Hello, I’ve been looking at many guides but I’m having trouble understanding how to self-host Vaultwarden locally. Could someone help me understand how I could achieve this considering,
- I don’t have a domain
- It would be nice to do something like vaultwarden.local or vaultwarden.homelab.local instead of typing in the homelab’s pc static ip and the port vaultwarden is on
- I don’t want to expose anything outside of my local network
- Security reasons
- I am not well versed in networking so I don’t want to risk leaving an entry point for unwanted users or hackers
I also learned that I would need to sign certificates to be able to access it on some browsers and for the additional security. I learned that Traefik offers self-signed certificates, but every video I have seen starts talking about needing a domain and Cloudflare tunneling and I get lost.
It would be nice if I could get help or advice from the r/selfhosted community because I am new to all of this but want to learn and host more applications and services locally. Thank you.
Use a self-signed SSL cert
Use nginx to reverse proxy the vaultwarden instance
Use the hostname.local address to access the device or add a DNS override to your router. If that’s not an option update your hosts file on the machines you intend to use it from.
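The three steps in this reply (private cert, nginx in front of Vaultwarden, a hosts entry) as one added example script; it is not from the thread or any of the projects mentioned. It assumes the name vaultwarden.local, Vaultwarden listening on 127.0.0.1:8080, and a stock openssl.cnf (whose v3_ca section marks a `req -x509` certificate as CA:TRUE). Only ca.crt is copied to client devices; ca.key stays on the server.

```shell
#!/bin/sh
# Added example: private CA + server cert + nginx server block for a
# LAN-only Vaultwarden. Override with env vars, e.g. NAME=vault.homelab.local
set -eu

NAME="${NAME:-vaultwarden.local}"        # assumed hostname clients will type
UPSTREAM="${UPSTREAM:-127.0.0.1:8080}"   # assumed Vaultwarden listen address
OUT="${OUT:-./pki}"                      # where keys and certs are written

# 1. Root CA. With the stock openssl.cnf, 'req -x509' marks it CA:TRUE.
make_ca() {
  mkdir -p "$OUT"
  openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
    -subj "/CN=Homelab Private Root CA" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
}

# 2. Server cert for $NAME. Browsers require the name in the SAN, not only the CN.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$NAME" \
    -keyout "$OUT/$NAME.key" -out "$OUT/$NAME.csr" 2>/dev/null
  cat > "$OUT/$NAME.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$NAME
EOF
  openssl x509 -req -days 825 -sha256 -CAcreateserial \
    -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -in "$OUT/$NAME.csr" -extfile "$OUT/$NAME.ext" \
    -out "$OUT/$NAME.crt" 2>/dev/null
}

# 3. Check what a browser will check: the leaf chains to ca.crt and carries the SAN.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/$NAME.crt" >/dev/null &&
  openssl x509 -in "$OUT/$NAME.crt" -noout -text | grep -q "DNS:$NAME"
}

# 4. nginx: redirect plain HTTP, terminate TLS, proxy to Vaultwarden.
nginx_conf() {
  cat <<EOF
server {
    listen 80;
    server_name $NAME;
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $NAME;
    ssl_certificate     $OUT/$NAME.crt;
    ssl_certificate_key $OUT/$NAME.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://$UPSTREAM;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # websocket upgrade for Vaultwarden's notifications (served on the
        # main port in recent Vaultwarden releases; assumption)
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# 5. The /etc/hosts line for clients when no router DNS override is available.
hosts_line() { printf '%s %s\n' "${1:-192.168.1.20}" "$NAME"; }

case "${1:-}" in
  run) make_ca; make_server_cert; verify_chain && echo "chain OK"; nginx_conf; hosts_line ;;
esac
```

Run it as `sh make-local-tls.sh run`, put the printed server block in nginx's sites-enabled, and import pki/ca.crt into each client's trust store (or browser). The SAN is the part most self-signed guides get wrong: without `subjectAltName=DNS:vaultwarden.local` modern browsers reject the cert even if the CA is trusted.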
You can use a free domain from noip or similar. Then Let’s Encrypt to get a cert, and then firewall/nginx config to prevent external access to vaultwarden?
For a proper trusted certificate you’re best to have a domain. That doesn’t mean you need to expose anything to the internet. If you have Traefik or HAproxy they can auto issue certificates from LetsEncrypt with the right config. Just don’t allow external access to those front ends. I have the same sort of thing set up with pfsense and the site is internal only via HAproxy to the docker container. Works great.
For that, use DNS challenge and get a Let’s Encrypt cert. Then, in your pihole or DNS solution point the public domain to a private IP.
Problem solved.
That doesn’t mean you need to expose anything to the internet
Really? How do you do this? Do you just not forward any of the ports on your router? If that’s the case then I’ll go ahead and purchase a domain and get started.
Another option which I’ve used in the past is that you can set your domain up with Cloudflare and then either utilize a Tunnel, or restrict the domain to your own IP address and it will block all external traffic. I’ve utilized it for several projects and it has always worked flawlessly. Haven’t tried the Traefik / HAproxy method.
But Certbot / LetsEncrypt is extremely easy to use.
Btw if you want a really cheap domain search 1.111B class XYZ domains, these consist of [6to8numbers.xyz] and cost less than one USD a year
Let’s Encrypt uses what is called the “ACME protocol” for proof of ownership when generating certificates.
There are various challenges they use to prove ownership of the domain. The default one just places a special file on your web server that Let’s Encrypt then reads.
However there are a number of different types of challenges.
If you don’t want to expose anything to the internet then a common one to use is ‘DNS Challenge’.
With DNS challenge the certbot uses your DNS server/provider’s API to update DNS records as a response to the challenge. Let’s Encrypt reads the special TXT response and verifies that you own the domain.
So to use this you need two things:
- A DNS domain
- A DNS domain provider that has an API that certbot can use.
AWS Route53 is a good one to use. But I have used Digital Ocean’s free DNS Service, Bind servers, Njalla, and other things. Most commonly used DNS providers are supported one way or the other.
You can also get fancy and designate sub domains or other domains to respond to the challenges. So if your DNS is locked down you can still add a record to point to a different one on a different server.
The big win for going with DNS Challenge is that you can do wildcard certificates.
So say you are setting up a reverse proxy that will serve vault.home.example.com, fileshare.home.example.com, torrent.home.example.com, and a bunch of others… all you need to do is configure your reverse proxy with a single *.home.example.com cert and it’ll handle anything you throw at it.
You can’t do that with the normal http challenge. Which makes doing the DNS challenge worth it, IMO, even if you do have a public-facing web server.
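The DNS challenge described in this reply (and the "LE certificate with DNS challenge" step at the end of the thread), as an added example that is not from the thread: it computes the TXT value the ACME server expects for DNS-01 (base64url of SHA-256 over `token.thumbprint`, per RFC 8555), checks a published record against it using a constructed in-memory zone in place of a real DNS lookup, and shows the certbot wildcard command. The zone name home.example.com and the Route53 plugin are assumptions; any certbot DNS plugin works the same way.

```shell
#!/bin/sh
# Added example: what DNS-01 actually verifies, plus the certbot wildcard command.
set -eu

ZONE="${ZONE:-}"   # constructed stand-in for the authoritative zone: "name TXT value" lines

# base64url without padding, as RFC 8555 requires for challenge values.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# The CA sends a random token; the client knows its own account-key thumbprint.
# The TXT value is base64url(SHA-256("<token>.<thumbprint>")).
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Where the CA looks: _acme-challenge.<name>. For a wildcard *.home.example.com
# the record is _acme-challenge.home.example.com, the same as for the bare name.
dns01_record_name() {
  printf '_acme-challenge.%s' "$(printf '%s' "$1" | sed 's/^\*\.//')"
}

# Stand-in for the CA's DNS query (constructed); real validation asks the
# zone's authoritative servers, so the record must be publicly resolvable.
lookup_txt() {
  printf '%s\n' "$ZONE" | awk -v n="$1" '$1 == n && $2 == "TXT" { print $3 }'
}

# Returns 0 when the published TXT matches what the CA computed, 1 otherwise.
validate_dns01() {
  name="$1"; token="$2"; thumbprint="$3"
  expected="$(dns01_txt_value "$token" "$thumbprint")"
  published="$(lookup_txt "$(dns01_record_name "$name")")"
  [ -n "$published" ] && [ "$published" = "$expected" ]
}

# certbot with the Route53 plugin (real flags): apex + wildcard in one cert.
# Other providers use --dns-<provider> plus a credentials file for their API.
certbot_wildcard_cmd() {
  printf 'certbot certonly --dns-route53 --preferred-challenges dns -d %s -d "*.%s"\n' "$1" "$1"
}

case "${1:-}" in
  demo)
    # token and thumbprint values are constructed for the demo
    TOKEN="evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtAt0r6Q0"
    THUMB="9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
    ZONE="$(dns01_record_name '*.home.example.com') TXT $(dns01_txt_value "$TOKEN" "$THUMB")"
    validate_dns01 '*.home.example.com' "$TOKEN" "$THUMB" && echo "DNS-01 would pass"
    certbot_wildcard_cmd home.example.com ;;
esac
```

The point the reply makes is visible in `dns01_record_name`: the CA never connects to your server, it only reads a TXT record, so port 80 can stay closed and the A record can even point at a private address. The certbot plugin automates publishing and removing that TXT record through the provider's API.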
I’m using the Cloudflare tunnel. That way I don’t have to deal with any certificate.
That is the right thing, I use the same.
DuckDNS provides you with xxx.duckdns.org for free and gives you the ability to generate wildcard certificates. What I suggest you do is
1. Either (a) host VW locally only, or (b) host it so that it is accessible only with VPN.
2. In DuckDNS set the IP to the local IP that VW is being hosted on (i.e. 192.168.1.20) or the VPN IP.
3. Use Traefik or NPM (or any other reverse proxy) to generate a wildcard certificate with DNS challenge.
4. Use Traefik or NPM to point on your device to the port VW is accessible on.
If you never set up Traefik I suggest you use Nginx Proxy Manager, it’s waaaay easier to set up, especially if you don’t need the flexibility of Traefik.
I tried NPM and it’s good for simple things…however with anything complex you actually have to know nginx pretty well, at which point I’d just use the swag container. I agree Traefik is much more complex to learn initially…like I struggled for days until finally a lightbulb went on and I kind of figured it out. It would be tough to start out with Traefik without some background configuring a different reverse proxy. A lot of users swear by Caddy for its ease of use, but then again it doesn’t provide a GUI. I do really enjoy Traefik’s dashboard to verify the configuration is set appropriately, however.
Your router is exposed to the public internet as long as it gets a public IP address. A domain is just an easy-to-remember alias for an IP. Setting a strong policy on the router will protect your local network in most scenarios.
What I did on self hosting is:
- Purchase a domain, add a record pointing to my router’s public IP.
- Expose ports for non-sensitive or authentication-capable applications on the home server. Those apps can be accessed from anywhere using the public domain directly in the browser.
- Deploy an OpenVPN server on the home server, generate SSL certificates, install the OpenVPN client and import the certificates on my devices. Then set a series of policies on the router so that data packets from OpenVPN’s subnet can be routed to the home server on certain ports. Whenever a sensitive app or an app without a login portal needs to be accessed (from the public internet), just start the OpenVPN client first.
- Make sure some critical apps can only be accessed from the local network, not even from OpenVPN’s subnet, such as the router’s portal.
If you’re bothered by tweaking the config on your router, you could also use Cloudflare’s tunnel and manually add a second-level domain record for each service, if there are not many.
Besides, I use Caddy to auto regenerate Let’s Encrypt’s certificate. By default it requires that port 80 of your network is accessible, not blocked by the ISP. Or you can use DNS verification in Let’s Encrypt’s config, just provide your domain provider’s API credential to it.
If you don’t want to buy a domain I recommend you use nip.io as a temporary option
https://drfrankenstein.co.uk/2023/05/20/vaultwarden-bitwarden-in-container-manager-on-a-synology-nas/ is a great guide if you have Synology
I see many people advocating for a publicly trusted cert, but if you want to get some practice using privately signed certs it is also an option. Many companies have private CAs so you might as well get in some practice.
Technically, you don’t need a domain or a Cloudflare tunnel. You do however need to make sure the certificate you generate and the name you use to connect to you. You will need to add the local authority as a trusted root if you do not obtain publicly trusted certificates.
Reverse proxies like Caddy can also act as their own CA. It also makes it easy to configure the name. As long as you add it as a trust root to your clients, any certificate generated by Caddy will be trusted by the client.
This way, you don’t need an external domain name.
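The Caddy approach from this reply as an added example (not from the thread or the Caddy project): a Caddyfile with `tls internal`, so Caddy mints and renews the server cert from its own local CA, and the step of exporting that CA's root to a client. It assumes the name vaultwarden.local, Vaultwarden on 127.0.0.1:8080, Caddy running as a normal user (so its data directory is ~/.local/share/caddy), and a Debian-style client trust store.

```shell
#!/bin/sh
# Added example: Caddy as the private CA for a LAN-only Vaultwarden.
set -eu

NAME="${NAME:-vaultwarden.local}"          # assumed hostname (no public domain needed)
UPSTREAM="${UPSTREAM:-127.0.0.1:8080}"     # assumed Vaultwarden listen address
CADDYFILE="${CADDYFILE:-./Caddyfile}"
CADDY_DATA="${CADDY_DATA:-${HOME:-/root}/.local/share/caddy}"  # Caddy's default data dir for a user

# 'tls internal' means no ACME and no public DNS: Caddy issues the cert from its
# own root and renews it itself. Caddy also answers on :80 and redirects to HTTPS.
write_caddyfile() {
  cat > "$CADDYFILE" <<EOF
https://$NAME {
    tls internal
    reverse_proxy $UPSTREAM
}
EOF
}

# Validate before reloading. 'caddy validate' is the real subcommand; when caddy
# is not installed, fall back to checking the directive is present.
check_caddyfile() {
  if command -v caddy >/dev/null 2>&1; then
    caddy validate --config "$CADDYFILE" --adapter caddyfile
  else
    grep -q 'tls internal' "$CADDYFILE"
  fi
}

# The root every client must trust. Caddy writes it on first start under its
# data directory (path is the documented default; treat it as an assumption
# if you changed XDG_DATA_HOME or run Caddy as a service user).
root_cert_path() { printf '%s/pki/authorities/local/root.crt\n' "$CADDY_DATA"; }

# Import the root on a Debian/Ubuntu client; other OSes and browsers have
# their own import step. Only root.crt leaves the server, never root.key.
install_root_on_debian_client() {
  root="$(root_cert_path)"
  [ -f "$root" ] || { echo "start caddy once first: $root is missing" >&2; return 1; }
  sudo cp "$root" /usr/local/share/ca-certificates/caddy-local-root.crt
  sudo update-ca-certificates
}

case "${1:-}" in
  setup) write_caddyfile && check_caddyfile && echo "Caddyfile OK; root CA will be at $(root_cert_path)" ;;
esac
```

On the machine running Caddy, `caddy trust` does the same import into the local trust store; for phones and other clients, copy root.crt over and install it as a CA. Pair this with a DNS override on the router (or a hosts entry) so vaultwarden.local resolves to the server's LAN address.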
- Buy some cheap domain
- Point an A record to the private IP of your Bitwarden server
- Get your LE certificate with DNS challenge
Can try DuckDNS