Vaultwarden - SynoCommunity/spksrc GitHub Wiki
SynoCommunity Vaultwarden package specific information
Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust. It is compatible with upstream Bitwarden clients and perfect for self-hosted deployment.
⚠️ HTTPS Requirement
Vaultwarden uses the Web Crypto API which requires a secure context (HTTPS). You must configure a reverse proxy with SSL before accessing the web interface, otherwise you will see a "secure context required" error.
Reverse Proxy Setup
Step 1: Create a Certificate (if needed)
- Go to Control Panel > Security > Certificate
- Add a certificate via Let's Encrypt or import your own
Step 2: Create Reverse Proxy Entry
Navigate to the Reverse Proxy settings:
- DSM 7: Control Panel > Login Portal > Advanced > Reverse Proxy
- DSM 6: Control Panel > Application Portal > Reverse Proxy
Click Create and configure as follows:
| Field | Value |
|---|---|
| Description | Vaultwarden |
| Source Protocol | HTTPS |
| Source Hostname | Your domain (e.g., vault.yourdomain.com) |
| Source Port | 443 (or custom) |
| Destination Protocol | HTTP |
| Destination Hostname | localhost |
| Destination Port | 8180 |
Step 3: Enable WebSocket Support
WebSocket is required for live sync between Bitwarden clients.
- In the reverse proxy entry, go to the Custom Header tab
- Click Create > WebSocket
- Click Save to apply the configuration
Step 4: Assign Certificate
- Go to Control Panel > Security > Certificate
- Click Settings (DSM 7) or Configure (DSM 6)
- Assign your certificate to the Vaultwarden reverse proxy entry
Alternative: Built-in TLS
If you prefer not to use a reverse proxy, Vaultwarden supports built-in TLS:
- Generate or obtain SSL certificates (e.g., via Let's Encrypt)
- Edit the environment file:
/var/packages/vaultwarden/var/.env - Add or uncomment:
ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} - Restart the package
Ports
| Port | Protocol | Description |
|---|---|---|
| 8180 | TCP | Web interface and API |
Configuration Files
| File | Description |
|---|---|
/var/packages/vaultwarden/var/.env |
Environment configuration |
/var/packages/vaultwarden/var/config.json |
Runtime configuration (editable via admin UI) |
Database Support
Vaultwarden supports multiple database backends:
- SQLite (default) - No additional configuration needed
- MySQL/MariaDB - Set
DATABASE_URLin.env - PostgreSQL - Set
DATABASE_URLin.env
Admin Interface
The admin interface is available at /admin (e.g., https://vault.yourdomain.com/admin). You need the admin token set during installation to access it.
If you didn't copy the token during installation and want to disable admin access, edit /var/packages/vaultwarden/var/config.json and set:
"disable_admin_token": true
Troubleshooting
"Secure context required" error
Ensure you are accessing Vaultwarden via HTTPS. See the reverse proxy setup above.
WebSocket connection errors
Make sure WebSocket headers are configured in your reverse proxy.
Connection refused
Check that the package is running: Package Center > Vaultwarden > Run