I've been looking into this for hours today, trying out guides for running Vaultwarden on my NAS using Docker, and ending up just testing Bitwarden on their own servers. This is so well timed - thanks!
I've watched so many videos for self hosted servers, but never found anything that walks through the ways or Best ways to access these outside of my home.
Bitwarden was so easy to setup I was left wondering if I had missed something. LOL But it works great. Open source, free, and can be self-hosted. Just fantastic!
Very timely with the Last Pass disaster in the news. Not that Bitwarden is as careless as Last Pass, but it's always worth considering self-hosting options.
I didn’t realize there was a debate with Vaultwarden. I’m self hosting Vaultwarden on my Synology (which was much easier to setup then what was in this video). I setup 2FA, used admin page to block new signups, firewall setup etc. I feel pretty good about the security for personal use, but I’ll have to do some research on what Tom mentioned at 13:00.
There is literally no research to be done. Vaultwarden does not have a company attached to pay for commercial auditors to audit their code. The API is the same, however, so the API audits apply to both.
I switched to Self-Hosted Bitwarden over a year ago, and with everything happening with LastPass, I'm glad I did. It just works. Setup with Let's Encrypt, and behind the firewall (VPN). Simple, and secure.
This is one of the best things I've ever done. Even my wife loves it. Running it in a VM on my Hyper-V. Works perfect. But I wish I could upload my cards as .jpg
My fault for not reading FAQs but I remember sitting down and doing trial & error just to setup Bitwarden on Docker, setting up a reverse proxy config, etc. to discover that self-hosting Bitwarden does not unlock the paid features. So, I ended up installing Keeweb onto my existing Nextcloud instance. Been using ever since.
If you do the following, you're still good even if the cloud-based crypt is hacked. Don't store the entire passwords. Use the auto-generated strong passwords for storage in the crypt, BUT and some secret characters e.g., to the end of all passwords but don't store these in Bitwarden. So once the password is auto-filled add your secret characters them login. For a stored password like "stored-password" the actual password might be "stored-passwordBOB"
@@andrewbunch8973 as a software engineer, having the transparency of open source, i do trust it, because with LastPass they hide everything :( Plus our cyber security team had a huge look at their code before migrating from lastpass. Because one thing that needs to be clear if someone finds the hash for your vault passwords, depending on the hashing algorithm it will take a attacker more than his life to find a matching hash....thats why i trust them :0
@@martinlutherkingjr.5582so delete your RUclips account then, and instagram, delete everything cause you’re giving your passwords to a stranger, Bitwarden is the best program ever made to me since I always use a different password on every site so I keep forgetting them
Great video!! Thanks. Can you provide more information on the configuration if we would like to access it internally with a DNS name? And also more information about the certificate, proxy and other components required that you are using? I would like to setup and make it available only internally. I suppose that it would work even on the road and that devices would sync when coming back.
Used to run bitwarden-rs on the Synology with Docker behind HA-proxy on pfsense. Recently made a change to vaultwarden on a Proxmox VM getting access via Cloudlfare Tunnels. No more port forwards with HA-proxy. Easy certificate handling amongst other things. Am I cheap? yes. Do I trust the vaultwarden image? yes. Do I trust Cloudflare? yes. Are they 3rd parties? yes. Isn't just about everything a 3rd party? yes. Where can you really draw the line on "trust"? Just because it had a code review? GMAB
Trust should be based on the value of the data. If a compromise could mean the end of your own business as well as the businesses you manage, leading to litigation and other consequences then a verified source with an external audit is well worth the extra money / effort when possible.
@@metal-beard The CF tunnel, by itself, is security by obscurity. As it is a CNAME record, one would need to know the FQDN of the self-hosted service to get there as it is not accessible by the ISP provided public IP address. CF also does not publish the CNAME records to the public. Even if you knew the CF target of the CNAME record, you cannot access the resource from the target name. CF also blocks bad actors from creating a new CNAME record of your resource to prevent spoofing.
I set mine up with cloudflare zero trust. Super easy to set up and it handles all ssl certificates. You can even have multifactor authentication to even access the site for extra security
What was the point of making the bitwarden user and then not executing the shell script within that users directory? At least that's what Bitwardens own documentation says to do. I know it doesn't make a difference to you, but for people watching and copying you directly, they will miss the step to switch to the bitwarden user and run the shell scripts in that service accounts directory. Ultimately, not the end of the world but for consistency and management it does matter.
What's the advantage of installing Bitwarden on bare metal than, as example, Docker? I've switched from Proxmox back to ESXi and this would be a perfect LXC container case, but yeah :)
Looks nice, I did consider waiting to make this video until that version is our of beta, but I have a feeling people don't want to wait. Also, this version has a long history of working well.
Saw the news of Bitwarden unified yesterday and thought, i will wait until tom will make a video about it, then i saw your video about bitwarden today and was kind of surprised that’s related to the „old“ method.
