I will add this to my list!
Hi, I Installed Bitwarden and it is working. However I can only access Bitwarden Login with http and not https. Message is Secure Connection Failed. xxxxx.PR_END_OF_FILE_EROOR.
Is my certificate not valid ?
Are you using Nginx Proxy Manager and can you access the webpage outside of your local network?