How to Self-host the Password Manager Bitwarden on a Synology NAS!

Today we are going to look at how to self-host Bitwarden on a Synology NAS!

Bitwarden is a password manager that can be self-hosted if desired. The benefit of self-hosting is that you are in control of your data and don’t need to rely on a third party to manage it. This doesn’t necessarily mean that there is an inherent security risk with using Bitwarden’s hosting. We are just looking at an alternate option!

1. Self-host Bitwarden on Synology NAS Instructions

1. Download and install Docker from the Synology Package Center.

2. Before we get started, we need a directory where Bitwarden can add all of its files. Open “File Station”, navigate to the “docker” folder and create a subfolder named “bitwarden”.

5/3/21 Update: The bitwardenrs image has been deprecated and renamed to vaultwarden. For this reason, you will have to use that image name (as opposed to what the screenshots are showing).

3. Open Docker and install the vaultwarden/server:latest image from the Docker Registry.

4. After the item is downloaded, go to “Image” and double click the vaultwarden/server:latest item to launch the configuration tool.

5. Select “Advanced Settings”.

6. Select “Enable auto-restart” under the “Advanced Settings”. NOTE: This setting will allow the container to restart after an improper shutdown.

7. Under “Volume”, select “Add Folder” and add the bitwarden folder we created in step two (path should be docker/bitwarden). For the “Mount Path”, enter “/data”.

8. Under the “Port Settings”, change the local port from “Auto” to “5555” for the Container Port “80”. When done, select “Apply”. NOTE: This is just the port that you’d like to use. You don’t need to use port 5555, but you need to ensure you use a port that’s not currently being used.

9. Now that the “Advanced Settings” are complete, select “Next” and then “Apply” to create the container. The Bitwarden setup is now complete. We will now need to create a reverse proxy, certificate, and configure our firewall.

2. Reverse Proxy Setup Instructions

At this stage, you need to determine if you will be using a domain name. I will not be using a purchased domain name, but I will be using a free DuckDNS DDNS hostname. If you’d like to set one up, please check out our tutorial on how to configure it.

1. After you have your domain name configured, open the Synology “Control Panel”, select “Application Portal” and then “Reverse Proxy”.

2. Select “Create” to create a reverse proxy. At this stage, we will need to configure a few settings:

  • Description: bitwarden
  • Source:
    • Protocol: HTTPS
    • Hostname: This is where you will enter your domain name or DDNS hostname
    • Port: The default port is 443 and if you’re using your NAS as a reverse proxy server, you can use that port. I have a video on the reverse proxy function if you’re interested in learning more about it. If you are not using that port, you will have to use something that’s not currently in use (I used 5554, but you can use whatever you’d like).
    • Check off “Enable HSTS”
    • Check off “Enable HTTP/2”
  • Destination:
    • Protocol: HTTP
    • Hostname: localhost
    • Port: 5555 (this is the port that we configured in step 8 of the Bitwarden setup instructions).

The reverse proxy has now been configured. When you navigate to the hostname and port configured in the “Source” section of the reverse proxy, your NAS will forward the request to the “Destination”.

3. Let's Encrypt Certification Setup Instructions

Now that the reverse proxy is set up and Bitwarden is configured, we will need to create an SSL certificate using Let’s Encrypt. NOTE: If you are having trouble creating this certificate, create a port forwarding rule in your router settings to open port 80 traffic on your NAS. You can remove this when complete.

1. Navigate to the “Control Panel”, then “Security”, then “Certificate”. Select “Add”.

2. Select “Add a new certificate” and select “Next”.

3. Select “Get a certificate from Let’s Encrypt” and select “Next”.

4. Under the domain name, enter the hostname you used in the “Source” section of the reverse proxy setup. Enter your email and select “Apply” to create the certificate.

5. After the certificate has been created, select “Configure”. Ensure that the “hostname:[port]” is listed with the certificate that you just created.

The certificate has now been created and will auto-renew moving forward!

4. Firewall Setup Instructions

It’s very important to configure your Synology Firewall, especially if you intend on exposing your Bitwarden instance to the internet. The way that I manage my Synology firewall is that I allow all LAN traffic (192.168.1.0/24) access to my NAS, but all other traffic gets blocked. I then allow all traffic on port 5554. This ensures that I can access my NAS using my DDNS hostname + port.

1. Navigate to the “Control Panel”, “Security” and then “Firewall”. Enable the firewall if it isn’t currently enabled, and then select “Edit Rules”.

2. You will need to tweak the settings based on the applications running on your NAS and the ports selected, but the screenshot below has my settings. NOTE: Firewall rules are processed from top to bottom, so you want to have all “Allow” rules at the top with the “deny all” rule at the bottom. Ensure that you set this up correctly before proceeding, as an incorrect configuration can lock you out of your NAS.

3. The final step is to configure a port forwarding rule on your router. You will need to forward port 5554 (if you are using the same ports as I am) to your NAS so that you can access it from outside of your network. You will now be able to access Bitwarden with a properly installed SSL certificate! You can now create an account.
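
The top-to-bottom rule processing from step 2, modeled as an added example (not part of the original tutorial and not Synology's code): a first-match evaluator run over the rule set described above, plus a check for rules that can never fire. The `Rule` class, the function names, the sample addresses and port 5000 are assumptions made for illustration, and unmatched traffic is assumed to be denied.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    source: str = "0.0.0.0/0"    # source network in CIDR form
    port: Optional[int] = None   # None = every destination port

    def net(self):
        return ipaddress.ip_network(self.source)

    def matches(self, src_ip, dst_port):
        in_net = ipaddress.ip_address(src_ip) in self.net()
        return in_net and self.port in (None, dst_port)


def evaluate(rules, src_ip, dst_port, default="deny"):
    """Top to bottom, first match wins. Returns (action, index of deciding rule)."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_port):
            return rule.action, index
    return default, None  # assumption of this model: unmatched traffic is denied


def shadowed(rules):
    """(later, earlier) index pairs where the earlier rule already decides
    every packet the later rule could match, so the later rule never fires."""
    pairs = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            covers_net = later.net().subnet_of(earlier.net())
            covers_port = earlier.port is None or earlier.port == later.port
            if covers_net and covers_port:
                pairs.append((j, i))
                break
    return pairs


# Rule set described in the tutorial (LAN subnet and port taken from the text).
TUTORIAL_RULES = [
    Rule("allow", source="192.168.1.0/24"),   # all LAN traffic
    Rule("allow", port=5554),                 # reverse proxy port, any source
    Rule("deny"),                             # deny all, last
]
# Constructed mistake: the same rules with "deny all" moved to the top.
MISORDERED_RULES = [TUTORIAL_RULES[2], TUTORIAL_RULES[0], TUTORIAL_RULES[1]]

if __name__ == "__main__":
    for name, rules in (("tutorial", TUTORIAL_RULES), ("misordered", MISORDERED_RULES)):
        print(name, "LAN ->", evaluate(rules, "192.168.1.20", 5000),
              "| WAN:5554 ->", evaluate(rules, "203.0.113.7", 5554),
              "| shadowed:", shadowed(rules))
```

With the deny rule first, the LAN client is blocked by rule 0 and both allow rules are reported as shadowed, which is the lock-out the note in step 2 warns about.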

5. Deny Account Creations

After you’ve successfully created your account, it’s a good idea to deny future registrations. This will stop anyone from creating a new account moving forward.

1. Open Docker and turn off the container.

2. Edit the container, select “Environment” and create a new variable. The variable name should be “SIGNUPS_ALLOWED” and the value should be “false”.

3. Apply the environment and start the container. You will be able to access your account creation page, but no one will be able to create an account!

6. Conclusion - Synology NAS Bitwarden Installation

Self-hosting your Bitwarden instance on a Synology NAS ensures that you control your data. There are many reasons why someone would want to self-host Bitwarden on a Synology NAS, and the tutorial above shows you exactly how! Thanks for reading and leave any questions you might have in the comments!

This Post Has 130 Comments

  1. I had to open another subnet in my NAS firewall rules to enable Bitwarden to work after these instructions.
    I ALLOWED:
    172.17.0.0/255.255.0.0

    My problems were that after connecting locally (on my subnet) once the container would hang. The android app wouldn’t connect ever. Icons would not download properly.

    1. Glad you got it working and thank you for sharing. I didn’t have to do that on mine, but it’s good that other people are aware!

  2. Hi, searching for a few items in the net I landed on your videos…and found it to be the probably best guides which indeed work out.
    I installed Bitwarden on a Synology NAS in the docker, all good and working. However, there are following challenges:
    1. Your step “5. Deny Account Creations”: I did as recommended but still have the mask and button available to create new accounts. I also added as variable disableUserRegistration with value true, but still the same result. Or is the input mask visible but finally the accounts are not submitted? Where could I check which accounts exist and potentially delete?
    2. I installed the extensions (desktop Mac, browser extensions for Safari, Opera, Edge). Entering login data for Hotmail, Gmail, nothing happens. Bitwarden does not ask to save anything, even if I manually add the data to the Bitwarden vault. Clicking on the symbol next to the URL entry, Bitwarden says that there is no login data available for this site. Anything I did wrong? Or how can I convince Bitwarden to recognize the login data for e.g. these email accounts? Also, when a site asks for more input fields like an account number, how can the extension work?

    1. Thanks for checking out the tutorial!

      1. The option will still be there, unfortunately. However, if you try and create an account, you should receive an error and it shouldn’t allow you to. Is that how it’s working?
      2. When you say that it doesn’t save, do you mean to the vault, or the vault isn’t properly writing the information to the login page when you select it?

  3. Hi. Many thanks for your tutorial. I tried to follow it and managed to get access to the bitwarden server on my NAS. But somehow https is not working properly. If I open “bw.xxxx.synology.me:5554” I only get a http connection and the browser tells me “not secure”.

    If I connect to DSM (xxxx.synology.me:70xx) I get a https connection.

    I don’t know where I’ve messed it up. Do you have an idea?

    1. Did you properly get a certificate for bw.xxxx.synology.me and apply it to the domain? Also, are you testing this internally or externally (of your network)?

      1. I can see the certificate for bw.xxxx.synology.me in DSM. It shows a green lock. For me it seems to be properly installed. I have chosen this certificate in “Configuration” for the service “bw.xxxx.synology.me:5554”.

        I tested both. From outside of my network and internally. It’s the same for both.

        1. Hi. You can ignore my question. The problem was that I didn’t forward the port in my router correctly…Now it works. Thank you for your tutorial.

          1. Glad you got it working!

  4. @WunderTech thanks for the tutorial really appreciate it.

    I followed your tutorial to the dot. The docker container port it is default to 80 and the local port is 5555. I have used the default DDNS service and set up mxxxx.synology.me which is working for me. Under router configuration I have custom port local port 5554 and router port 5554 setup. Tested the connection and it’s working. Under firewall I have allowed port 5554,5555 all connection from my country to allow. Deny all is right at the bottom. SSL certificate done and it was working fine before the tutorial so I just check that under the configuration tab services mxxxx.synology.me:5554 and certificate is selected. In my router port settings:
    ID Service Type External Port Internal IP Internal Port Protocol Status Modify
    1 Bitwarden 5554 192.168.0.128 5554 TCP

    The problem is when I navigate the browser to https://mxxxx.synology.me:5554/ I receive:
    Sorry, the page you are looking for is not found.

    What am I doing wrong?

    1. I have also setup reverse proxy setting. Source Hostname https://mxxxx.synology.me port 5554 and Destination hostname localhost 5555.

    2. When you say that you allowed traffic on your firewall, did you port forward it on your router as well? Can you check the port using this website to see if it’s opened? https://www.yougetsignal.com/tools/open-ports/

  5. @WunderTech, thanks for your reply. I fixed the problem. I had to restart the router and Set Up the Router one more time to get it up and running. Thanks for the tutorial and reply.

    I ran into another issue. After I have registered an account under my Self Hosted Bitwarden site. I think I screwed up the sign up process and now I am unable to login into Bitwarden with the master password. I received “Unexpected Error” message. Is there a way for me to uninstall all Bitwarden Docker instances and reinstall it to get a clean self host Bitwarden without any user accounts?

    1. Yes, you will have to delete the contents inside of the “bitwarden” Docker folder on your Synology NAS. Once those are deleted, you can recreate the container. You might want to just move them to a different folder until you confirm everything is working, though.

  6. Thanks for your very useful guide I’m jumping from lastpass like a million other people!
    I’ve got the bitwardenrs server set up in docker on my nas as per your instructions with container ports set, the reverse proxy source and destination settings set. My Let’s encrypt cert is set up and showing the same port as the reverse proxy “source”
    and the firewall rules set up as per the instructions. The problem I had was it took me ages to get into the bitwarden server login and account creation page. Attempts to point a browser at https://insertsillynamehere.duckdns.org:reverseproxysourceport from behind my home router just timed out all the time. I tried to connect using my mobile phone data connection and it worked immediately and I was able to set up an account and import my .csv . I found to make the desktop/laptop browser plugins work behind my home router I had to use http://synologynaslocal_IP:reverseproxydestinationport for the self hosted environment server field. It all works nicely but anyone have any idea why I can’t use/see the https duckdns url from inside my home network? I wondered if it might be some DNS cache lag, or rubbish router from my ISP. Thought my problem and workaround might help others. Thanks again Sam

    1. It sounds like you set everything up properly. Are you using a local DNS server, by any chance? Any firewall rules (limiting traffic to your local country, for example)?

  7. Thank you for the very detailed setup instructions. I have setup the server and everything works well. I am able to access my endpoint from inside the home network( using pihole), from the internet, and on the app.

    The only problem is on my ios app, I don’t see recently added entries in the vault. I have to refresh manually to see the new vault items. Is this expected behavior? any solution that can automate the refresh on mobile app?

    1. When you say that you have to refresh manually, do you mean that you need to “sync” manually? If you completely close out the app and reopen it, does it sync on its own?

      1. I tried killing ios app, and reopening. Right after login I searched for the newly added item I could not find it.

        I changed settings on app, Settings>sync>Enable sync on refresh = yes.

        Now when I pull down in the vault it triggers refresh and sync, after sync happens I can find the newly added item.

        1. That sounds like it might be an app issue. If everything is working as expected when you sync manually, the connection to the server is working properly. While it’s not ideal, I would wait for the app to be updated to see if there are any bugs that are resolved.

          1. I don’t think that Live Sync is what’s causing your issue. Your issue sounds like it’s not syncing at all unless you manually do it. It’s supposed to sync when you open the app. It could be an app issue – at least that’s what it sounds like to me.

      2. I tried killing the ios app, and reopening doesn’t sync. I have enabled option sync on refresh, so when I do pull-down action on the vault it does sync. But I have to do that manually if I want to see any updates on my ios client app.

  8. Question on this Docker container. You’re using the bitwardenrs/server container. How does this differ from the official bitwarden/setup container on DockerHub? Has this container been vetted as backdoor free? I’ve looked at the github page, https://github.com/dani-garcia/bitwarden_rs and I don’t see anything nasty, but I’m no expert.
    Would you consider doing another tutorial using the official container?
    Thanks!

    1. You can technically set up the official Bitwarden instance, but it requires higher resources and is significantly more complex from what I remember. I can’t speak to the tests that bitwardenrs has been through, but I know it’s the most widely used Bitwarden container (not to say that makes it to be secure). I would say that you should go with your gut, and if you’re concerned, the official Bitwarden instance hosted in the cloud has been thoroughly tested and can be trusted, in my opinion.

      I will look into the official image for a future tutorial!

  9. Hi Wundertech, thanks. I can confirm I have bitwarden up and running in a Docker container on my Synology NAS with reverse proxy and Let’s Encrypt certificates. Question: how can I use the bitwarden mobile app or Windows desktop client to access my local instance? It seems I need an organization ID. How does that work?

    1. When you launch the application, you will see a “gear” icon in the top left. Click that and then you should be able to enter in the custom information. Let me know if you have any trouble!

  10. Hi, Wundertech. Thank you so much for putting together such helpful video. I have followed it and successfully set up mine on my Synology NAS. It is working as expected on my Android Bitwarden app and my wife’s iPhone as well as a browser extension. The only thing I found not working is the Bitwarden Windows desktop app. When trying to connect to my self-hosted Bitwarden, I got ‘Failed to fetch’ error. Do you have any idea how to make the desktop app work?

    1. Glad to hear you got it partially working! As far as the windows application, do you have a firewall on or anything like that (on the NAS)? If so, it could be blocking the connection. Let me know and we can continue troubleshooting!
