Install Vaultwarden Password Server on FreeBSD

📅 2022-01-30

What is Vaultwarden

Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with upstream Bitwarden clients. It is perfect for self-hosted use when using the official, resource-intensive service is not ideal.

We can install it as follows:

$: pkg install vaultwarden

Then we copy the sample configuration:

$: cp /usr/local/etc/rc.conf.d/vaultwarden.sample /usr/local/etc/rc.conf.d/vaultwarden

However, before we change our Vaultwarden configuration, we need an admin token, which we can create with the following command:

$: openssl rand -base64 48

We now copy the created token and change the configuration.

Note: If we want to use the web interface, we have to set SIGNUPS_ALLOWED to true. Under ADMIN_TOKEN we paste our copied token. Furthermore, we can change our email server configuration here.

$: nano /usr/local/etc/rc.conf.d/vaultwarden =>

ROCKET_ADDRESS=127.0.0.1
export ROCKET_ADDRESS

ROCKET_PORT=4567 # your port here
export ROCKET_PORT

# ROCKET_TLS='{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
# LOG_FILE='/data/bitwarden.log'

SIGNUPS_ALLOWED='true'
export SIGNUPS_ALLOWED

DOMAIN='https://vaultwarden.<domain>'
export DOMAIN

ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
export ADMIN_TOKEN

SMTP_HOST=localhost
export SMTP_HOST

SMTP_FROM=noreply@localhost
export SMTP_FROM

SMTP_PORT=25
export SMTP_PORT

SMTP_SSL=false
export SMTP_SSL

# SMTP_USERNAME=
# export SMTP_USERNAME

# SMTP_PASSWORD=
# export SMTP_PASSWORD
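
The security-relevant settings in this file can be checked with a short script before the service is started. This is an added example, not part of the original tutorial or of the Vaultwarden project; the function names and the sample values (such as vaultwarden.example.org) are assumptions made for illustration.

```shell
# Added example (not from the tutorial): names and sample values are illustrative.

# conf_get FILE KEY: value of the last uncommented KEY=... line, minus any
# trailing "# comment" and surrounding quotes (assumes values contain no '#').
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^['\"]//" -e "s/['\"]\$//"
}

# audit_vaultwarden_conf FILE: print one WARN line per finding.
audit_vaultwarden_conf() {
    f=$1
    # The file stores ADMIN_TOKEN in clear text, so it must not be world-readable.
    [ -z "$(find "$f" -prune -perm -004)" ] ||
        echo "WARN: $f is world-readable (chmod 600)"

    # `openssl rand -base64 48` yields 64 characters; anything shorter was
    # not generated that way.
    token=$(conf_get "$f" ADMIN_TOKEN)
    if [ -z "$token" ]; then
        echo "WARN: ADMIN_TOKEN is empty"
    elif [ "${#token}" -lt 64 ]; then
        echo "WARN: ADMIN_TOKEN is shorter than 64 characters"
    fi

    # Anything but loopback lets clients bypass the nginx reverse proxy.
    case $(conf_get "$f" ROCKET_ADDRESS) in
        127.0.0.1|::1|localhost) ;;
        *) echo "WARN: ROCKET_ADDRESS is not loopback" ;;
    esac

    # Open signups let anyone who reaches the site register an account.
    [ "$(conf_get "$f" SIGNUPS_ALLOWED)" != true ] ||
        echo "WARN: SIGNUPS_ALLOWED is true; set it to false once accounts exist"

    case $(conf_get "$f" DOMAIN) in
        https://*) ;;
        *) echo "WARN: DOMAIN is not an https:// URL" ;;
    esac
    return 0
}

# Demo on a constructed sample that mirrors the file as configured above.
sample=$(mktemp)
printf '%s\n' 'ROCKET_ADDRESS=127.0.0.1' "SIGNUPS_ALLOWED='true'" \
    "DOMAIN='https://vaultwarden.example.org'" 'ADMIN_TOKEN= # generate one' > "$sample"
chmod 644 "$sample"
audit_vaultwarden_conf "$sample"
rm -f "$sample"
```

On the real system, call `audit_vaultwarden_conf /usr/local/etc/rc.conf.d/vaultwarden`; no output means none of the checks fired.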

Now that we have changed our configuration, we can enable the Vaultwarden service and start it for the first time.

$: service vaultwarden enable
$: service vaultwarden start
$: service vaultwarden status

To be able to use the web interface, we will use nginx as a reverse proxy. To complete this, we first create the nginx configuration:

$: nano /usr/local/etc/nginx/vhosts/vaultwarden.conf =>

server {
    listen 80;

    server_name vaultwarden.<domain>;

    # Allow large attachments
    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:4567;
    }
}

We need another entry in our hosts file:

$: nano /etc/hosts =>

127.0.0.1 vaultwarden.<domain>

Since it’s more secure to deploy Vaultwarden over HTTPS, and we still need Let’s Encrypt certificates for that, we simply run the “certbot” command in our terminal and let it automatically create a certificate for our new domain. You can find more information about this in my nginx tutorial.

Finally, we restart nginx.

$: service nginx restart

Now we can open our freshly installed Vaultwarden service via the web browser.

Vaultwarden screenshot

Here, we can create a new user and manage our passwords securely in the future.

If you followed my Firefox course, you will remember that I briefly introduced the Bitwarden plug-in for Firefox there. In the plug-in settings, we can enter our new Bitwarden URL so that our passwords are securely stored on our hosted service.