.webp?table=collection&id=fff97571-0fee-81cf-8d7c-000bfde68952&t=fff97571-0fee-81cf-8d7c-000bfde68952&width=800&cache=v2){kind=small}
type
status
date
slug
summary
tags
category
icon
password
I used LastPass as my password manager for a long time, but after its security breach, I decided to switch to Microsoft Edge's built-in password manager. While it met my basic needs, it came with a significant drawback: I became completely tied to Microsoft Edge, both on PC and Android. The necessity of using Microsoft Edge solely for password management became a major inconvenience, which ultimately led me to consider Bitwarden. This article provides a guide on setting up a local Bitwarden server, Vaultwarden, using Docker on Windows, and using Cloudflare Tunnel for external access from mobile devices.
📝 Installing Docker on Windows
For this setup, I chose Windows not because it’s ideal for managing services (in fact, Docker Desktop on Windows is often criticized for being cumbersome), but because my Proxmox VE (PVE) mini-server is low on memory. Until I upgrade its RAM, I’m temporarily hosting Docker on my Windows machine. Once I expand the memory on my Proxmox VE (PVE) server, I’ll migrate all the vaultwarden setup to it.
Installation Steps:
- Visit Windows | Docker Docs to download the Docker installer.
- Run the installer and follow the prompts. Note that either WSL (Windows Subsystem for Linux) or Hyper-V must be enabled on Windows, as Docker relies on these virtualization technologies. I recommend using WSL as the backend.
Enabling WSL or Hyper-V on Windows (Windows 11 Example):
- Open the Control Panel and navigate to Programs → Turn Windows features on or off.
Depending on your choice:
- Enable Hyper-V if you prefer it as the virtualization backend.
- Enable Windows Subsystem for Linux if opting for WSL.
📝 Installing and Configuring Vaultwarden
Why Choose Vaultwarden?
Vaultwarden (formerly known as Bitwarden_RS) is an open-source password management server designed as a lightweight alternative to the official Bitwarden server. It’s optimized for self-hosting environments and is compatible with Bitwarden’s official clients (Windows, macOS, Linux, iOS, Android) and browser extensions. It’s resource-efficient, requiring only 512MB of RAM and less than 2GB of disk space, making it perfect for self-hosted and deployment on home networks, such as on a soft router or NAS.
Comparing with Official Bitwarden Server Requirements:
Specifications | Minimum | Recommended |
Processor | x64, 1.4GHz | x64, 2GHz dual core |
Memory | 2GB RAM | 4GB RAM |
Storage | 12GB | 25GB |
Docker Version | Engine 19+ and Compose 1.24+ | Engine 19+ and Compose 1.24+ |
Pulling the Vaultwarde Image:
Use the
docker pull command to fetch the Vaultwarden image. If you encounter slow downloads due to network issues, use a VPN service.Starting the Vaultwarden Container:
Due to differences in escape characters and path formats on Windows, the official
docker run command provided by Vaultwarden won’t work directly. Below is a modified command for Windows PowerShell:Notes:
- Replace
your-domain.comwith your desired domain.
- Modify the
-volume=path to your preferred directory (e.g.,F:\Docker\vaultwarden).
- Change the
pport mapping if needed (e.g.,10086:80for port 10086).
Using Docker Desktop GUI:
Alternatively, you can start the container using Docker Desktop’s GUI:
Open Docker Desktop and navigate to Images.
Find the
vaultwarden/server image and click the Start button.
Configure the Optional Settings:
- Container name: Optional (randomly generated if left blank).
- Host port: Set your desired port.
- Host path: Select the mount directory.
- Container path: Enter
/data/.
- Variable: Add
DOMAIN(case-sensitive).
- Value: Enter your domain.
Click Run.
Once the container is running, access Vaultwarden via
http://local-ip:port. The first time, you’ll need to create an account and set a master password.📝 Setting Up Cloudflare Tunnel for External Access
To access Vaultwarden outside your local network, use Cloudflare Tunnel, a service provided by Cloudflare’s Zero Trust platform.
Steps:
- Ensure you have a domain registered with Cloudflare and a payment method linked.
- Log in to Cloudflare, navigate to Zero Trust → Networks → Tunnels, and click Create a Tunnel.
- Select Cloudflared as the Tunnel type and give it a name (e.g.,
vaultwarden).
- In Install and run a connector, choose Docker as the environment. Copy the provided command and run it in your terminal:
- In Route Traffic, configure the routing:
- Subdomain: Set your desired subdomain (e.g.,
vault). - Domain: Choose your Cloudflare-managed domain.
- Path: Leave blank.
- Type: Select HTTP.
- URL: Enter your local IP and port (e.g.,
10.0.0.10:80). Do not uselocalhostor127.0.0.1.
After saving, access your configured domain to open Vaultwarden externally.
📝 Backing Up Vaultwarden with OneDrive
To prevent data loss and simplify future migrations, I recommend backing up the Vaultwarden data directory. Instead of compressing and encrypting the
data folder, I use a symbolic link (mklink) to sync it directly to OneDrive:Notes: Run this in CMD (not PowerShell). Modify
%CD%\Onedrive\bak\Warden to your desired OneDrive backup path.📝 Resource Usage
With both Vaultwarden and Tunnel containers running, total memory usage is around 1.2GB, with containers consuming 80MB. Disk usage is 1.83GB, and CPU usage is negligible. This setup is far more lightweight than the official Bitwarden server requirements.
📝 Advanced Features
Disabling New User Registrations:
To restrict new sign-ups, add the
SIGNUPS_ALLOWED=false environment variable:📎 References
By following this guide, you can achieve a self-hosted, secure, and efficient password management solution. Feel free to share your thoughts or questions in the comments! 🚀