Install Vaultwarden Password Server on FreeBSD

In this guide, I explain how to install and set up Vaultwarden on FreeBSD.

What is Vaultwarden

Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with upstream Bitwarden clients. It is perfect for self-hosted use when using the official, resource-intensive service is not ideal.

We can install it as follows:

$: pkg install vaultwarden

Then we copy the sample configuration:

$: cp /usr/local/etc/rc.conf.d/vaultwarden.sample /usr/local/etc/rc.conf.d/vaultwarden

However, before we change our Vaultwarden configuration, we need an admin token, which we can create with the following command:

$: openssl rand -base64 48

We now copy the created token and change the configuration.

Note: If we want to use the web interface, we have to set SIGNUPS_ALLOWED to true. Under ADMIN_TOKEN we paste our copied token. Furthermore, we can change our email server configuration here.

$: nano /usr/local/etc/rc.conf.d/vaultwarden =>

ROCKET_ADDRESS=127.0.0.1
export ROCKET_ADDRESS

ROCKET_PORT=4567 # your port here
export ROCKET_PORT

# ROCKET_TLS='{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
# LOG_FILE='/data/bitwarden.log'

SIGNUPS_ALLOWED='true'
export SIGNUPS_ALLOWED

DOMAIN='https://vaultwarden.domain'
export DOMAIN

ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
export ADMIN_TOKEN

SMTP_HOST=localhost
export SMTP_HOST

SMTP_FROM=noreply@localhost
export SMTP_FROM

SMTP_PORT=25
export SMTP_PORT

SMTP_SSL=false
export SMTP_SSL

# SMTP_USERNAME=
# export SMTP_USERNAME

# SMTP_PASSWORD=
# export SMTP_PASSWORD
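
Before starting the service, the edited file can be checked for the settings this guide touches. The sh functions below are an added example, not part of the original guide or of the Vaultwarden project; the function names and the choice of checks (owner-only file mode, token length, open signups, loopback bind, HTTPS domain) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original guide. Audits the rc.conf.d file for
# the settings the guide edits; prints one line per finding and returns the
# number of findings as exit status.
# Usage: audit_vaultwarden_conf /usr/local/etc/rc.conf.d/vaultwarden

# conf_value FILE KEY: last active assignment of KEY, with a trailing
# "# comment" and surrounding quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

finding() { echo "FINDING: $*"; n=$((n + 1)); }

audit_vaultwarden_conf() {
    f=$1
    n=0

    # The file holds ADMIN_TOKEN and possibly SMTP_PASSWORD: owner-only access.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        finding "$f is accessible to group/other; chmod 600 it"

    # openssl rand -base64 48 yields 64 characters; flag anything shorter.
    token=$(conf_value "$f" ADMIN_TOKEN)
    if [ -n "$token" ] && [ "${#token}" -lt 64 ]; then
        finding "ADMIN_TOKEN is shorter than the 64 characters openssl produces"
    fi

    # Open registration is only needed while the first accounts are created.
    [ "$(conf_value "$f" SIGNUPS_ALLOWED)" != "true" ] ||
        finding "SIGNUPS_ALLOWED is true; set it to false once accounts exist"

    # The backend should stay on loopback so all traffic passes through Nginx.
    case $(conf_value "$f" ROCKET_ADDRESS) in
        127.0.0.1|::1|localhost) ;;
        *) finding "ROCKET_ADDRESS is not loopback; backend reachable without the proxy" ;;
    esac

    case $(conf_value "$f" DOMAIN) in
        https://*) ;;
        *) finding "DOMAIN does not start with https://" ;;
    esac
    return "$n"
}
```

Run against the configuration shown above, it reports the open signups setting and, if the copied sample file kept a world-readable mode, the file permissions.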

Now that we have changed our configuration, we can enable the Vaultwarden service and start it for the first time.

$: service vaultwarden enable
$: service vaultwarden start
$: service vaultwarden status

To be able to use the web interface, we will use Nginx as a reverse proxy. To do this, we first create the Nginx configuration:

$: nano /usr/local/etc/nginx/vhosts/vaultwarden.conf =>

server {
    listen 80;

    server_name vaultwarden.domain;

    # Allow large attachments
    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:4567;
    }
}

We also need an entry in our hosts file:

$: nano /etc/hosts =>

127.0.0.1 vaultwarden.domain

Since it's more secure to deploy Vaultwarden over HTTPS, and we still need Let's Encrypt certificates for that, we simply run the "certbot" command in our terminal and let it automatically create a certificate for our new domain.

Finally, we restart Nginx.

$: service nginx restart

Now we can open our freshly installed Vaultwarden service via the web browser.

Here, we can create a new user and manage our passwords securely in the future.
