Install Vaultwarden Server on NAT VPS

NATVPS.id – Vaultwarden is a password manager (password manager) open source which can be done independent host to save your own password. Vaultwarden is an implementation servers alternative to Bitwarden written in the Rust programming language, with usage source which is lighter.

This article discusses the steps for installing Vaultwarden on a NAT VPS using Docker Compose, along with NGINX configuration for reverse proxy. This article uses Ubuntu 22.04 as a reference, but you can use other distributions such as Debian and CentOS.

Port Forwarding Configuration

Considering we are using NAT, we need to add 2 port forwarding configurations on the Virtualizor panel (or other VPS panel according to provider), ie HTTP and HTTPS port forwarding for Vaultwarden domains.

For example, this article will use domains password.tutorial.mdinata.my.id to access Vaultwarden. You are free to change the domain according to your choice. Note this domain, because we will use it again in the installation process.

Don’t forget to add a DNS record that goes to your VPS’ NAT public IP, like this:

If you are confused, please read our article regarding domain forwarding here: Explanation of Domain Forwarding in NAT VPS.

Install Docker

We will use Docker and Docker Compose for spread Warehouse Keeper.

First, Install curly using the command:

apt update && apt install curl -y

Then, run it script automatic installation of Docker by entering:

curl -fsSL get.docker.com | sh

Wait until the installation process is complete.

Install Vaultwarden

First, create a new directory for Vaultwarden:

mkdir /opt/vaultwarden
cd /opt/vaultwarden

Then, create a Docker Compose file:

apt install nano -y # Jika belum
nano docker-compose.yml

Fill in the following configuration:

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "
    volumes:
      - ./vw-data/:/data/
    ports:
      - 127.0.0.1:8000:80

Save the file with Ctrl-X, yThen Enter.

Finally, run Vaultwarden:

docker compose up -d

Wait for the process spread finished. The first deployment may take a few minutes due to downloading picture Vaultwarden , as well as configuring it from the beginning.

NGINX (Reverse Proxy) Configuration

Vaultwarden requires an encrypted connection using HTTPS for security password which is saved. So that we can access URLs with HTTPS via domains such as https://password.tutorial.mdinata.my.idwe can use reverse proxy like NGINX.

First, install NGINX via command:

# Hapus Apache2 dan pendukungnya (biasanya terpasang secara bawaan di VPS OpenVZ)
apt purge apache2* -y

# Install NGINX
apt install nginx -y

Create a new host configuration specifically for Vaultwarden:

nano /etc/nginx/sites-available/vaultwarden

Then paste the following configuration:

# 
# Reference: 

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8000;
  keepalive 2;
}

# Needed to support websocket connections
# See: 
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
    listen 80;
    listen [::]:80;
    server_name password.tutorial.mdinata.my.id;

    client_max_body_size 525M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # If you use Cloudflare proxying, replace $remote_addr with $http_cf_connecting_ip
    # See 
    # alternatively use ngx_http_realip_module
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
      proxy_pass 
    }
}

Change password.tutorial.mdinata.my.id with your domain.

Activate the configuration by:

ln -sf /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/

# Restart NGINX
systemctl restart nginx

Generate SSL Certificate (Let’s Encrypt)

In order for our domain to be accessible via HTTPS, we need to create an SSL certificate. We can use a free SSL certificate from Let’s Encrypt via Certbot.

Install Certbot and its NGINX plugin use the command:

apt install python3-certbot python3-certbot-nginx

So, produce certificate via Certbot with command

certbot --nginx -d password.tutorial.mdinata.my.id

Change password.tutorial.mdinata.my.id with your domain.

Happy! Vaultwarden is currently accessible via a secure HTTPS connection.

Access Vaultwarden

Vaultwarden can be accessed via your previous domain. Example: https://password.tutorial.mdinata.my.id. You need to open it to create main accountwhich will be used in Bitwarden.

Click Create an accountthen enter your account information as usual.

If so, you will go to dashboard.

Using Vaultwarden Server on Bitwarden

You need to change the address servers on Bitwarden to the configured Vaultwarden server.

Open the Bitwarden app, however Don’t log in yet.

On Access: bitwarden.com at the bottom, click then change to independent host.

Then enter your Vaultwarden server address.

You will be asked to enter your account. Use the account that was created on Vaultwarden previously.

If so, Bitwarden is ready to use. Happy!

Cover

That’s it for this article about the steps to install Vaultwarden on a NAT VPS.

If you are confused or in doubt, don’t hesitate to ask in the Telegram group @IPv6Indonesia. Thank You!