Been testing it for some time now, there are some blocking issues at the moment, but nothing that cannot be fixed. When it's released this should be a mayor improvement when run without mssql.
One nitpick: I personally don't like how you suggested that vaultwarden "didn't write the code", they did write their own server backend. From Scratch.
@@kjeldschouten-lebbing6260you don’t know how well their code was written. It’s not gone under audits like bitwarden so it’s fair to seer clear of it in a production environment or if your are very security conscious.
Been testing it for some time now, there are some blocking issues at the moment, but nothing that cannot be fixed. When it's released this should be a mayor improvement when run without mssql.
@@feo786 insanely memory inefficient, also running a MariaDB instance that already serves dozens of other systems and is offsite replicated and backed up.
This video put me in the mindset that converting from LastPass to BitWarden is too much trouble last year. Is this actually a lot simpler? Am I fine using their servers rather than my self-hosted setup or should I 100% go self-hosted?
one thing is I don't understand what is the advantage of self-hosted Bitwarden vs having Bitwarden host it on your behalf on Microsoft Azure Cloud. Sidenote I use Bitwarden.
As a nobody you are not going to be a very good target for hacking groups that are focused on hacking companies for big $$$. If you aren't pants on head retarded in terms of your home server security you should be safer than having it in the cloud. Remember that if you don't hold the vault then you don't own the vault.
Reducing the risk of having your vault stolen in the event of an attack vs self-hosting it would have to be a targeted attack. (This is exactly what happened with LastPass)
@@heavy1metalcounterpoint user might not be as good as bitwarden at locking down their environment. An improperly secured environment is what got last pass.
Lol, your video prompted me to lookup bitwarden and then to see "vaultwarden" in the Archlinux software repository. None of these tools do I use in a corporate environment. So for a number of years have been using Keepass, but honestly it's a pain in the butt keeping things smoothly going between just my wife and I through synchronization. We do have a number of attachements, does the $0 cost mean you can't have *any* attachments for personal use? Or, just you don't get to have any encrypted ones? And, if I self-host, does none of that apply at all? I can have my cake and eat it too?
You have an account on Bitwardens site where you buy the licence which has an export option to create a file that you import via the self hosted web interface.
I cannot get this working with the iPhone IOS, SSL Error........... and a browser addon ....... won't connect as not secure type thing. Works fine from website, any fix?
Interesting but a bit too complicated for little old me 😀I have a Synology NAS but it's too small to handle Docker. Can anyone suggest a suitable size NAS that would be adequate for this, or a small home server that could be used as a NAS and to run other services? Thanks!
What is the difference between Lastpass' and Bitwardens servers (NOT self host) in terms of security? Is there actually a difference other than LastPass already having been attacked heavily? With all the things my personal hardware does, I am more comfortable relying on huge datacenters to host my services tbh.
Why is Bitwarden better than putting a KeePass vault file on Cloud Storage? KISS principle seems to apply here, KeePass has served me well for years and I have full control of everything.
For cloud setup would you recommend a vm running bitwarden with only ip access from a reverse proxy. and then that reverse proxy only allows ip access from the vpn ip?
Cloudflare, Cloudflare, Cloudflare, - I love Cloudflare for their FREE ssl wildcard cert along with there domain hosting. And then there is the CloudflareD tunnels and proxying. When used with Authentik I believe that is a great way to self host everything. I am a long time paid subscriber to Bitwarden ($10.00 a year). I have used the self hosting solution but feel safer using their servers. Love your videos and Thank you. :-)
Im getting an error on the installing step after steps 1-7 its saying that on line49 docker: command not found, is there anything I can try to fix this?
If I am not wrong. Vaultwarden is a fork of Bitwarden. They had to change the name because of legal issues on using the same name. But I could be wrong.
Yeah they rebuilt it in rust and doesn’t have the same limitations the normal Bitwarden app does. But, you can use the default Bitwarden apps with the vaultwarden server just the same.
It's not a fork. But yes, the backend is written in Rust. Frontend is 99% from Bitwarden themselves. However encryption happens on client side. So the server never gets/should not get unencrypted confidential data. But I agree with Tom 13:00
Has anything changed recently with the Bitwarden install files? I'm following your steps exactly with the latest version but it doesn't work, I cannot create my acccount, shows an error on the webpage. In the logs i'm getting an error relating to the mssql db login. Using Debian 12. Also it looks like some spaces have been added for the mssql login string for TrustServerCertificate=True and MultipleActiveResultSets=False but removing the spaces didn't resolve my problem.
hes a horrible instructionist, he skips right over the key parts, doesnt actually show how to just shows us just how he did it without showing key steps lmaoo pure garbage
They break out everything in separate containers so only the containers that need to be updated are updated. They have their new version in beta that consolidates the containers so that will be an option soon.
