Vaultwarden Setup Guide - ajgillis04/GillisDockerDepot GitHub Wiki

Vaultwarden Setup Guide

Introduction

Vaultwarden is a more efficient re-implementation of the Bitwarden server API aimed at self-hosting. It is compatible with Bitwarden clients and provides a secure way to manage passwords.

Prerequisites

  • Docker installed
  • Vaultwarden container running in your Docker stack
  • A domain name and SSL certificate (optional but recommended for security)

Configuration Steps

Step 1: Accessing the Vaultwarden UI

  1. Open your browser and navigate to http://<your-ip-address>:<port>.

⚠️ Hint: Depending on your setup you might not be able to reach the instance by IP address and may need to use the domain name instead (e.g. vault.example.com).

  2. Log in with your Vaultwarden credentials.
  3. If everything looks ok, go to the admin page to configure Vaultwarden's settings:
     http://<your-ip-address>:<port>/admin

Step 2: General settings

  1. Once the admin page is open go to the General settings blade
  2. Domain URL: https://vault.example.com
  3. Require email verification on signups: Enable
  4. Save

Vaultwarden General

Step 3: SMTP Email Settings

  1. Navigate to the SMTP Email Settings tab.
  2. Host: smtp.gmail.com
  3. From Address: [email protected]
  4. Port: 587
  5. From Name: Vaultwarden
  6. Username: [email protected]
  7. Password:
  8. Save
  9. Select Send test email to confirm the settings work.

Vaultwarden SMTP

Step 6: Managing Users

  1. Navigate to the Users tab.
  2. Add new users by entering the user's email address and clicking Invite.

Vaultwarden Invite

Step 7: Bitwarden Mobile App Setup (Self-Hosted)

To connect the Bitwarden mobile app to your self-hosted Vaultwarden instance:

  1. Open the Bitwarden app on your phone.
  2. Tap Log In.
  3. Enter your email address.
  4. Tap Self-Hosted Environment.
  5. Enter your server URL (e.g., https://192.168.1.50:${Port Used}, or, if you have set up secure access, https://vaultwarden.example.com).
  6. Tap Save, then enter your master password to unlock your vault.

💡 If you're using mTLS, make sure your .p12 certificate is imported; there is an option for this at the bottom of the server configuration screen.

Vaultwarden Invite

Step 8: Monitoring and Logs

  1. Go to the Dashboard tab.
  2. Monitor the status of your Vaultwarden instance, including active users and any errors.
  3. Use the logs to troubleshoot issues.

Step 9: Cloudflare Access + mTLS Integration

Secure Vaultwarden behind a Cloudflare Tunnel using client certificate authentication. This assumes your Cloudflare Tunnel is already set up.

Prerequisites

  • Cloudflare Tunnel for vaultwarden.example.com
  • Access to Cloudflare Zero Trust (Applications + Client Certificates)
  • Client certificate issued via Cloudflare Managed CA (certificate and key copied from dashboard)

Cloudflare Access policy setup

  1. Access → Applications → open your Vaultwarden app (or catch‑all *.example.com).
  2. Add a policy:
    • Action: Service Auth
    • Include: Valid Certificate → Any valid certificate
  3. Ensure this policy is listed above identity policies (e.g., Google Auth).
  4. Save.

Vaultwarden Cert Policy

Create the client certificate

  1. Go to Zero Trust → Access → Client Certificates.
  2. Click Create Certificate.
    • Key type: RSA (2048)
    • Validity: Choose your preferred duration (e.g., 1 year)
  3. Click Create.

Vaultwarden Cert client

  1. Copy the PEM blocks shown:
    • Paste the certificate into example.crt
    • Paste the private key into example.key

Vaultwarden Cert client

  1. Create host to enable mTLS
    • Edit and type the name of your subdomain

Vaultwarden Cert client

Create a .p12 bundle (optional for mobile/Windows apps)

openssl pkcs12 -export \
  -inkey example.key \
  -in example.crt \
  -out example.p12 \
  -name "Example Cloudflare"

  • Use the formats appropriately:
    • Mobile/Windows apps: Import example.p12 into Windows → Current User → Personal, then enable automatic client certificate selection in the app.
    • CLI/scripts: Use example.crt and example.key.

Test with curl (API prelogin)

curl -v https://vaultwarden.example.com/api/accounts/prelogin --cert example.crt --key example.key

Expected output:

{"Kdf":"PBKDF2_SHA256","KdfIterations":100000}

A JSON reply like this confirms that Cloudflare Access accepted the client certificate and passed the request through to Vaultwarden.

  • Browsers without a client cert will fall back to identity login (e.g., Google Auth) if that policy is placed below the Service Auth rule.
  • For Windows apps, importing the .p12 into the Current User → Personal store avoids file-path and parsing issues.
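As an added example that is not part of this wiki, the following POSIX shell script wraps the .p12 export from above together with the checks worth running before importing the bundle into the app: that the pasted certificate and key actually belong together and that the certificate has not expired, plus a helper that performs the same prelogin probe as the curl test. File names follow the guide; the export password, the friendly name and the hostname argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the GillisDockerDepot wiki). Builds the .p12 bundle
# for the Bitwarden mobile/Windows app only after verifying the Cloudflare
# client certificate and key copied from the dashboard. File names follow the
# guide (example.crt, example.key, example.p12); password and name are assumptions.
set -u

# Return 0 if the public key inside the certificate matches the private key.
# A mismatch is the usual result of pasting the wrong PEM block into a file.
cert_key_match() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# Return 0 if the certificate is still valid for at least $2 seconds (default 0).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# make_p12 CRT KEY OUT NAME PASSWORD
# Same export as the guide's openssl command, guarded by the two checks above.
make_p12() {
  crt=$1; key=$2; out=$3; name=$4; pass=$5
  cert_key_match "$crt" "$key" || { echo "certificate and key do not match" >&2; return 2; }
  cert_not_expired "$crt" || { echo "certificate has expired" >&2; return 3; }
  # -passout avoids the interactive prompt; the app asks for this password on import.
  openssl pkcs12 -export -inkey "$key" -in "$crt" -out "$out" \
    -name "$name" -passout "pass:$pass" >/dev/null 2>&1
}

# Print the number of certificates inside a bundle (1 is what the app expects).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# prelogin_ok HOST CRT KEY: the guide's curl test, succeeding only when Access
# forwarded the request and Vaultwarden answered with its KDF parameters.
prelogin_ok() {
  curl -s --cert "$2" --key "$3" "https://$1/api/accounts/prelogin" | grep -q '"Kdf"'
}
```

Run `make_p12 example.crt example.key example.p12 "Example Cloudflare" 'your-password'` and then `prelogin_ok vaultwarden.example.com example.crt example.key` to check the pair end to end.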

Notes

  • Ensure all paths and environment variables are updated in the vaultwarden.yaml file.
  • Regularly backup your config directory to save your settings and user data.

Troubleshooting

  • Common Issues: List common issues and solutions.
  • Logs: Check Vaultwarden logs for error messages.
  • Support: Link to the Vaultwarden community and support resources.