Bitwarden

Installing bitwarden on Synology Diskstation

Until recently I had been using 1Password as my trusted password manager. I had been using it since 1Password 4 and lately bought the upgrade to 1Password 7 for Mac and Android. Syncing between devices was done using Dropbox. It was pretty easy. But then it was time to share some passwords with my wife. I was looking at the possibilities: creating a 1Password vault and sharing it via Dropbox, or using 1Password for Families for 4,99 USD per month. Other alternatives, such as Lastpass, Dashlane and Bitwarden, use a subscription model, and you need to upload your passwords to their servers.

But Bitwarden advertises itself as open source and can be self-hosted. Although it's self-hosted, you have to pay the monthly subscription to use all the features. Then I came across an unofficial implementation of the Bitwarden server written in Rust, called bitwarden_rs. It has all of the official Bitwarden features minus the subscription.

Since bitwarden_rs has a Docker image and my Synology Diskstation 218+ can run Docker applications, why not try to host it on Synology 🙂

Docker bitwarden_rs

First install Docker from the Package Center. After that run the Docker package, go to Registry and search for bitwardenrs and download the image. I use only the bitwardenrs/server image. It will save your data in a sqlite3 database.

[Screenshot: docker search]

After the image is downloaded, let’s launch it.

[Screenshot: docker container setting]

I’ll name it bitwardenrs-server and then let’s click the advanced settings so we can mount a volume…

[Screenshot: docker volume setting]

and create a new port mapping. This port will be used later to create a reverse proxy, so the instance is reachable from the internet.

[Screenshot: docker port setting]

Before we run the docker image, let’s finish setting up the reverse proxy and create a Let’s Encrypt certificate so it is reachable from the internet. To do so, let’s open Application Portal in the Synology Control Panel, then go to Reverse Proxy.

[Screenshot: reverse proxy on synology settings]

Reverse proxy setup

Let's create a new reverse proxy setting. In Hostname, put your domain (e.g. bitwarden.domain.tld). Set the port to 443 (https). In the destination section, the hostname is localhost and the port is the port number you set in the Docker settings.

[Screenshot: setup reverse proxy synology]

After setting up the reverse proxy, stay in Control Panel and open Security. In the Certificate panel, generate a Let's Encrypt certificate for the domain you chose earlier in the Reverse Proxy settings.

[Screenshot: setup let's encrypt certificate]

That's all. Start your bitwarden_rs container and your Bitwarden server will be available under the domain you chose earlier, assuming you have already pointed the DNS record for that domain at your router's IP and set up a port redirect on your router to route port 443 to your Synology NAS.

If Bitwarden is reachable, you'll get the Bitwarden login screen. User creation is open to anyone, so you had better deactivate it.

[Screenshot: bitwarden login]

There are a couple of ways to deactivate user registration:

  • via the Docker environment
  • via the Bitwarden admin panel

To disable registration, go back to the container settings in Docker and set SIGNUPS_ALLOWED to false. Then restart the container. The create account button is still visible, but users get an error if they try to register themselves.

[Screenshot: deactivate signups environment settings]

Another way is to use the Bitwarden admin panel. This panel has more settings you can change. To enable the admin panel, go to the container settings and set the ADMIN_TOKEN environment parameter. As its value, set some token.

Then go to Bitwarden and add /admin to the URL (e.g. bitwarden.domain.tld/admin). On the login screen, enter the admin token you set earlier. There you can disable account creation. The settings will be written to a config.json file in the Docker volume, so secure this file.

[Screenshot: admin token environment settings]

See the wiki of bitwarden_rs for more documentation on the Docker environment settings: https://github.com/dani-garcia/bitwarden_rs/wiki
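
As an added example (not part of the original post or the bitwarden_rs project), this Python script audits a container's `docker inspect` output, plus config.json if the admin panel wrote one, for the settings discussed above. The sample data is constructed; the /data path, the lowercase config.json keys, the precedence of config.json over the environment and the 32-character token threshold are assumptions.

```python
import json

# Constructed sample: trimmed `docker inspect bitwardenrs-server` output.
SAMPLE_INSPECT = json.loads("""
[{"Config": {"Env": ["SIGNUPS_ALLOWED=true", "ADMIN_TOKEN=admin123"]},
  "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
  "Mounts": [{"Source": "/volume1/docker/bitwarden", "Destination": "/data"}]}]
""")

MIN_TOKEN_LEN = 32   # assumption: shorter admin tokens are treated as guessable
DATA_DIR = "/data"   # assumption: path inside the container that holds the database


def audit(inspect, config_json=None):
    """Return hardening findings for one container.

    inspect     -- parsed `docker inspect <container>` output (a list)
    config_json -- parsed config.json from the volume, if the admin panel wrote one
    """
    container = inspect[0]
    env = dict(e.split("=", 1) for e in container["Config"]["Env"] if "=" in e)
    cfg = config_json or {}
    findings = []

    # Assumption: values saved by the admin panel override the environment.
    signups = cfg.get("signups_allowed", env.get("SIGNUPS_ALLOWED", "true"))
    if str(signups).lower() != "false":
        findings.append("signups-open")

    token = cfg.get("admin_token", env.get("ADMIN_TOKEN"))
    if token is not None and len(token) < MIN_TOKEN_LEN:
        findings.append("weak-admin-token")

    # The reverse proxy connects via localhost, so no wider binding is needed.
    bindings = container["HostConfig"].get("PortBindings") or {}
    for port, hosts in bindings.items():
        if any(h.get("HostIp") in ("", "0.0.0.0", "::") for h in hosts or []):
            findings.append("port-on-all-interfaces:" + port)

    if not any(m.get("Destination") == DATA_DIR for m in container.get("Mounts", [])):
        findings.append("no-data-volume")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_INSPECT))
```

Feed it the real output with `docker inspect bitwardenrs-server` parsed through `json.load`; an empty list means none of the four checks fired.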