All of that for a handful of users certainly is a bit cumbersome. I can only assume that this is a bit of a facsimile of their production environment where they host a gazillion users. Separating things out like this let's them scale the various bits of the infra more granularly than if everything ran in one native process. For self-hosting, it's definitely overkill. But if the containers are all deployed as separate auto-scaling deployments in kubernetes or something like that, it's probably very cost effective, manageable, and more easily monitored when your usage spikes are in the hundreds of thousands of requests per second.
This version runs 11 containers in the end. You can start with 1 core 2gb and just simply see how it runs... Beautiful thing about VMs, it's easy to add RAM and CPUs..
Hi Tom, I might be a bit late to the subjecta nd I hope you can help, but is there a way to install bitwarden natively without using docker or any other container environment?
Hi, thanx for the video, what i dont understand here, if you setup bitwarden locally and use vpn to be more secure, you cant use the bitwarden outside of your home network?! otherwise you need to build bridge outside each time you want to use bitwarden..?! do you still recommending it this way or am i getting something wrong? do you think it is a bad idea to expose e.g. cloudflare tunnel?
@@TheOGShelbyLee Due to the work involved in testing a password manager I don't know if I will be reviewing it anytime soon. Most of my reviews are products we use all the time.
is there a way not to setup smtp and declare my user/pwd on admin side? im the only one who gonna use this and if i want someone to use it like my wife i will setup an account manually is that possible?
I keep running into an issue where the install script cannot find Docker. (internal error, please report: running "docker.compose" failed: cannot find installed snap "docker" at revision 1458: missing file /snap/docker/1458/meta/snap.yaml) I think it's because I installed Docker natively in Ubuntu and not through Snap. I would uninstall Docker and reinstall it through Snap, but I have my Plex server running on it, and I don't want to rebuild the libraries. Any solution for this?
@@LAWRENCESYSTEMS Thanks for your quick response 😊 I asked because I’m in a mission of removing and avoiding Docker on our servers with the most sensitive / security related data.
Paying for Dashlane at the moment. If I self host this, will this then be completely free for multiple users, or do I still need to pay something for the client's apps or other services?
Nice tutorial but i can't get it to work properly. When i register a new user it gives me an error "an unhandled server error has occurred" Anyone knows what i'm doing wrong?
@@LAWRENCESYSTEMS finally got time to mess around with it. a self hosted bitwarden can be done with a gmail email address you just have to get a app password setup. self signed cert and gmail email i got it all up and running. to make things a little easier a free domain with duckdns works as well. i set one up with duckdns LAN only and with a cloudflare domain LAN only with a gmail email and its working good. so buying a domain and having a smtp email server or whatever is not a need. if your using it for a company or large scale sure probably worth it but a 1-5 person setup for home super easy to do it for free with no smtp or domain stuff.
Non-Docker Install... Hi Tom thx for another great setup-video! Is there any chance to get bitwarden running self-hosted without docker? I'm aware, that there's different dependencies db, nginx, etc. but shouldn't it be possible to set it up manually w/o docker?
@@LAWRENCESYSTEMS but still a nice challenge, riiiiiiiight? lol Thx tho, will keep chipping at it and document it the moment I get it working, but just in case... I mean... ;)
if I set this up on a old laptop connected to power running 24/7, whats the risk of the server going down? Is this a good idea or should I invest in a real server for this project.
Not needed - just backup the database. The client caches a copy of the vault file which eliminates the need for 24/7 uptime. So you'll have plenty of time to spin up a new instance and attach the database in the event of failure.
I just spent the weekend setting up Vaultwarden, CloudFlare, Lets Entrypt and Nignix Proxy on my Unraid box. But you mentioned self signed cert, but then you had an error with the browser plug in due to SSL error. How did you get past the error? I have wireguard on my pfsense router working and with only a few apps on my phone allowed. So I could use self signed cert. How did you get past it or did you?
@David Brown If you are using Cloudflare and Nginx you can use Cloudflare cert to protect your environment instead. I use this in my setup. You can find many videos on RUclips on this. Check the Ibracorp videos.
@@M.4y any good user friendly firewalls that allow easy geo-based ip range blocks? So like only USA ips can even possibly connect or only certain carriers or US states?
And vaultwarden is not audited. You are risking all of your passwords using that docker container. It would be better for you to use Bitwarden unified.
pfsense HA Proxy Video
ruclips.net/video/jpyUm53we-Y/видео.html
Bitwarden install documentation
bitwarden.com/help/install-on-premise-linux/
Bitwarden backup documentation
bitwarden.com/help/backup-on-premise/
I've been looking into this for hours today, trying out guides for running Vaultwarden on my NAS using Docker, and ending up just testing Bitwarden on their own servers. This is so well timed - thanks!
Glad I could help!
