I self-host Vaultwarden. I'm sure someone will be happy to explain to me how foolish my implementation is, but I'm comfortable with it from a security perspective.
I run it as a Docker instance on my home Synology NAS. This turned out to be pretty easy to do. The only part that was a slight hassle was buying a cert, creating an FQDN and making the DNS entries to get an SSL connection to the NAS. Also, I wish updating to a new version of Vaultwarden was a little more straightforward.
When I am at home, my devices with Bitwarden all sync to the Vaultwarden instance on the NAS without issue.
My router is a Ubiquiti UDMPro. I have an L2TP VPN configured with a shared-secret and user passwords that are ridiculously long and complex. When I'm out and about and need to sync with the NAS from my laptop or mobile device, I activate the VPN and do the sync.
My Ubiquiti account does have 2FA.
I implemented all this when 1Password informed me that in order to continue using their service, my vault would have to be hosted on their server and I would have to pay them every month for the privilege. That was a nonstarter.
I'm sure my router and NAS are not impenetrable, but I don't feel like I'm low-hanging fruit either. And if someone went to the trouble of breaking in, their reward would be one guy's vault and not the vaults of millions of customers. I'm hoping that makes me a less attractive target. Of course the vault itself has a very long and complex password as well.
This is working out quite well for me so far, knock on wood.
I have a very similar self-hosted Vaultwarden set up, for the same reasons.
My other concern, which may be unfounded, is that Vaultwarden [1], which is an unofficial Rust rewrite, may also be developed to different, or lesser, security standards than the official client. However, I don't have any real reasons to suspect this.
Agreed. I know I'm taking it on faith that this implementation is robust and secure when it might not be. However, I feel okay about it knowing that it would be very difficult for anyone other than me to access this Docker instance in the first place. And if I'm outside my home network, I'm interacting with it via the VPN.
> Note that Synology DSM has built-in Let's Encrypt support
Yes... I tried going down that route. In my scenario, I'm accessing the NAS via its internal IP, which is in an RFC1918 subnet. Let's Encrypt insists that you use a globally routable IP. If I used the public IP issued to me by my ISP, then I would have to map a port on my router and expose the NAS directly to the Internet. No way am I doing that.
I bought a cert through Namecheap and got 5 years for $29.95. That seemed quite reasonable to me. There was no problem getting it to work when I mapped the hostname to the NAS's internal IP. The only downside is that I have to go through a renewal process every year and install the updated cert on NAS. Not a huge deal; just one more thing I have to do.
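The post above relies on a manual yearly renewal of a purchased certificate, which is easy to forget until clients start refusing to connect. The script below is an added example, not something the poster or Synology ships: it uses `openssl x509 -checkend` to flag a PEM certificate that will expire inside a warning window, so it can be run from a cron job (or DSM's Task Scheduler) against the installed cert. The file paths and the `nas.example.test` hostname in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): warn before a manually renewed
# certificate expires. Assumes the openssl CLI is installed and the
# certificate is available as a PEM file (path is an assumption).

# cert_check <cert.pem> [warn_days]
#   Exit 0 if the certificate is still valid for more than warn_days days,
#   exit 1 if it expires within that window (or is already expired).
cert_check() {
    cert="$1"
    warn_days="${2:-30}"
    warn_secs=$((warn_days * 86400))

    # Print the expiry date so the log line is useful on its own.
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')

    # -checkend N returns 0 when the cert is still valid N seconds from now,
    # non-zero when it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo "OK: $cert valid beyond $warn_days days (notAfter=$not_after)"
        return 0
    fi
    echo "WARNING: $cert expires within $warn_days days (notAfter=$not_after)"
    return 1
}

# Stand-alone usage, e.g. from cron on the NAS (path is a placeholder):
#   sh cert_check.sh /usr/syno/etc/certificate/placeholder/cert.pem 30
if [ $# -gt 0 ]; then
    cert_check "$1" "${2:-30}"
fi
```

The exit status is what matters for automation: a non-zero result from the cron job is the signal to start the renewal and re-install the updated cert on the NAS before the current one lapses.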
That all makes sense. Wanted to point out to others that there's potentially less of a hassle to set this up (if you're fine with opening port 80, as has been pointed out to me).
Unfortunately, it's the HTTP challenge only. I.e., you have to open port 80 to your Synology, which is handled by the same nginx instance as all the other services on the device.