Vaultwarden - Getting Started Guide
Vaultwarden is a lightweight, self-hosted password manager compatible with all Bitwarden clients - browser extensions, mobile apps and desktop apps. This server comes fully configured with Vaultwarden, Nginx reverse proxy and SSL. Just open the web vault, create your account and start storing passwords.
Step 1 - Verify Vaultwarden Works
Your server's IP address and root password are shown on the Server Details page in your client panel. Open your browser and go to:
https://your.server.ipIf the login page loads, Vaultwarden is working correctly.
If you placed the server behind a VyOS router on a private network, either configure port forwarding (ports 80 and 443), or connect over a VPN and reach Vaultwarden on the server's private IP.
Step 2 - Create Your Account
On the login page, click Create account. Enter your email address, name, and choose a master password.
After registration, log in with your email and master password. This is your personal vault where you can store passwords, notes, cards and identities.
Step 3 - Connect Bitwarden Clients
Vaultwarden is compatible with all official Bitwarden clients:
- Browser extension: Chrome, Firefox, Edge, Safari
- Desktop app: Windows, macOS, Linux
- Mobile app: iOS, Android
Before logging in, point the client to your server:
- On the login screen, click the region selector (or gear icon) and choose Self-hosted
- Enter your server URL:
https://your.server.ip - Save and log in with your email and master password
Once connected, all your passwords sync automatically across all devices.
Step 4 - Set Up a Domain and SSL (Recommended)
For the best experience with Bitwarden clients, set up a domain with a proper SSL certificate:
1. Create a DNS A record pointing your domain to the server IP (e.g. vault.yourdomain.com → your.server.ip).
2. SSH into your server and run:
ssh root@your.server.ip/opt/setup/get-ssl.sh vault.yourdomain.com3. Update the Vaultwarden config:
sed -i "s|^DOMAIN=.*|DOMAIN=https://vault.yourdomain.com|" /opt/vaultwarden/.env
systemctl restart vaultwarden4. Update the server URL in your Bitwarden clients to https://vault.yourdomain.com.
Step 5 - Admin Panel (Optional)
Vaultwarden includes an admin panel for managing users, organizations and server settings. To enable it, SSH into your server and set an admin token:
echo 'ADMIN_TOKEN=your-secret-token-here' >> /opt/vaultwarden/.env
systemctl restart vaultwardenThen open https://your.server.ip/admin and enter the token. From the admin panel you can:
- Invite or delete users
- Disable open registration
- Manage organizations
- View server diagnostics
Post-Installation
Fail2Ban - Brute-Force Protection
Your server comes with Fail2Ban pre-configured to protect both SSH and the Vaultwarden web interface from brute-force attacks.
| Rule | Max Attempts | Ban Duration |
|---|---|---|
| SSH | 5 failed logins | 10 minutes |
| Vaultwarden | 5 failed logins | 1 hour |
Useful commands:
# Check banned IPs
fail2ban-client status sshd
fail2ban-client status vaultwarden
# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4If you accidentally lock yourself out, connect via VNC console in your client panel and unban your IP.
Service Management
# Check status
systemctl status vaultwarden nginx
# Restart Vaultwarden
systemctl restart vaultwarden
# View logs
journalctl -u vaultwarden -f
# Edit config
nano /opt/vaultwarden/.env
# Backup database (SQLite)
cp /opt/vaultwarden/data/db.sqlite3 /root/vaultwarden-backup-$(date +%Y%m%d).sqlite3Updates
Vaultwarden is installed as a standalone binary and does not update automatically. To update, replace the binary with a newer version extracted from the official Docker image:
# On a machine with Docker, extract the new binary:
docker pull vaultwarden/server:latest-alpine
CID=$(docker create vaultwarden/server:latest-alpine)
docker cp $CID:/vaultwarden /tmp/vaultwarden
docker rm $CID
# Copy to your server and replace:
scp /tmp/vaultwarden root@your.server.ip:/tmp/
ssh root@your.server.ip "systemctl stop vaultwarden && cp /tmp/vaultwarden /opt/vaultwarden/vaultwarden && chmod +x /opt/vaultwarden/vaultwarden && systemctl start vaultwarden"OS updates:
apt update && apt upgrade -ySoftware Included
| Component | Details |
|---|---|
| Ubuntu | 24.04 LTS |
| Vaultwarden | Latest (SQLite database) |
| Nginx | Reverse proxy with SSL |
| Certbot | Let's Encrypt SSL |
| Fail2Ban | SSH + Vaultwarden brute-force protection |
Troubleshooting
| Problem | Solution |
|---|---|
| Browser shows SSL warning | This is expected with the default self-signed certificate. Set up a domain and run /opt/setup/get-ssl.sh vault.yourdomain.com for a trusted certificate |
| Cannot access web vault | Check services: systemctl status vaultwarden nginx. Make sure you use https:// (not http) |
| Bitwarden client cannot connect | Make sure you selected "Self-hosted" in the client settings and entered the correct server URL with https:// |
| Forgot master password | Master password cannot be recovered - this is by design (zero-knowledge encryption). If you enabled the admin panel, you can delete the account and create a new one |
| Blocked by Fail2Ban | Use VNC console in your client panel to unban your IP: fail2ban-client set sshd unbanip 1.2.3.4 |
| Forgot root password | Use VNC console in your client panel to reset it |