I use Vaultwarden with Portainer and nginx proxy. Everything running on a small PC and it was easy to Setup. If you need help I may help you out.
One thing to note and I like better is using cloudflare tunnels (in docker) vs opening ports up in a reverse proxy on my NAS.
@@LAWRENCESYSTEMS any plans of doing a Vaultwarden install video on Scale like this one? You lost me at shell lol
I've watched so many videos for self hosted servers, but never found anything that walks through the ways or Best ways to access these outside of my home.
After seeing your last couple videos on Bitwarden, I’ve switched over to it and am self hosting with the family plan. So far I couldn’t be happier.
Bitwarden was so easy to setup I was left wondering if I had missed something. LOL But it works great.
Open source, free, and can be self-hosted. Just fantastic!
That’s how I feel right now😂
Moved from Lastpass to Bitwarden with thier recent issues. I'm very happy with my transition.
Really loving these new video how-to's. Very useful for people learning and getting into these things. This is one I will follow for sure.
After becoming enthusiastic by your video, I've just installed selfhosted bitwarden. So far it seems well put together. Nice video btw.
Very timely with the Last Pass disaster in the news. Not that Bitwarden is as careless as Last Pass, but it's always worth considering self-hosting options.
I didn’t realize there was a debate with Vaultwarden. I’m self hosting Vaultwarden on my Synology (which was much easier to setup then what was in this video). I setup 2FA, used admin page to block new signups, firewall setup etc. I feel pretty good about the security for personal use, but I’ll have to do some research on what Tom mentioned at 13:00.
There is literally no research to be done.
Vaultwarden does not have a company attached to pay for commercial auditors to audit their code.
The API is the same, however, so the API audits apply to both.
I switched to Self-Hosted Bitwarden over a year ago, and with everything happening with LastPass, I'm glad I did. It just works. Setup with Let's Encrypt, and behind the firewall (VPN). Simple, and secure.
Same here.
This is one of the best things I've ever done. Even my wife loves it. Running it in a VM on my Hyper-V. Works perfect. But I wish I could upload my cards as .jpg
Oh YEAH! Was hoping for a video from TOM with exactly this topic! Thanks kind sir!
You answered all the questions I've been racking up on BitWarden
I am going to work on this for my home and family. This would be a good project to put on my resume.
My fault for not reading FAQs but I remember sitting down and doing trial & error just to setup Bitwarden on Docker, setting up a reverse proxy config, etc. to discover that self-hosting Bitwarden does not unlock the paid features. So, I ended up installing Keeweb onto my existing Nextcloud instance. Been using ever since.
thanks! this video is going to come in handy tomorrow because i will be setting up my home lab tomorrow :)
For $10 a year I'll stick to premium. I trust the people that made it to be more knowledgeable in security than I am.
Given what just happened with last pass do you still think this.
If you do the following, you're still good even if the cloud-based crypt is hacked. Don't store the entire passwords. Use the auto-generated strong passwords for storage in the crypt, BUT and some secret characters e.g., to the end of all passwords but don't store these in Bitwarden. So once the password is auto-filled add your secret characters them login. For a stored password like "stored-password" the actual password might be "stored-passwordBOB"
Great idea, give all your password data to some stranger on the internet.
@@andrewbunch8973 as a software engineer, having the transparency of open source, i do trust it, because with LastPass they hide everything :(
Plus our cyber security team had a huge look at their code before migrating from lastpass. Because one thing that needs to be clear if someone finds the hash for your vault passwords, depending on the hashing algorithm it will take a attacker more than his life to find a matching hash....thats why i trust them :0
@@martinlutherkingjr.5582so delete your RUclips account then, and instagram, delete everything cause you’re giving your passwords to a stranger, Bitwarden is the best program ever made to me since I always use a different password on every site so I keep forgetting them
Great video!! Thanks. Can you provide more information on the configuration if we would like to access it internally with a DNS name? And also more information about the certificate, proxy and other components required that you are using? I would like to setup and make it available only internally. I suppose that it would work even on the road and that devices would sync when coming back.
liked! thanks tom. currently using keepass with syncthing, but gonna switch to self hosted bitwarden eventually.
I'd be damn!! I was just talking about this at work and bam here you are making a video!? You are even more powerful than Amazon,Alphabet or Meta 😂
Used to run bitwarden-rs on the Synology with Docker behind HA-proxy on pfsense. Recently made a change to vaultwarden on a Proxmox VM getting access via Cloudlfare Tunnels. No more port forwards with HA-proxy. Easy certificate handling amongst other things. Am I cheap? yes. Do I trust the vaultwarden image? yes. Do I trust Cloudflare? yes. Are they 3rd parties? yes. Isn't just about everything a 3rd party? yes. Where can you really draw the line on "trust"? Just because it had a code review? GMAB
Trust should be based on the value of the data. If a compromise could mean the end of your own business as well as the businesses you manage, leading to litigation and other consequences then a verified source with an external audit is well worth the extra money / effort when possible.
how do you limit people from going to your CF Tunnel address?
