Vaultwarden with Docker on a Synology NAS

Install password manager Vaultwarden on a Synology NAS under Docker.

Vaultwarden with Docker on a Synology NAS-heroimage


Please be aware that the original version of this blog post was written in German. This English translation has been provided for your convenience. While all efforts have been made to maintain accuracy, there may be some translation errors. I apologize for any confusion or misunderstandings that may arise from the translated text. Corrections are welcome via comments or email.

Strengthening Digital Security with Vaultwarden on a Synology NAS

In today’s digital age, secure password management is non-negotiable. With the myriad of accounts and applications each of us uses, safeguarding personal information begins with robust passwords. Celebrating World Password Day, let’s delve into installing Vaultwarden, an open-source password manager, on a Synology NAS using Docker.

Discovering Vaultwarden

Vaultwarden, a Bitwarden derivative, is a free and open-source tool that simplifies password management. It enables users to generate and securely store unique passwords for every login, presenting an effective alternative to proprietary password managers. Vaultwarden shines with its straightforward interface yet comprehensive feature set.

The Logic Behind Docker Deployment on Synology NAS

Leveraging Docker to run Vaultwarden on a Synology NAS encapsulates the application in a container, ensuring isolation from other system components. This method simplifies installations, migrations, and updates significantly.

Prerequisites for Vaultwarden Installation

For my setup, I use a DS220+(Amazon affiliate link)Synology NAS equipped with 10 GB RAM(Amazon affiliate link), although Vaultwarden’s modest resource demands are as follows:

System requirementsMinimum
CPU0.2 cores
Storage200 MB

These guidelines also apply to other Docker-compatible devices.

A reverse proxy manager is essential within the network, whether hosted on another device or directly on the Synology NAS. A domain is also beneficial.

Setting the Stage for Installation

Before diving into Vaultwarden’s setup, ensure Docker is installed on the NAS. I’ve detailed the DiskStation setup process here. While Portainer is optional, it’s a useful tool for managing containers. I’ll focus on using Portainer in this guide.

Firstly, create a dedicated folder for Vaultwarden’s persistent data. Note down the folder path after naming it vaultwarden-data.

Vaultwarden data folder

Deploying Vaultwarden

Commence the installation by configuring a new stack in Portainer using Docker-Compose:

version: "3"

        external: false

        container_name: vaultwarden
        image: vaultwarden/server
        restart: unless-stopped
            - /path-to-folder:/data # Modify to the actual folder path on your NAS e.g., /volume1/docker/vaultwarden-data:/data
            - 1234:80 # Change the left side port as needed
            - 3012:3012 # Change the left side port as needed
            - WEBSOCKET_ENABLED=true # Enables real-time sync
            - ADMIN_TOKEN=secure password # Admin login token
            - internal

Vaultwarden Stack

If utilizing a proxy manager on the DiskStation, integrate the proxy manager’s network and omit the port configurations.

After stack creation, monitor the container’s log to confirm the server is operational.

Vaultwarden Log

Configuring Vaultwarden

Establishing a Proxy

Setting up a proxy host varies depending on the reverse proxy used. Here’s how it could look with Caddy:

# Input your domain here {
encode gzip

# Reference ports from docker-compose.yml and NAS IP
reverse_proxy /notifications/hub/negotiate

# Websocket port from docker-compose.yml
reverse_proxy /notifications/hub

# Redirect to the first port again

For Nginx Proxy Manager:

Vaultwarden Proxy Host

Secure Vaultwarden with a Let’s Encrypt SSL certificate.

SSL certificate

Configure advanced settings accordingly:

Advanced settings

# location /admin {
# return 404;
# }

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

  location /notifications/hub {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

  location /notifications/hub/negotiate {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

Adjust ports and IP addresses as required.

Initial Setup and User Management

Navigate to the URL to register a new user account.

Vaultwarden Login

Access admin settings using the admin token from docker-compose.yml by appending /admin to the URL. Configure the domain under “General Settings” and manage user registration options here.

Set up “SMTP Email Settings” to enable Vaultwarden to send emails.

SMTP Settings

Invite new users under the “Users” section.

Vaultwarden Users

Optionally, secure the admin area by uncommenting the relevant lines in your proxy manager’s settings:

location /admin {
 return 404;


Keeping Vaultwarden Up-to-Date

Updates are straightforward with Portainer. All you have to do is recreate the stack. To do this, go to the stack editor in Portainer and click “Update the stack”. Select that the image should be rebuilt.

Vaultwarden Update

If there is a new release, this should be downloaded and started using the procedure.

Summing Up

Vaultwarden stands out as a viable Bitwarden alternative, with simple installation and convenient administration for multiple users. While reverse proxy configuration adds complexity, it’s manageable with clear instructions. May this guide serve you well in bolstering your digital security.

This website uses cookies. These are necessary for the functionality of the website. You can find more information in the privacy policy