Self-Hosting Local-Only Vaultwarden

Hey there.
I am looking at switching either to the free Bitwarden account or self-hosting a Vaultwarden instance on my Unraid server.

Despite the good rep of Bitwarden and how secure they are known to be, I deeply distrust the idea of putting any info in the cloud, especially passwords, hence I don’t want to use Bitwarden.

I’d like to run a local-only version of Vaultwarden and sync to the devices only on LAN, as this is pretty much all that I need.

Can I ignore the HTTPS setup for Vaultwarden and simply use HTTP, or is it bad even for local-only access?
If it is far from ideal, could you please point me in the direction of the simplest local-only setup?

Would really appreciate any input since this is stretching my understanding of self hosting into uncomfy areas.

1 Like

Local HTTP would be as safe as your local network is, as far as I understand. If no one is snooping locally it is fine, otherwise not so.

Bitwarden/Vaultwarden use client-side encryption, so even if HTTP gets snooped there should not be any critical info leaked. The same applies if the server gets hacked. Of course, the encryption is only as strong as your master password!

I have been using Vaultwarden self-hosted for a couple of months and I’m happy so far. Mine is behind a WireGuard VPN on my home server. I have HTTPS via Traefik, which is not too difficult to set up.

1 Like

I’d strongly suggest using HTTPS. You can either use self-signed, or a Let’s Encrypt cert using DNS authentication (which requires owning a public domain name). And yes, you can use a private domain internally, while publishing DNS challenges publicly.

If using a self-signed cert, you can add it to be trusted by Bitwarden clients manually: Certificate Options | Bitwarden Help Center

Though looking at that last page, it sounds like HTTPS may be required after all (required if using the Bitwarden client at least; Vaultwarden can also be used through a web browser directly): "If you opt to use no certificate, you must front your installation with a proxy that serves Bitwarden over SSL. This is because Bitwarden requires HTTPS; trying to use Bitwarden without the HTTPS protocol will trigger errors."

3 Likes
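The "front your installation with a proxy that serves over SSL" route from the post above, as an added example that is not from the thread or from the Vaultwarden project: a minimal local-only Compose stack where Caddy terminates HTTPS with its built-in private CA (`tls internal`), so no public domain or Let's Encrypt account is needed. Assumed: the hostname `vault.home.lan` resolves on the LAN (hosts file or local DNS), and a Docker Compose version that supports inline `configs: content:` (2.23.1 or later).

```yaml
# Added example (not from the thread or the Vaultwarden project): local-only
# Vaultwarden behind Caddy, HTTPS issued by Caddy's private CA ("tls internal").
# Assumed: vault.home.lan resolves on the LAN; Compose >= 2.23.1 for inline configs.
services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      # Must match the URL the clients use, including the https scheme.
      DOMAIN: "https://vault.home.lan"
      # Close self-registration once your own account exists.
      SIGNUPS_ALLOWED: "false"
    volumes:
      - ./vw-data:/data
    # No "ports:" entry on purpose: only Caddy can reach the plain-HTTP port 80,
    # so the unencrypted hop never leaves the Docker network.

  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      # Keeps the generated private CA and server certificate across restarts.
      - ./caddy-data:/data
      - ./caddy-config:/config

configs:
  caddyfile:
    content: |
      vault.home.lan {
          # Issue the server certificate from Caddy's local CA instead of ACME.
          tls internal
          reverse_proxy vaultwarden:80
      }
```

The CA root Caddy generates (assumed path `./caddy-data/caddy/pki/authorities/local/root.crt`) is what you import into each device's trust store, as the Bitwarden help page linked above describes for self-signed certificates; until then the clients will reject the connection.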

I have performed this type of work for a client in the past. I utilized a Docker container via Docker Desktop on a Windows 10 machine to get this accomplished. In order to use the applications you HAVE to have a valid SSL certificate (as @cowphrase said). If you run Tailscale and don’t open it up to anywhere else, that’s a quick and easy way to get yourself a certificate without having to go with Let’s Encrypt and have a domain name. There are easy ways to do this of course, but I am not savvy of those to be completely honest.

This would be a great write-up though after everything is all said and done. It will also help you have a “lessons learned” review and gives you something to look back on!

1 Like

Wow that’s an interesting feature I hadn’t seen before. Enabling HTTPS · Tailscale Docs

1 Like

For anyone coming across this later on: I personally ended up using KeePassXC and only local sync with Syncthing. Works like a charm, straightforward setup.

Can highly recommend.