This project contains a tutorial to make Vaultwarden work from a home network, allowing it to be used from everywhere. The passwords are backed up into Nextcloud.
- A DDNS (dynamic DNS) service that is allowed to publish your public IP address, for example DuckDNS.
- A router that allows you to expose some ports and forward them to a virtual machine.
- A couple of servers or virtual machines.
This VM contains the Vaultwarden application together with an NGINX that serves it with a self-signed certificate, and a backup container.
- Create a Debian virtual machine.
- Install Docker (see the documentation).
- Copy the files inside `01_vaultwarden` into a folder, for example `/usr/local/vaultwarden`.
- In the `docker-compose.yaml` make sure you are exposing the desired port. To make it harder to be found, use a port different from `443`; in this example `8901` will be used.
- Make a copy of the `.example.env` file as `.env` and configure the parameters there. Some notes:
  - `ADMIN_TOKEN`: this password will be needed to access the admin UI at `https://<ip>/admin`. Generate it (as an Argon2 hash of your password, so the plain password never sits in `.env`) with:

    ```bash
    apt-get install argon2
    echo -n "<MY_SECURE_PASSWORD>" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
    ```

  - `SMTP_PASSWORD`: generate an application password for this application in Google.
  - `BACKUP_PASSWORD`: strong password that will be needed to decrypt the backups.
- Create a self-signed certificate that will allow you to test the configuration in the local network (thanks to):

  ```bash
  cd /usr/local/vaultwarden/nginx/ssl
  openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -subj "/C=<YOUR_COUNTRY>/ST=<YOUR_LOCATION>/L=<YOUR_COMPANY>/O=<YOUR_COMPANY>/OU=Engineering/CN=192.168.178.250" \
    -keyout ca.key -out ca.crt
  openssl genrsa -out "ssl.key" 2048
  openssl req -new -key ssl.key -out ssl.csr -config openssl.conf
  openssl x509 -req -days 3650 -in ssl.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extensions v3_req -extfile openssl.conf -out ssl.crt
  openssl x509 -inform PEM -outform DER -in ssl.crt -out ssl.der.crt
  ```

  - Make sure to use the `openssl.conf`.
  - Make sure to use the correct IP.
  - Download the PEM certificate displayed from the browser.
  - Install it as a CA certificate (not as an app or VPN certificate) on the phone.
  - Make sure to use the
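The commands above read `openssl.conf` twice: with `-config` when building the CSR and with `-extfile`/`-extensions v3_req` when signing it, so the file must carry a `v3_req` section. The following is an added example of such a file, not the one shipped in `01_vaultwarden`. It puts the LAN IP used in the commands above into `subjectAltName`, which is what "make sure to use the correct IP" comes down to: browsers and phones validate the SAN, not the CN alone, so a certificate without it is rejected even after `ca.crt` has been imported. The DN values mirror the placeholders of the `-subj` above.

```ini
# Example openssl.conf for the self-signed server certificate (added example,
# assumed content; replace the placeholders and the IP with your own values).
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
C  = <YOUR_COUNTRY>
ST = <YOUR_LOCATION>
L  = <YOUR_COMPANY>
O  = <YOUR_COMPANY>
OU = Engineering
CN = 192.168.178.250

# Extensions copied into the CSR and, via -extfile/-extensions, into ssl.crt.
# CA:FALSE keeps the leaf certificate from being usable to sign other certificates.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

# The address clients type into the browser; add a DNS.1 entry if you use a name.
[ alt_names ]
IP.1 = 192.168.178.250
```

After signing, `openssl x509 -in ssl.crt -noout -text` should list `X509v3 Subject Alternative Name: IP Address:192.168.178.250`; if it does not, the `-extensions v3_req` argument was not applied.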
- Configure the correct IP for your network in `nginx/nginx.conf`.
- If you don't want to use Nextcloud for backups, create a new configuration using the wizard by executing the following command. Otherwise just edit the file `01_vaultwarden/backup-config/rclone/rclone.conf` to point to your server as suggested in the following step:

  ```bash
  docker run --rm -it \
    -v ./backup-config:/config/ \
    ttionya/vaultwarden-backup:latest \
    rclone config
  ```
- Upload to Nextcloud.
  - Generate an application password from the Nextcloud admin UI.
  - Obscure it with the following command (`rclone obscure` only reversibly obfuscates the value so that it can be stored in `rclone.conf`; it is not encryption, so keep that file private):

    ```bash
    docker run --rm -it \
      ttionya/vaultwarden-backup:latest \
      rclone obscure <YOUR_APPLICATION_PASSWORD>
    ```

  - Add it to the `rclone.conf`.
- Generate a basic firewall for the VM.
  - Install:

    ```bash
    sudo apt-get update
    sudo apt-get install iptables-persistent
    ```

  - Execute rules:

    ```bash
    # Allow established connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Uncomment to allow ICMP
    # iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT  # Allow ICMP
    # Allow SSH only from the local network
    iptables -A INPUT -p tcp -s 192.168.178.0/24,192.168.179.0/24 --dport 22 -j ACCEPT
    # HTTP redirection and Let's Encrypt challenge
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Allow HTTP
    # Application
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # Allow HTTPS
    # Drop everything else
    iptables -A INPUT -j DROP
    ```

    Note that the final rule also drops traffic on the loopback interface; if local services on the VM need it, accept traffic on interface `lo` before the DROP. Ports published by Docker are handled in Docker's own chains, so they are not restricted by these INPUT rules.

  - Save the rules:

    ```bash
    iptables-save > /etc/iptables/rules.v4
    ```

- Start the docker compose with `docker compose up -d`.
This VM has the sole function of acting as a reverse proxy, and of being an added layer between what is exposed to the internet and the data that we want to keep safe. Therefore, if an attacker gains access to the exposed VM, they should not be able to get our data so easily.
- Create a Debian virtual machine.
- Install Docker (see the documentation).
- Copy the files inside `02_nginx` into a folder, for example `/usr/local/nginx`.
- Install `certbot` with:

  ```bash
  apt -y install certbot python3-certbot-apache
  ```

- Run the wizard with:

  ```bash
  certbot certonly --standalone -d <YOUR_DOMAIN>.duckdns.org
  ```

- At the end a path to your certificates should be provided.
- Create a cronjob to renew the certificate:

  ```
  0 12 * * * /usr/bin/certbot renew --quiet
  ```

- Make sure you have your IPs, DNS and certificates in `nginx/nginx.conf` according to your project.
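The reverse-proxy server block that the step above refers to, as an added example rather than the project's own `nginx/nginx.conf`. It assumes the Vaultwarden VM from the first part listens on `https://192.168.178.250:8901` with the self-signed `ssl.crt`, that its `ca.crt` was copied to `/etc/nginx/ssl/ca.crt` on this VM (an assumed path), and that certbot stored the Let's Encrypt certificate under `/etc/letsencrypt/live/<YOUR_DOMAIN>.duckdns.org/` (certbot's default layout). The proxy verifies the backend certificate against our own CA, so a host on the LAN impersonating the vault VM is refused, and it forwards the WebSocket upgrade Vaultwarden uses for live sync. No port-80 server is included because `certbot --standalone` needs that port free when the renewal cron job runs.

```nginx
# Added example reverse-proxy configuration for the second VM (assumed content,
# not the project's nginx/nginx.conf). Replace <YOUR_DOMAIN> and the backend
# address with your own values.
events {}

http {
    server {
        listen 443 ssl;
        server_name <YOUR_DOMAIN>.duckdns.org;

        # Public certificate issued by Let's Encrypt (certbot's default paths)
        ssl_certificate     /etc/letsencrypt/live/<YOUR_DOMAIN>.duckdns.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN>.duckdns.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Vaultwarden attachments and Sends can be large; the nginx default is 1 MB
        client_max_body_size 525M;

        location / {
            # Hop to the vault VM over HTTPS and verify its self-signed certificate
            # against our own CA, so a rogue host on the LAN cannot impersonate it.
            # nginx checks the certificate name against the proxy_pass host
            # (192.168.178.250, the CN the certificate was issued for).
            proxy_pass https://192.168.178.250:8901;
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;

            # Pass the client's address so Vaultwarden logs and rate-limits the real IP
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # WebSocket upgrade for Vaultwarden's live sync notifications
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Run `nginx -t` against the file before restarting the container; a wrong `proxy_ssl_trusted_certificate` path or a backend certificate whose name does not match the `proxy_pass` host shows up there or in the error log as a failed upstream verification rather than as silent plaintext fallback.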
- Generate a basic firewall for the VM.
  - Install:

    ```bash
    sudo apt-get update
    sudo apt-get install iptables-persistent
    ```

  - Execute rules:

    ```bash
    # Allow established connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Make it harder to find by not allowing ICMP (uncomment to allow it)
    # iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT  # Allow ICMP
    # Allow SSH only from the local network
    iptables -A INPUT -p tcp -s 192.168.178.0/24,192.168.179.0/24 --dport 22 -j ACCEPT
    # Let's Encrypt challenge
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Allow HTTP
    # The HTTPS port is exposed by Docker automatically on a different port
    # iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # Allow HTTPS
    # Drop everything else
    iptables -A INPUT -j DROP
    ```
The configuration of Nextcloud is out of the scope of this project.

- You can just start the stack (make sure to back up your backup password and the docker compose configuration).
- Some files will be created in the mapped folder.
- Bring down the stack.
- Extract the backup using the backup password.
- Copy the content of the backup inside the mapped folder and start the stack again.