Comment by duckmysick
5 hours ago
Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it?
I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here?
I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this)
My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet.
Backups are encrypted and stored locally as well as to AWS glacier.
I love it and it works great.
I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long.
Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try.
In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu....
That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security.
This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it.
Pretty similar experience for me, albeit I've only been managing it for about a year.
Restore from backup testing was straightforward. We haven't had any problems w/ the application itself.
I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy.
I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow.
Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet).
> how do you harden it?
By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me.
When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden.
Mobile wireguard clients are very good as a solution to the access problem.
I touched it never aside from updates and it never failed. I compiled it from sources tho
It's as reliable as you make it.
> Anything I'm overlooking here?
Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens.
The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating.
The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials.
Kind of makes a lot of sense that they wound up working there too.