Vaultwarden VPS - Getting Started Guide

Your Vaultwarden VPS based on Ubuntu 24.04 comes fully configured and ready to use. Vaultwarden is a lightweight, self-hosted password manager compatible with all Bitwarden clients (browser extensions, mobile apps, desktop apps).

Software Included

Component | Details
Ubuntu | 24.04 LTS
Vaultwarden | Latest (SQLite database)
Nginx | Reverse proxy with SSL
Certbot | Let's Encrypt SSL
Fail2Ban | SSH + Vaultwarden brute-force protection

Step 1 - Access Your Vault

Vaultwarden is available immediately after your VPS is created. Open your browser and go to:

https://your.server.ip

Note: Vaultwarden uses a self-signed SSL certificate by default. Your browser will show a security warning - this is expected. Click "Advanced" and proceed. You can install a proper Let's Encrypt certificate later (see Step 4).


Step 2 - Create Your Account

On the login page, click Create account. Enter your email address, name, and choose a master password.

Important: Your master password is used to encrypt all your data. Vaultwarden never stores it - if you lose it, your data cannot be recovered. Choose a strong, memorable password.

After registration, log in with your email and master password. This is your personal vault where you can store passwords, notes, cards, and identities.


Step 3 - Connect Bitwarden Clients

Vaultwarden is compatible with all official Bitwarden clients. Download the one you need:

Before logging in, you need to point the client to your server. In any Bitwarden client:

  1. On the login screen, click the region selector (or gear icon) and choose Self-hosted
  2. Enter your server URL: https://your.server.ip
  3. Save and log in with your email and master password

Once connected, all your passwords sync automatically across all devices.


Step 4 - Set Up a Domain and SSL (Recommended)

For the best experience with Bitwarden clients, set up a domain with a proper SSL certificate:

  1. Create a DNS A record pointing your domain to the server IP:
    Type | Name | Value
    A | vault | your.server.ip
  2. SSH into your server and run the SSL script:
    /opt/setup/get-ssl.sh vault.yourdomain.com
  3. Update the Vaultwarden config:
    sed -i "s|^DOMAIN=.*|DOMAIN=https://vault.yourdomain.com|" /opt/vaultwarden/.env
    systemctl restart vaultwarden
  4. Update the server URL in your Bitwarden clients to https://vault.yourdomain.com

DNS changes usually take a few minutes, but can take up to 24 hours. Check the status at dnschecker.org.


Step 5 - Admin Panel (Optional)

Vaultwarden includes an admin panel for managing users, organizations, and server settings. To enable it, SSH into your server and set an admin token:

# Add ADMIN_TOKEN to the config
echo 'ADMIN_TOKEN=your-secret-token-here' >> /opt/vaultwarden/.env
systemctl restart vaultwarden

Then open https://your.server.ip/admin and enter the token. From the admin panel you can:

  • Invite or delete users
  • Disable open registration
  • Manage organizations
  • View server diagnostics
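
Steps 4 and 5 both edit /opt/vaultwarden/.env, and the `>>` append in Step 5 adds another ADMIN_TOKEN line every time it is re-run. The following is an added example, not part of the original guide: it replaces a key in place and generates a random token instead of a hand-typed one. The function names gen_token, set_env_key and env_is_private are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print a 64-character hex token built from 32 random bytes.
gen_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# set_env_key FILE KEY VALUE
# Rewrite FILE so that KEY appears exactly once, as KEY=VALUE.
# FILE is overwritten in place, so its owner and mode are preserved.
set_env_key() {
    env_file=$1; key=$2; value=$3
    # Create a missing file owner-only; it will hold the admin token.
    [ -f "$env_file" ] || ( umask 077; : > "$env_file" ) || return 1
    tmp=$(mktemp) || return 1          # mktemp files are mode 600
    # Keep every line except existing assignments of KEY
    # (grep exits 1 when nothing is left, which is not an error here).
    grep -v "^${key}=" "$env_file" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$env_file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Succeed only if FILE grants no permissions to group or others.
env_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Usage on the server (paths taken from the guide):
#   TOKEN=$(gen_token); echo "$TOKEN"    # note it down for the /admin login
#   set_env_key /opt/vaultwarden/.env ADMIN_TOKEN "$TOKEN"
#   set_env_key /opt/vaultwarden/.env DOMAIN https://vault.yourdomain.com
#   env_is_private /opt/vaultwarden/.env || echo ".env is readable by other users"
#   systemctl restart vaultwarden
```

Vaultwarden also accepts an Argon2 hash of the token in ADMIN_TOKEN, generated with its `hash` subcommand, which keeps the plaintext out of .env.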

Post-Installation

Fail2Ban - Brute-Force Protection

Your server comes with Fail2Ban pre-configured to protect both SSH and the Vaultwarden web interface from brute-force attacks.

Rule | Max Attempts | Ban Duration
SSH | 5 failed logins | 1 hour
Vaultwarden web login | 5 failed logins | 1 hour

Useful commands:

# Check banned IPs
fail2ban-client status sshd
fail2ban-client status vaultwarden

# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4

If you accidentally lock yourself out, connect via the VNC console in your client panel and unban your IP.

Useful Commands

# Service management
systemctl status vaultwarden     # check Vaultwarden status
systemctl restart vaultwarden    # restart Vaultwarden
systemctl status nginx           # check Nginx status

# Configuration
nano /opt/vaultwarden/.env       # edit Vaultwarden settings

# Database backup (SQLite)
cp /opt/vaultwarden/data/db.sqlite3 /root/vaultwarden-backup-$(date +%Y%m%d).sqlite3

# View logs
journalctl -u vaultwarden -f    # Vaultwarden service log
cat /opt/vaultwarden/data/vaultwarden.log  # application log
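
A plain cp of db.sqlite3 while Vaultwarden is running can capture a half-written state, and when write-ahead logging is in use recent writes may still sit in a separate db.sqlite3-wal file. The added example below (not from the original guide) takes the copy with the sqlite3 CLI's .backup command and checks it before keeping it. It assumes the sqlite3 package is installed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# backup_vaultwarden_db SRC_DB DEST_DIR
# Take a consistent snapshot of a live SQLite database, verify it,
# and print the path of the backup file. Runs in a subshell so the
# umask change does not leak into the caller.
backup_vaultwarden_db() (
    src=$1; dest_dir=$2
    umask 077                       # backups hold the whole vault; keep them owner-only
    mkdir -p "$dest_dir" || exit 1
    dest="$dest_dir/vaultwarden-backup-$(date +%Y%m%d-%H%M%S).sqlite3"
    sqlite3 "$src" ".backup '$dest'" || exit 1
    check=$(sqlite3 "$dest" 'PRAGMA integrity_check;') || exit 1
    if [ "$check" != "ok" ]; then
        echo "integrity check failed for $dest: $check" >&2
        rm -f "$dest"
        exit 1
    fi
    printf '%s\n' "$dest"
)

# prune_backups DIR KEEP
# Delete all but the KEEP newest backups (names sort by timestamp).
prune_backups() {
    dir=$1; keep=$2
    ls -1 "$dir"/vaultwarden-backup-*.sqlite3 2>/dev/null | sort -r |
        tail -n "+$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
}

# Usage on the server (paths taken from the guide):
#   backup_vaultwarden_db /opt/vaultwarden/data/db.sqlite3 /root/vaultwarden-backups
#   prune_backups /root/vaultwarden-backups 14
```

The database is only part of the state: the rest of /opt/vaultwarden/data (attachments and key files) needs to be copied as well for a full restore.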

Updates

Vaultwarden is installed as a standalone binary and does not update automatically. To update, replace the binary with a newer version extracted from the official Docker image:

# On a machine with Docker, extract the new binary:
docker pull vaultwarden/server:latest-alpine
CID=$(docker create vaultwarden/server:latest-alpine)
docker cp $CID:/vaultwarden /tmp/vaultwarden
docker rm $CID

# Copy to your server and replace:
scp /tmp/vaultwarden root@your.server.ip:/tmp/
ssh root@your.server.ip "systemctl stop vaultwarden && cp /tmp/vaultwarden /opt/vaultwarden/vaultwarden && chmod +x /opt/vaultwarden/vaultwarden && systemctl start vaultwarden"
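
The update procedure above replaces a binary that handles every vault request without checking that the file that arrived on the server is the one that was extracted, and it overwrites the previous version with no way back. The added example below (not from the original guide; function names are hypothetical) verifies a SHA-256 digest before installing and keeps the old binary for rollback. It assumes you record the digest of /tmp/vaultwarden on the Docker machine with sha256sum and pass it in on the server.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified NEW_FILE TARGET EXPECTED_SHA256
# Install NEW_FILE as TARGET only if its digest matches; keep TARGET.prev.
install_verified() {
    new=$1; target=$2; expected=$3
    actual=$(sha256_of "$new")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    # Keep the current version so a bad release can be rolled back.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.prev" || return 1
    fi
    # Stage next to the target, then rename, so the swap is a single step.
    cp "$new" "$target.new" && chmod 755 "$target.new" && mv "$target.new" "$target"
}

# rollback_binary TARGET: restore the version saved by install_verified.
rollback_binary() {
    [ -f "$1.prev" ] || return 1
    mv "$1.prev" "$1"
}

# Usage on the server (paths taken from the guide; DIGEST is the value
# printed by `sha256sum /tmp/vaultwarden` on the Docker machine):
#   systemctl stop vaultwarden
#   install_verified /tmp/vaultwarden /opt/vaultwarden/vaultwarden "$DIGEST"
#   systemctl start vaultwarden || rollback_binary /opt/vaultwarden/vaultwarden
```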

OS updates can be applied via SSH:

apt update && apt upgrade -y

Troubleshooting

Problem | Solution
Browser shows SSL warning | This is expected with the default self-signed certificate. Click "Advanced" and proceed. To fix permanently, set up a domain and run /opt/setup/get-ssl.sh
Can't access web vault | Check services: systemctl status vaultwarden nginx. Make sure you use https:// (not http)
Bitwarden client can't connect | Make sure you selected "Self-hosted" in the client settings and entered the correct server URL with https://
Forgot master password | Master password cannot be recovered - this is by design (zero-knowledge encryption). If you enabled the admin panel, you can delete the account and create a new one
Domain not resolving | Check that your domain's A record points to the server IP. Use dnschecker.org to verify
Blocked by Fail2Ban | Use VNC console in your client panel to unban your IP: fail2ban-client set sshd unbanip 1.2.3.4
Can't connect via SSH | Check that port 22 is not blocked. Try VNC console as a fallback