@@metal-beard The CF tunnel, by itself, is security by obscurity. As it is a CNAME record, one would need to know the FQDN of the self-hosted service to get there as it is not accessible by the ISP provided public IP address. CF also does not publish the CNAME records to the public. Even if you knew the CF target of the CNAME record, you cannot access the resource from the target name. CF also blocks bad actors from creating a new CNAME record of your resource to prevent spoofing.
Would love to see you making a video with a reverse Proxy
I set mine up with cloudflare zero trust. Super easy to set up and it handles all ssl certificates. You can even have multifactor authentication to even access the site for extra security
how do you put multifactor auth on it?
@@metal-beard In zero trust, under Access and Applications. I have it only allow certain emails to receive a one time code
Awesome! Exactly what I was looking for!
Yes, we are busy and a lot of things we need installed we will likely contract with you.
i was hoping to see vaultwarden here ;]
Funny that I literally did this yesterday then see your video today.
You should do a video on Docker-Mailserver (direct Docker name)
Great video Tom! I'm left wondering though. Is there no way to configure email verification with gmail?
Google is retiring (or may have retired already) the feature that would allow that.
What was the point of making the bitwarden user and then not executing the shell script within that users directory? At least that's what Bitwardens own documentation says to do. I know it doesn't make a difference to you, but for people watching and copying you directly, they will miss the step to switch to the bitwarden user and run the shell scripts in that service accounts directory. Ultimately, not the end of the world but for consistency and management it does matter.
Fair point
@@LAWRENCESYSTEMS you see you just did what you want not what made sense for a how to video lmaooooo garbage
What's the advantage of installing Bitwarden on bare metal than, as example, Docker? I've switched from Proxmox back to ESXi and this would be a perfect LXC container case, but yeah :)
How big is your installation in terms of passwords stored, shared collections and number of users? What are the scale up/out options?
A fresh install is about 152M and our production system with 8 users and a few thousand passwords is about 1G, but the backups are about 31M.
Thanks for the nice walkthrough... Interested in your thoughts on the new Bitwarden Unified which has just been released into Beta
Looks nice, I did consider waiting to make this video until that version is our of beta, but I have a feeling people don't want to wait. Also, this version has a long history of working well.
Saw the news of Bitwarden unified yesterday and thought, i will wait until tom will make a video about it, then i saw your video about bitwarden today and was kind of surprised that’s related to the „old“ method.
Been testing it for some time now, there are some blocking issues at the moment, but nothing that cannot be fixed. When it's released this should be a mayor improvement when run without mssql.
who's here from lastpass? don't forget to change your passwords!
One nitpick:
I personally don't like how you suggested that vaultwarden "didn't write the code", they did write their own server backend. From Scratch.
Yes, but they didn't write the front end
@@LAWRENCESYSTEMS That's fair, but the way it was placed made it sound too much like "they just stole the code and rebranded"...
@@kjeldschouten-lebbing6260you don’t know how well their code was written. It’s not gone under audits like bitwarden so it’s fair to seer clear of it in a production environment or if your are very security conscious.
I was wondering if you have a guide to install BitWarden on TrueNAS Scale?
Thank you!!
What's everyones opinion on deploying Bitwarden selfhosted using the "Unified (Beta)" option?
I have not tested it yet, I was going to wait until it's out of beta.
It changes the docker setup but the webapp is the same. Adds support for more external DB servers other than M$ SQL, which is a big plus.
Been testing it for some time now, there are some blocking issues at the moment, but nothing that cannot be fixed. When it's released this should be a mayor improvement when run without mssql.
@@dasGieltjE what's the issue with MSSQL?
@@feo786 insanely memory inefficient, also running a MariaDB instance that already serves dozens of other systems and is offsite replicated and backed up.
This video put me in the mindset that converting from LastPass to BitWarden is too much trouble last year. Is this actually a lot simpler? Am I fine using their servers rather than my self-hosted setup or should I 100% go self-hosted?
For just one person, using self hosted does not make a lot of sense so just use their servers.
@@LAWRENCESYSTEMS thanks!
It'd be for me, my kids, wife, and other relatives, but it's easier to just do the online account. Is it secure?
@@Saturn2888Yes, they do a good job with security
Hello! thnx for your video! helpfull! but how can i startup bitwarten automacaly on boot start?
Using vaultwarden (not bitwarden!) on an internal docker through cloudflare tunnel with cloudflare certificates!
one thing is I don't understand what is the advantage of self-hosted Bitwarden vs having Bitwarden host it on your behalf on Microsoft Azure Cloud. Sidenote I use Bitwarden.
