Comment by giancarlostoro
5 hours ago
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
5 hours ago
Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained.
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
1 reply →
I touched it never aside from updates and it never failed. I compiled it from sources tho
It's as reliable as you make it.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
Kind of makes a lot of sense that they wound up working there too.
Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming.
It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden.
Is there an alternative frontend as well, or are you still locked in?
https://github.com/doy/rbw Is an alternative Bitwarden cli front end. Probably has plenty of scaffolding to build a GUI frontend based on it.
Edit: Just a bit of googling turned up these as well.
https://github.com/AChep/keyguard-app https://github.com/sgolub/bitclient
There is not an alternative frontend that I'm aware of, but as the article mentions, the clients are Apache 2.0 licensed, so in the event of a rug pull, a fork and rebrand of the clients would be what is needed to restore service.
Their android app at least is open source and on available on their own f-droid repo
Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't.
Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it.