Lastpass is out. Aside from all the ongoing issues with vaults being decrypted, I just canceled my paid subscription only to discover the free account is basically useless for anyone who actually uses technology (they limit you to either computers or mobile devices).

I’ve successfully gotten a Vaultwarden instance running and it works great. But I have a few concerns:

  • Right now the vault is hosted on my LAN, and I use a VPN to connect to my LAN from my mobile devices as needed to access other internal private services. The problem I see here is that if my LAN goes down for some reason, I might not have access to my passwords…
  • I thought about hosting the vault on one of my cloud VPSes. However, I don’t feel as secure having the instance “flapping in the breeze” ready as a target for the first exploit that’s found in the server. I strongly prefer the idea of it only being accessible via some sort of VPN.
  • So, I thought I can just run a VPN on the VPS itself like I do with my home LAN right now, but then I realized my second concern is that if something were ever to happen to me, even temporarily (say I end up hospitalized), my VPS will just shut off as soon as payment isn’t received on time and all the other family members who might need to use the instance (e.g. to access my passwords) will be out of luck.
  • The problem with requiring a VPN to get to the VPS or to my LAN is that I can’t use the “give someone else access if I become incapacitated” options. I doubt my mom will ever remember how to activate the VPN and get into the vault, for example. (Not to mention I’d like to be able to offer family accounts on the instance as well, but I still am not sure how I feel about a Vaultwarden instance just sitting there on an open HTTP server.)

For those who self-host Vaultwarden (or even the official Bitwarden server), how do you do it securely and reliably? I know there isn’t much to be done about the “it goes down if I don’t pay” option other than set up autopay and hope it’ll be able to withdraw from your account in your absence, but what about security in general? It really smells bad to run a known password-storing server out on the public Internet for easy scanning and infiltration, plus it just makes your host a prime target.

  • CYCLONOUS_69@alien.topB
    1 year ago

    I have successfully hosted Bitwarden on my unused laptop, which no one was willing to buy (typical Indian mentality). I run my laptop 24x7 with other applications and software on it while keeping it plugged into the wall.

    I have configured a Cloudflare Tunnel to Bitwarden so I can access it outside of my local network without any issues. You just have to get a domain. I have configured my firewall on the server and the router to prevent unauthorized access or DDoS. I have deployed Bitwarden using Docker Compose according to the official method, which just works fine without any issues.

    I did look into Vaultwarden but I always prefer to stick with official Docker images.

  • PaleMongo@alien.topB
    1 year ago

    > The problem I see here is that if my LAN goes down for some reason, I might not have access to my passwords…

    Regularly back up your Vaultwarden data. If necessary, import this to KeePass should your docker system break.

  • Developer_Akash@alien.topB
    1 year ago

    > The problem I see here is that if my LAN goes down for some reason, I might not have access to my passwords

    Not entirely true: you will still have read-only access.

    I had a similar concern when I thought about self-hosting password managers. So I started a discussion regarding the same here.

    I learned a lot of new stuff from the folks discussing there. Take a look; it might help answer some of your queries as well.

  • Karbust@alien.topB
    1 year ago

    I have mine public, with a strong master password and 2FA enabled. The admin panel is also public with a very strong password; no one is breaking that in many lifetimes. About the database I’m not worried: it is only accessible locally or through an SSH tunnel that only accepts authentication via private key. I’m also using Cloudflare; the subdomain is available for my country only, except when I travel, then I disable it.

  • bufandatl@alien.topB
    1 year ago

    Have a look at Cloudflare Tunnel. You still have Vaultwarden in your LAN but accessible from the world. No open ports needed.

  • digitalindependent@alien.topB
    1 year ago

    Your local Bitwarden apps “only” sync with your Vaultwarden. So if you’re not adding and changing multiple entries every day you can just endure an outage of a few hours or even days until you reconnect and sync.

    That said, I am very paranoid about hosting my password manager on a publicly available VPS. The VPS provider theoretically has access and if you don’t secure the VPS properly everybody else, too.

    So I make VW only accessible via a VPN (WireGuard) and only host it locally on a Pi. That is also backed up to another Pi (Borg with borgmatic).

    For me this is a good mix of redundancy, access control and attack vector mitigation.

  • slurp@programming.dev
    1 year ago

    It doesn’t have to be live, you can make backups and put them various places for redundancy, so that it can be restored. A backup is small enough to fit in some free cloud storage, preferably encrypted, which helps protect against a few eventualities.
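    The backup advice in PaleMongo's reply ("regularly back up your Vaultwarden data") and in the post above (small, encrypted copies in several places so the vault can be restored) has one pitfall worth showing in code: copying the live SQLite file with `cp` while Vaultwarden is writing can produce a torn copy. The script below is an added example, not code from this thread or from the Vaultwarden project. It assumes the default SQLite backend and data-directory layout (`db.sqlite3`, `attachments/`, `sends/`, the RSA key files); it snapshots the database with SQLite's online backup API, bundles it with the other files, writes a SHA-256 sidecar, keeps only the newest N archives, and verifies an archive by checking the hash and running `PRAGMA integrity_check` on the extracted database. Encrypting the archive before it goes to cloud storage is left to whatever tool you already use (age, gpg, restic, Borg).

```python
"""Consistent, verified backups of a Vaultwarden data directory.

Added example (not from the thread or the Vaultwarden project). Assumes the
default SQLite backend; adjust DB_NAME / EXTRA_ITEMS if your layout differs.
"""
from __future__ import annotations

import hashlib
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DB_NAME = "db.sqlite3"  # handled via the backup API, never copied raw
EXTRA_ITEMS = ["attachments", "sends", "rsa_key.pem", "rsa_key.pub.pem", "config.json"]


def sidecar(archive: Path) -> Path:
    return archive.with_name(archive.name + ".sha256")


def snapshot_db(db_path: Path, out_path: Path) -> None:
    """Consistent copy of the live database via SQLite's online backup API."""
    src = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    dst = sqlite3.connect(out_path)
    with dst:
        src.backup(dst)
    src.close()
    dst.close()


def backup_vault(data_dir: Path, dest_dir: Path, keep: int = 7, stamp: str | None = None) -> Path:
    """Write vaultwarden-<UTC stamp>.tar.gz + .sha256, prune to `keep` newest, return path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"vaultwarden-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        db_copy = Path(tmp) / DB_NAME
        snapshot_db(data_dir / DB_NAME, db_copy)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(db_copy, arcname=DB_NAME)
            for name in EXTRA_ITEMS:
                item = data_dir / name
                if item.exists():  # e.g. sends/ only appears once Send is used
                    tar.add(item, arcname=name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    sidecar(archive).write_text(f"{digest}  {archive.name}\n")
    # Retention: timestamped names sort chronologically, so drop all but the newest `keep`.
    for old in sorted(dest_dir.glob("vaultwarden-*.tar.gz"))[:-keep]:
        old.unlink()
        sidecar(old).unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """Hash check, then extract the DB copy and run SQLite's integrity check."""
    expected = sidecar(archive).read_text().split()[0]
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected:
        return False  # truncated or tampered archive
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive, "r:gz") as tar:
        try:
            member = tar.extractfile(DB_NAME)
        except KeyError:
            return False
        if member is None:
            return False
        db_copy = Path(tmp) / DB_NAME
        db_copy.write_bytes(member.read())
        conn = sqlite3.connect(db_copy)
        try:
            return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        finally:
            conn.close()


def make_demo_data_dir(path: Path) -> Path:
    """Constructed stand-in for a Vaultwarden data dir (placeholder key, toy table)."""
    (path / "attachments").mkdir(parents=True)
    (path / "attachments" / "note.txt").write_text("constructed attachment\n")
    (path / "rsa_key.pem").write_text("-- constructed placeholder, not a real key --\n")
    conn = sqlite3.connect(path / DB_NAME)
    with conn:
        conn.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, data TEXT)")
        conn.execute("INSERT INTO ciphers VALUES ('c1', 'encrypted blob (constructed)')")
    conn.close()
    return path


def demo() -> dict:
    """Three backups with keep=2, verification, and detection of a corrupted archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = make_demo_data_dir(root / "data")
        dest = root / "backups"
        for stamp in ("20240101T000000Z", "20240102T000000Z"):
            backup_vault(data, dest, keep=2, stamp=stamp)
        newest = backup_vault(data, dest, keep=2, stamp="20240103T000000Z")
        remaining = sorted(p.name for p in dest.glob("vaultwarden-*.tar.gz"))
        verified = verify_backup(newest)
        with newest.open("ab") as f:  # simulate a corrupted upload
            f.write(b"garbage")
        return {"remaining": remaining, "verified": verified, "tamper_detected": not verify_backup(newest)}


if __name__ == "__main__":
    print(demo())
```

    Run `backup_vault(Path("/path/to/vaultwarden/data"), Path("/backups"))` from cron, then ship the archive through your encryption tool to the off-site locations; run `verify_backup` on the downloaded copy now and then, because a backup that has never been restored is only a hope.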