As a nobody you are not going to be a very good target for hacking groups that are focused on hacking companies for big $$$. If you aren't pants on head retarded in terms of your home server security you should be safer than having it in the cloud. Remember that if you don't hold the vault then you don't own the vault.
Reducing the risk of having your vault stolen in the event of an attack vs self-hosting it would have to be a targeted attack. (This is exactly what happened with LastPass)
@@heavy1metalcounterpoint user might not be as good as bitwarden at locking down their environment. An improperly secured environment is what got last pass.
Lol, your video prompted me to lookup bitwarden and then to see "vaultwarden" in the Archlinux software repository.
None of these tools do I use in a corporate environment. So for a number of years have been using Keepass, but honestly it's a pain in the butt keeping things smoothly going between just my wife and I through synchronization. We do have a number of attachements, does the $0 cost mean you can't have *any* attachments for personal use? Or, just you don't get to have any encrypted ones? And, if I self-host, does none of that apply at all? I can have my cake and eat it too?
Great! Can you complete with the firewall rulles to secure the vm? You are awesome!!!!!
The only port needed if 443
How would I connect an enterprise license to the self hosted server? I didn't quite understand.
You have an account on Bitwardens site where you buy the licence which has an export option to create a file that you import via the self hosted web interface.
I cannot get this working with the iPhone IOS, SSL Error........... and a browser addon ....... won't connect as not secure type thing. Works fine from website, any fix?
You need a reverse proxy
If people do self host where do they store backup of the password file? Cloud? Ummmmm??
Where do you store your backup passwords as your cannot store them in bitwarden, chicken and egg situation
Interesting but a bit too complicated for little old me 😀I have a Synology NAS but it's too small to handle Docker. Can anyone suggest a suitable size NAS that would be adequate for this, or a small home server that could be used as a NAS and to run other services? Thanks!
Any good option for this one truenas scale? Or just use a VM?
I have not tested this on scale
hello Tom, I get a 522 error . is there any step that we may need to do in PFSENSE to fix this issue
What is the difference between Lastpass' and Bitwardens servers (NOT self host) in terms of security? Is there actually a difference other than LastPass already having been attacked heavily? With all the things my personal hardware does, I am more comfortable relying on huge datacenters to host my services tbh.
Why is Bitwarden better than putting a KeePass vault file on Cloud Storage? KISS principle seems to apply here, KeePass has served me well for years and I have full control of everything.
I am working on a video to cover this very common question, but the short answer is scalability with larger teams. For single users, KeePass is fine.
I love you that you can self-host bitwarden. But Bitwarden is one of the few services out there that I DON't want to self-host and pay someone else :)
From a newbie, can this process be done within a Docker container?
These instructions are for using docker.
For cloud setup would you recommend a vm running bitwarden with only ip access from a reverse proxy. and then that reverse proxy only allows ip access from the vpn ip?
Cloudflare, Cloudflare, Cloudflare, - I love Cloudflare for their FREE ssl wildcard cert along with there domain hosting. And then there is the CloudflareD tunnels and proxying. When used with Authentik I believe that is a great way to self host everything. I am a long time paid subscriber to Bitwarden ($10.00 a year). I have used the self hosting solution but feel safer using their servers. Love your videos and Thank you. :-)
Can we use Authentik with CFd tunnels?
@@metal-beard I am currently using it with NPM on my PI. Love it
Im getting an error on the installing step after steps 1-7 its saying that on line49 docker: command not found, is there anything I can try to fix this?
If I am not wrong. Vaultwarden is a fork of Bitwarden. They had to change the name because of legal issues on using the same name. But I could be wrong.
Yeah they rebuilt it in rust and doesn’t have the same limitations the normal Bitwarden app does. But, you can use the default Bitwarden apps with the vaultwarden server just the same.
It's not a fork. But yes, the backend is written in Rust. Frontend is 99% from Bitwarden themselves.
However encryption happens on client side. So the server never gets/should not get unencrypted confidential data. But I agree with Tom 13:00
Has anything changed recently with the Bitwarden install files? I'm following your steps exactly with the latest version but it doesn't work, I cannot create my acccount, shows an error on the webpage. In the logs i'm getting an error relating to the mssql db login. Using Debian 12. Also it looks like some spaces have been added for the mssql login string for TrustServerCertificate=True and MultipleActiveResultSets=False but removing the spaces didn't resolve my problem.
You skipped over the installation of Docker at the beginning. Without Docker installed, the install script for Bitwarden won't run.
hes a horrible instructionist, he skips right over the key parts, doesnt actually show how to just shows us just how he did it without showing key steps lmaoo pure garbage
Their docker setup really feels over engineered, what was it? 13 containers?
They break out everything in separate containers so only the containers that need to be updated are updated. They have their new version in beta that consolidates the containers so that will be an option soon.
