@aldafu
Created December 26, 2022 11:09
How to set up Vaultwarden on Synology DSM

Vaultwarden on Synology DSM

This explains how to install and set up Vaultwarden via Docker on a Synology NAS.

Install Docker

Install Docker from Package Center.

Download Vaultwarden

The Docker image for Vaultwarden needs to be downloaded. You can do this either through the DSM UI or from the command line when logged in via SSH.

ssh

  1. Become root: sudo -i
  2. Pull the image: docker pull vaultwarden/server

DSM

The Docker image for Vaultwarden can also be downloaded through DSM UI.

  1. Start "Docker" app from DSM menu and select "Registry" from left menu
  2. Search for vaultwarden
  3. Select "vaultwarden/server" and download the image

Create Vaultwarden Docker container

  1. Start "Docker" app from DSM menu and select "Container" from left menu

  2. Click "Create" and select the "vaultwarden/server" image, click next

  3. Use "bridge" network type, click next

  4. Enable "auto-restart"

  5. Open advanced settings and add a new variable to allow admin access. This is needed to configure SMTP, so that Vaultwarden can send verification and invitation links for new Vaultwarden users by mail. Click "Add" and use "ADMIN_TOKEN" as name and set whatever token (i.e. admin password) you want to use, see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page

    Close advanced settings, click next

  6. For the existing container port 80, configure a local port, e.g. 8080, click next

  7. Click "Add Folder" to create a volume for the Vaultwarden container to store the database. This volume will continue to exist and hold the database even when the container is deleted and recreated, e.g. for a Vaultwarden version update. Create a new folder inside the existing "docker" folder and name it e.g. "vaultwarden". Use "/data/" as mount path. This is the path inside the container, click next

  8. Verify configured settings, click "Done", the container will start

Configure Vaultwarden

Open admin panel

In order to open the web admin panel for Vaultwarden the port that was configured as local port needs to be made available from the outside.

There are different ways to do this and it depends on your DSM configuration for hostname, routing, firewall, DDNS and reverse proxy.

It is assumed that the DSM is available on the public internet by DNS. The following steps explain how to configure a subdomain for Vaultwarden and use it with a TLS certificate from "Let's Encrypt" and a reverse proxy configuration.

Create reverse proxy

  1. Open DSM "Control Panel"
  2. Go to "Login Portal" and there the "Advanced" tab and click "Reverse Proxy"
  3. Create a new Reverse Proxy and configure "Source" as:
    • Set Protocol as "HTTPS"
    • Set Hostname to whatever new subdomain of your existing domain you want, e.g. "vaultwarden.myexistingdomain.test"
    • Set Port to 443
    • Check "Enable HSTS"
  4. Configure "Destination" as:
    • Set Protocol as "HTTP"
    • Set Hostname as "localhost"
    • Set Port to 8080 (use local port that you configured for the container)

Create TLS certificate

  1. Open DSM "Control Panel"
  2. Go to "Security" and there the "Certificate" tab and click "Add"
  3. Select "Add new certificate", click next
  4. Select "Get from Let's Encrypt"
  5. Set "Domain name" for the certificate to the same that was used as "Source" hostname from above when creating the reverse proxy
  6. Add your email address as admin contact and click "Done"

Now the admin panel should be available. Use your configured domain name and append "/admin" and open in a web browser, e.g.

https://vaultwarden.myexistingdomain.test/admin

Use your admin token from above to gain access.

Configure General Settings

In the Vaultwarden Admin panel:

  1. Click on "General settings"
  2. Set "Domain URL" to the same that was used as "Source" hostname from above when creating the reverse proxy and prepend "https://" to make it a URL

Configure SMTP

SMTP email needs to be configured in the Vaultwarden Admin panel. Vaultwarden uses it to verify new users, invite new users and provide users with password recovery links if need be.

It is possible to use whatever SMTP email server that is available to you. It could be a private email server, but it could also be Gmail or whatever other commercial email service.

The following configuration example assumes the "Synology Mail Server" is installed and configured for local email delivery on the DSM itself.

Synology Mail Server should be configured to use SMTP Authentication

In the Vaultwarden Admin panel:

  1. Click on "SMTP Email settings"
  2. Set Host to "172.17.0.12", the host IP address as seen from inside the Docker container
  3. Set "Secure SMTP" to "off"
  4. Set "Port" to 25
  5. Set "From Address" to an email address used as sender, e.g. noreply@localhost
  6. Set Username to your DSM username
  7. Set Password to your DSM password
  8. Click "Save"

To test this configuration open "SMTP Email settings" again and try sending a test mail to your DSM user, e.g. user@localhost

Verify configuration

In the Vaultwarden Admin panel click on "Diagnostics". If you see green labels for all the checks, you are done.

Create user

In the Vaultwarden Admin panel click on "Users" and invite your DSM user by mail e.g. user@localhost

Then check your local email for the invitation link to create a vaultwarden user.

Or create a new user without invitation link by going to your Vaultwarden URL.

Disable admin panel and disable registration for new users

To increase protection for your Vaultwarden installation, disable access to the admin panel so nobody can change the configuration, and consider disabling registration for new users.

Disable admin panel

  1. Stop the Docker container
  2. Edit the container and delete the "ADMIN_TOKEN" variable from advanced settings
  3. Open and edit the "config.json" file in your Vaultwarden folder that was created at step 8 when creating the container.
  4. Remove the "admin_token" from that file and save.
  5. Start container again

Disable registration for new users

  1. Stop the Docker container
  2. Edit the container and add a new variable "SIGNUPS_ALLOWED" and set it to false.
  3. Start container again
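
The config.json edit from "Disable admin panel", as an added example that is not part of the original gist or of Vaultwarden; run it while the container is stopped. It goes one step beyond the steps above by also setting "signups_allowed" to false in the file, because values saved in config.json from the admin panel take precedence over container environment variables such as SIGNUPS_ALLOWED. The function name, the sample values and passing the file path as the first argument are assumptions.

```python
import json
import os
import shutil
import sys
import tempfile

# Constructed sample of what the admin panel may have saved; not real values.
SAMPLE = {"domain": "https://vaultwarden.myexistingdomain.test",
          "admin_token": "constructed-example-token",
          "signups_allowed": True}


def harden_config(path):
    """Drop admin_token and force signups_allowed to false in config.json.

    Returns a list describing every change made (empty if none was needed).
    """
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    changes = []
    if "admin_token" in config:
        del config["admin_token"]
        changes.append("removed admin_token")
    # A value stored here wins over the SIGNUPS_ALLOWED container variable.
    # If the key is absent, the container variable decides, so leave it alone.
    if config.get("signups_allowed", False) is not False:
        config["signups_allowed"] = False
        changes.append("set signups_allowed to false")
    if changes:
        # Write to a temp file in the same folder and swap it in atomically.
        # No backup copy is kept, since it would still contain the token.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
        shutil.copymode(path, tmp)  # keep the original file permissions
        os.replace(tmp, path)
    return changes


if __name__ == "__main__":
    if len(sys.argv) > 1:   # path to config.json in your Vaultwarden folder
        target = sys.argv[1]
    else:                   # no argument: demo run on the constructed sample
        target = os.path.join(tempfile.mkdtemp(), "config.json")
        with open(target, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
    for change in harden_config(target) or ["nothing to change"]:
        print(change)
```
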