Simon Schraeder
Published on

Self-hosting Bitwarden behind Tailscale

It appears like hackers were able to obtain the customer vaults of LastPass customers. I wasn't using LastPass, but, but nevertheless I thought this might be a good reason to move from cloud-based storage of my passwords to my local environment.

Step 0: Setup Tailscale

As I don't want my personal small NAS exposed to the internet, I decided to use Tailscale. I could use my own control server with headscale, but as I need to trust their closed-source GUI clients anyway, I decided to just use Tailscale.

The setup is very easy. I don't want to duplicate the setup instructions, but it basically boils down to installing their software on all related machines. No other configuration needed.

Step 1: Setup DNS

I didn't feel like using the tailscale SSL solution. It is probably very simple, but I wanted my own vanity domain. So I simply added an A record containing the Tailscale IP of my NAS IP.

Step 2: docker-compose.yaml

This docker-compose.yaml was very convenient for me. It is using the lightweight vaultwarden server as opposed to the offical bitwarden server. For me it's good enough and saving resources on my small homeserver is always good.

To use the DNS challenge with Cloudflare, I had to build my own docker image for Caddy. The instructions are simple enough, you just have to combine the Caddy server with a Cloudflare extension.

Step 3: docker-compose up

Very quickly Caddy and vaultwarden started up. The DNS challenge was solved within 30 seconds and my Bitwarden instance was running. Yay.

Using the export feature on and the import feature on my local instance worked very fast and within seconds I had migrated my data.

Step 4: Setting up the Android client

To setup your Android client, you need to sign out and click on the cogwheel on the login page. There you can change the URL of the Bitwarden instance used.