@@LAWRENCESYSTEMS I hadn't heard about a consolidated setup, looking forward to that then!
All of that for a handful of users certainly is a bit cumbersome. I can only assume that this is a bit of a facsimile of their production environment where they host a gazillion users. Separating things out like this let's them scale the various bits of the infra more granularly than if everything ran in one native process. For self-hosting, it's definitely overkill. But if the containers are all deployed as separate auto-scaling deployments in kubernetes or something like that, it's probably very cost effective, manageable, and more easily monitored when your usage spikes are in the hundreds of thousands of requests per second.
13 microservices :--) The way of the future, monolithic apps or microsevices AKA containers.. The way of the future, embrace
@@richardbillington3185 I run all my apps in containers, but 13 is pushing it toooo far
How many containers does this deploy? Is it worth putting on a 2 core 4 gb VM or on my container host (much larger)
Really depends on the amount of users. If it’s just you, 2core, 2gb is working fine for me. 2GB ram minimum or MSSQL won’t work properly.
This version runs 11 containers in the end. You can start with 1 core 2gb and just simply see how it runs... Beautiful thing about VMs, it's easy to add RAM and CPUs..
How do you make the android app work with a self signed certificate without a fqdn but instead an ip address...
you don't
Hi, how can I create the tunnel without having the port?
I checked in the portainer and no ports are being generated!
Thanks 🍻
The Cloudflare tunnels connect to the other services running on your network or in docker.
any alternatives to using docker? all docs I have found says to use docker but I do not want to
They have all the source available but I don't have a guide on it. The use Docker to make service delivery simple.
Hi Tom, I might be a bit late to the subjecta nd I hope you can help, but is there a way to install bitwarden natively without using docker or any other container environment?
I don't have a tutorial but you could grab all the source and build it manually.
Is it advisable to use bitwarden/vaultwarden for a large organization with around 1000 employees?
Bitwarden yes, but Vaultwarden I don't use.
Hi, thanx for the video, what i dont understand here, if you setup bitwarden locally and use vpn to be more secure, you cant use the bitwarden outside of your home network?! otherwise you need to build bridge outside each time you want to use bitwarden..?! do you still recommending it this way or am i getting something wrong? do you think it is a bad idea to expose e.g. cloudflare tunnel?
I prefer to keep my Bitwarden instance behind a VPN but you can expose it directly or via a reverse proxy such as Cloudflare tunnel.
@@LAWRENCESYSTEMS will you be able to use it from outside your network? you will need to use the same vpn(network)?!
@@ismailuwair187I use a VPN to use it outside my network.
Have you ever looked into passbolt as a self-hosted solution?
I have not and I have only seen sponsored reviews of it so not really sure how good it is.
@@LAWRENCESYSTEMS it'd be interesting to get your perspective!
@@TheOGShelbyLee Due to the work involved in testing a password manager I don't know if I will be reviewing it anytime soon. Most of my reviews are products we use all the time.
I'm using Vaultwarden 😀
is there a way not to setup smtp and declare my user/pwd on admin side? im the only one who gonna use this and if i want someone to use it like my wife i will setup an account manually is that possible?
nope
I keep running into an issue where the install script cannot find Docker. (internal error, please report: running "docker.compose" failed: cannot find installed snap "docker" at revision 1458: missing file /snap/docker/1458/meta/snap.yaml) I think it's because I installed Docker natively in Ubuntu and not through Snap.
I would uninstall Docker and reinstall it through Snap, but I have my Plex server running on it, and I don't want to rebuild the libraries.
Any solution for this?
I have not done any testing using it with snaps.
@@LAWRENCESYSTEMS I haven't either. I wonder it isn't picking up my Docker instance.
Thanks
Do you have any info on installing a self hosted password manager without involving Docker?
No
@@LAWRENCESYSTEMS Thanks for your quick response 😊 I asked because I’m in a mission of removing and avoiding Docker on our servers with the most sensitive / security related data.
Paying for Dashlane at the moment. If I self host this, will this then be completely free for multiple users, or do I still need to pay something for the client's apps or other services?
bitwarden.com/pricing/
Nice tutorial but i can't get it to work properly.
When i register a new user it gives me an error "an unhandled server error has occurred"
Anyone knows what i'm doing wrong?
China
im confused on the domain stuff, do i have to buy a domain/website name? i want to host on a raspberry pi. can i just use the ip address of the pi?
You have to have a working email which requires a domain.
@@LAWRENCESYSTEMS finally got time to mess around with it. a self hosted bitwarden can be done with a gmail email address you just have to get a app password setup. self signed cert and gmail email i got it all up and running. to make things a little easier a free domain with duckdns works as well. i set one up with duckdns LAN only and with a cloudflare domain LAN only with a gmail email and its working good. so buying a domain and having a smtp email server or whatever is not a need. if your using it for a company or large scale sure probably worth it but a 1-5 person setup for home super easy to do it for free with no smtp or domain stuff.
