Install Vaultwarden Password Server on FreeBSD

In this tutorial, I explain how to install and set up Vaultwarden on FreeBSD.



What is Vaultwarden

Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with the upstream Bitwarden clients. It is well suited to self-hosting when running the official, resource-intensive service might not be ideal.

We can install it as follows:

root: pkg install vaultwarden

We then copy the sample configuration:

root: cp /usr/local/etc/rc.conf.d/vaultwarden.sample /usr/local/etc/rc.conf.d/vaultwarden

Before we change our Bitwarden configuration, we need an admin token, which we can create with the following command:

root: openssl rand -base64 48

We now copy the generated token and then edit the configuration.

Note: if we want to use the web interface, we have to set SIGNUPS_ALLOWED to true. For ADMIN_TOKEN, we paste the token we copied. We can also change our email server configuration here.

root: nano /usr/local/etc/rc.conf.d/vaultwarden =>

ROCKET_ADDRESS=127.0.0.1
export ROCKET_ADDRESS

ROCKET_PORT=4567 # your port here
export ROCKET_PORT

# ROCKET_TLS='{certs = "/ssl/fullchain.pem", key = "/ssl/key.pem"}'
# LOG_FILE='/data/bitwarden.log'

SIGNUPS_ALLOWED='true'
export SIGNUPS_ALLOWED

DOMAIN='https://vaultwarden.<domain>'
export DOMAIN

ADMIN_TOKEN= # generate one with ~$ openssl rand -base64 48
export ADMIN_TOKEN

SMTP_HOST=localhost
export SMTP_HOST

SMTP_FROM=noreply@localhost
export SMTP_FROM

SMTP_PORT=25
export SMTP_PORT

SMTP_SSL=false
export SMTP_SSL

# SMTP_USERNAME=
# export SMTP_USERNAME

# SMTP_PASSWORD=
# export SMTP_PASSWORD
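
Before starting the service, the edited file can be checked for the settings that matter most. The following sh function is an added example, not part of the original tutorial or the Vaultwarden port; the name audit_vaultwarden_conf and the choice of checks are assumptions based on the configuration above.

```shell
#!/bin/sh
# Added example, not from the tutorial or the Vaultwarden port.
# audit_vaultwarden_conf is a hypothetical helper: it prints one line per
# finding and returns 0 if the file is clean, 1 if not, 2 if it cannot be read.
audit_vaultwarden_conf() {
    conf=$1
    case $conf in */*) ;; *) conf=./$conf ;; esac   # keep '.' from searching PATH
    if [ ! -r "$conf" ] || ! sh -n "$conf" 2>/dev/null; then
        echo "ERROR: $conf is unreadable or not valid sh"
        return 2
    fi
    findings=$(
        # Clear inherited values so the environment cannot mask a missing setting.
        unset ADMIN_TOKEN SIGNUPS_ALLOWED ROCKET_ADDRESS DOMAIN
        # The file is sh syntax, assignments plus export, so source it in this subshell.
        . "$conf" >/dev/null 2>&1
        # 'openssl rand -base64 48' emits 64 characters; anything shorter was
        # typed by hand or truncated while pasting.
        if [ -z "${ADMIN_TOKEN:-}" ]; then
            echo "ADMIN_TOKEN is empty: paste the generated token"
        elif [ "${#ADMIN_TOKEN}" -lt 64 ]; then
            echo "ADMIN_TOKEN is shorter than 64 characters"
        fi
        # Registration has to be open only while the first accounts are created.
        case ${SIGNUPS_ALLOWED:-} in
            (true|TRUE|1) echo "SIGNUPS_ALLOWED is on: set it to false once your accounts exist" ;;
        esac
        # The backend should stay on loopback so all traffic passes through NGINX.
        case ${ROCKET_ADDRESS:-} in
            (127.0.0.1|::1|localhost) ;;
            (*) echo "ROCKET_ADDRESS is not a loopback address" ;;
        esac
        # The public URL should match the HTTPS deployment.
        case ${DOMAIN:-} in
            (https://*) ;;
            (*) echo "DOMAIN does not start with https://" ;;
        esac
        # The file holds the admin token and may hold SMTP_PASSWORD.
        if [ -n "$(find "$conf" -perm -004)" ]; then
            echo "file is world-readable: chmod o-rwx $conf"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Called as audit_vaultwarden_conf /usr/local/etc/rc.conf.d/vaultwarden, it reports the sample values from this tutorial (open signups, empty token) until they have been changed.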

Now that we have changed our configuration, we can enable the Bitwarden service and start it for the first time.

root#: service vaultwarden enable
root#: service vaultwarden start
root#: service vaultwarden status

To be able to use the web interface, we will use NGINX as a reverse proxy. We first create the NGINX configuration:

root#: nano /usr/local/etc/nginx/vhosts/vaultwarden.conf =>

server {
    listen 80;

    server_name vaultwarden.<domain>;

    # Allow large attachments
    client_max_body_size 128M;

    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:4567;
    }
}

We need one more entry in our hosts file:

root: nano /etc/hosts =>

127.0.0.1 vaultwarden.<domain>

Since it is more secure to deploy Bitwarden via HTTPS and we still need Let's Encrypt certificates for that, we simply run the command 'certbot' in our terminal and let it automatically create a certificate for our new domain. You can find more information about this in my Nginx Tutorial.

Finally, we restart NGINX.

root: service nginx restart

Now we can open our freshly installed Bitwarden service via web browser.

Vaultwarden login screen

Here, we can create a new user and manage our passwords securely in the future.

If you followed my Firefox tutorial, you will remember that I briefly introduced the Bitwarden plugin for Firefox. We can enter our new Bitwarden URL in the plugin settings so that our passwords are stored securely on our hosted service.