-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Vaultwarden
Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust. It is compatible with upstream Bitwarden clients and perfect for self-hosted deployment.
Vaultwarden uses the Web Crypto API which requires a secure context (HTTPS). You must configure a reverse proxy with SSL before accessing the web interface, otherwise you will see a "secure context required" error.
- Go to Control Panel > Security > Certificate
- Add a certificate via Let's Encrypt or import your own
Navigate to the Reverse Proxy settings:
- DSM 7: Control Panel > Login Portal > Advanced > Reverse Proxy
- DSM 6: Control Panel > Application Portal > Reverse Proxy
Click Create and configure as follows:
| Field | Value |
|---|---|
| Description | Vaultwarden |
| Source Protocol | HTTPS |
| Source Hostname | Your domain (e.g., vault.yourdomain.com) |
| Source Port | 443 (or custom) |
| Destination Protocol | HTTP |
| Destination Hostname | localhost |
| Destination Port | 8180 |
WebSocket is required for live sync between Bitwarden clients.
- In the reverse proxy entry, go to the Custom Header tab
- Click Create > WebSocket
- Click Save to apply the configuration
- Go to Control Panel > Security > Certificate
- Click Settings (DSM 7) or Configure (DSM 6)
- Assign your certificate to the Vaultwarden reverse proxy entry
If you prefer not to use a reverse proxy, Vaultwarden supports built-in TLS:
- Generate or obtain SSL certificates (e.g., via Let's Encrypt)
- Edit the environment file:
/var/packages/vaultwarden/var/.env - Add or uncomment:
ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} - Restart the package
| Port | Protocol | Description |
|---|---|---|
| 8180 | TCP | Web interface and API |
| File | Description |
|---|---|
/var/packages/vaultwarden/var/.env |
Environment configuration |
/var/packages/vaultwarden/var/config.json |
Runtime configuration (editable via admin UI) |
Vaultwarden supports multiple database backends:
- SQLite (default) - No additional configuration needed
-
MySQL/MariaDB - Set
DATABASE_URLin.env -
PostgreSQL - Set
DATABASE_URLin.env
The admin interface is available at /admin (e.g., https://vault.yourdomain.com/admin). You need the admin token set during installation to access it.
If you didn't copy the token during installation and want to disable admin access, edit /var/packages/vaultwarden/var/config.json and set:
"disable_admin_token": trueEnsure you are accessing Vaultwarden via HTTPS. See the reverse proxy setup above.
Make sure WebSocket headers are configured in your reverse proxy.
Check that the package is running: Package Center > Vaultwarden > Run
- Home
-
Packages
- Adminer
- Aria2
- Beets
- BicBucStriim
- Borgmatic
- cloudflared
- Comskip
- Debian Chroot
- Deluge
- Duplicity
- dnscrypt-proxy
- FFmpeg
- FFsync
- Flexget
- Gstreamer
- Google Authenticator
- Home Assistant Core
- Jellyfin
- Kiwix
- [matrix] Synapse homeserver
- MinIO
- Mono
- Mosh
- Mosquitto
- Node-Exporter
- OpenList
- ownCloud
- Radarr/Sonarr/Lidarr/Jackett
- rclone
- ruTorrent (rTorrent)
- SaltStack
- SickBeard Custom
- SynoCLI-Disk
- SynoCLI-Devel
- SynoCLI-File
- SynoCLI-Kernel
- SynoCLI-Misc.
- SynoCLI-Monitor
- SynoCLI-NET
- Synogear
- Vaultwarden
- Concepts
- Development
- Resources