Vaultwarden - this is the way.
(╯°□°)╯︵ [_]|| nope, Bitwarden is the way to go.
Yep, combined with CloudFlare Tunnel, you can get an SSL cert in seconds with no port forwarding or reverse proxy
But then you are relying on Cloudflare to handle things.
@@arubial1229 agree to Tom here. It depends on how much you trust Cloudflare and its tunnel in transmitting your data.
Non-Docker Install...
Hi Tom
thx for another great setup-video!
Is there any chance to get bitwarden running self-hosted without docker?
I'm aware, that there's different dependencies db, nginx, etc. but shouldn't it be possible to set it up manually w/o docker?
Not that I know of
Just wondering, what shell and theme are you using there?
github.com/lawrencesystems/dotfiles
Hi Tom, any working comments about Windows/Active Directory integration? I am failing miserably at it, thanks
Not a feature we use or plan to use
@@LAWRENCESYSTEMS but still a nice challenge, riiiiiiiight? lol
Thx tho, will keep chipping at it and document it the moment I get it working, but just in case... I mean... ;)
Is there big advantages to self-hosting this versus Bitwarden managed?
Upside you are in control of your data, downside you are fully responsible for managing & securing your data.
@@LAWRENCESYSTEMS thats kinda what I thought.
I'm surprised they're relying on MSSQL though...
if I set this up on a old laptop connected to power running 24/7, whats the risk of the server going down? Is this a good idea or should I invest in a real server for this project.
It's all about your risk tolerance. Most laptops only have one drive so there is not much redundancy.
@@LAWRENCESYSTEMS How often would you expect to preform maintenance on your server. Would a drive failing be a regular occurrence?
It's not a frequent occurrence, just statistically most likely one that should be planned for
Can this be done in the unraid docker apps?
I don't use Unraid but probably.
Any advice on redundancy for 2 instances?
It's not designed to work that way.
Not needed - just backup the database. The client caches a copy of the vault file which eliminates the need for 24/7 uptime. So you'll have plenty of time to spin up a new instance and attach the database in the event of failure.
Thanks both
For self hosting. Vaultwarden > Bitwarden
I prefer to use the back end made by the dev team that made the front end.
I just spent the weekend setting up Vaultwarden, CloudFlare, Lets Entrypt and Nignix Proxy on my Unraid box. But you mentioned self signed cert, but then you had an error with the browser plug in due to SSL error. How did you get past the error? I have wireguard on my pfsense router working and with only a few apps on my phone allowed. So I could use self signed cert. How did you get past it or did you?
He said it himself. Reverse proxy, specifically HA proxy on pfsense.
@@mistakek sorry i must have missed that. I guess I am getting old and can't hear nor see :)
@David Brown If you are using Cloudflare and Nginx you can use Cloudflare cert to protect your environment instead. I use this in my setup. You can find many videos on RUclips on this. Check the Ibracorp videos.
What keyboard are you using in the video?
Anyone know what keyboard is being used?
I already have Bitwarden deployed on it’s own VM, working well.
What are your thoughts on colocating it on a docker host with other services?
I prefer not too
Can non standard ports be used? Or we need to expose 443? Port scanners might find it fast and take interest in my home ip then
Security through obscurity is not advisable. Have a firewall in front OR you could always setup cloudflare in front of your web server.
@@seeingblind2 wouldn’t a firewall close the port and force using vpn to sync?
@@Ultrajamz well you can do a lot with a firewall. You can also ban certain IP-Ranges/allow some public IPs you own.
@@M.4y any good user friendly firewalls that allow easy geo-based ip range blocks? So like only USA ips can even possibly connect or only certain carriers or US states?
I would go with Vaultwarden (based on Bitwarden) instead, why more lightweight! Hope it helps
And vaultwarden is not audited. You are risking all of your passwords using that docker container. It would be better for you to use Bitwarden unified.
Does it run in ARM?
This version does not, but their beta does bitwarden.com/help/install-and-deploy-unified-beta/
@@LAWRENCESYSTEMS thanks Lawrence
I love video's like this but I hate my ISP for videos like this... blocking port 80 and 443 gah.
Try a cloudflare tunnel and see if you can get around that.
@@fourmobro6214 i have never tried that.. I'll look into it.
i need an smtp server?
You need access to a working one.
Why not just use KeePass?
ruclips.net/video/46aiqnEHOVU/видео.html
@@LAWRENCESYSTEMS Haha wow thanks
Docker only right? Why is that?
any suggestions for homelab people that dont have a company smtp email.
www.duocircle.com/email/outbound-smtp
I may have missed it, but is this running on a standalone server or is it running on a VM?
Neither, it's a container which is agnostic of whether or not it's a VM / bare-metal solution. How you host it, is up to you.