| ▲ | giancarlostoro 6 hours ago |
| Not my project but Vaultwarden is an open source (in Rust) alternative backend for Bitwarden. I believe its been around a while, and is still maintained. https://github.com/dani-garcia/vaultwarden |
|
| ▲ | duckmysick 6 hours ago | parent | next [-] |
| Question for anyone self-hosting vaultwarden: how reliable is it and how do you harden it? I'm thinking about running it in a container (Podman Quadlet with systemd) behind a VPN, with daily backups with borg. Anything I'm overlooking here? |
| |
| ▲ | JimBlackwood 6 hours ago | parent | next [-] | | I’ve used Vaultwarden for at lesst 7 years, I’m sure for longer but I’m not sure how long. Never had an issue with Vaultwarden itself. Restored from backups several times for a variety of reasons (migrating host, corrupt hard disk, re-installs) and that always worked first try. In regards to hardering, the wiki has a good guide: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Gu.... | | |
| ▲ | akerl_ an hour ago | parent | next [-] | | That guide is wild. By default it allows public registration, shows password hints, requires a reverse proxy for robust TLS but then passes tokens via GET params, runs in the container as root. Recommends fail2ban because it doesn't have any coverage against brute force. Recommends using a custom path for security. This feels less like a guide on hardening Vaultwarden than a guide on why I should be skeptical about it. | |
| ▲ | EvanAnderson 4 hours ago | parent | prev [-] | | Pretty similar experience for me, albeit I've only been managing it for about a year. Restore from backup testing was straightforward. We haven't had any problems w/ the application itself. I used that that hardening guide for my setup. The one I manage is exposed to the Internet and I'm bringing traffic into it via a reverse proxy. |
| |
| ▲ | void-star an hour ago | parent | prev | next [-] | | I have my vaultwarden running on a container on my home-lab server acessible only from Tailscale. The container itself is only accessible as its own node on my Tailscale private network and can’t be reached any other way (there are no inbound port forwards for the container itself, tailscale handles this) My phone and laptop both use tailscale to access this and a few other containers I have set up similarly. I also have tailscale ACL rules to limit just “me” or whomever I want to allow to use it (family etc) also on my tailnet. Backups are encrypted and stored locally as well as to AWS glacier. I love it and it works great. | |
| ▲ | cobertos 4 hours ago | parent | prev | next [-] | | I've never had a reliability issue with Vaultwarden. Hosted it 5+ years now. Even with random off/on of the server and other bumps in the road in life, the Docker container I run has had no issues with hosting. The user interface is friendly but can be just a little slow. Mine is not exposed to the public internet, though some friends of mine do. I use a VPN when I need to access fresh data from the home server, otherwise both the Firefox client and Android client will generally keep a cache of the last data pull when they had connection (so it wasn't an issue the 4 or so years I didn't have a VPN yet). | |
| ▲ | xienze 3 hours ago | parent | prev | next [-] | | > how do you harden it? By not exposing it to the wider internet. When I use a client (iPhone, browser, etc.) while on the home network, it syncs. While off the network, the last synced data is still there. That's been good enough for me. | | |
| ▲ | ibizaman 2 hours ago | parent [-] | | When the server can’t be accessed, you can’t create a secret, right? This has been quite annoying in my experience. I’d still recommend Bitwarden clients with self-hosted Vaultwarden. | | |
| |
| ▲ | PunchyHamster 2 hours ago | parent | prev | next [-] | | I touched it never aside from updates and it never failed. I compiled it from sources tho | |
| ▲ | thesuitonym 6 hours ago | parent | prev | next [-] | | It's as reliable as you make it. | |
| ▲ | hypeatei 6 hours ago | parent | prev [-] | | > Anything I'm overlooking here? Not technical, but the person behind that project now works for Bitwarden so there's some risk of a rugpull. Of course it's OSS but you'll need to trust a fork or maintain it yourself if said rugpull happens. | | |
| ▲ | Snow_Falls 5 hours ago | parent | next [-] | | The maintainer has said that they've been given permission to maintain it in their free time. All it takes is a bad quarter and the CEO decides they don't want to be supporting a competitor and that goes away. It's possible that a community continuation could happen but I wouldn't rely on something so uncertain for something as important as credentials. | | |
| ▲ | l72 28 minutes ago | parent [-] | | It’s a bad strategy. I am capable so I host an instance of vaultwarden for myself and spouse (only available via our vpn) But when friends and family ask for my recommendation I send them to Bitwarden and they pay for the service. If it wasn’t for vaultwarden and the clients being open source I would not be using it nor recommending it. I’d probably still be using keepass with manual sync and when friends and family ask for suggestions I’d probably shrug and say I don’t trust any of them. |
| |
| ▲ | akerl_ an hour ago | parent | prev | next [-] | | The expansion of "rugpull" to encompass "a company or open source developer changing the roadmap or level of investment in something they develop" is fascinating. | |
| ▲ | giancarlostoro 5 hours ago | parent | prev [-] | | Kind of makes a lot of sense that they wound up working there too. |
|
|
|
| ▲ | afavour 2 hours ago | parent | prev | next [-] |
| Personally, I want to avoid the responsibility for hosting it myself. I'm happy to pay for that. But a reasonable amount. Today Bitwarden's price is fine for me, but I worry about what's coming. |
|
| ▲ | danielmeskin 2 hours ago | parent | prev | next [-] |
| It is still maintained, but I believe the maintainer is employed by Bitwarden now, and is working on projects in addition to Vaultwarden. |
|
| ▲ | pocksuppet 5 hours ago | parent | prev | next [-] |
| Is there an alternative frontend as well, or are you still locked in? |
| |
|
| ▲ | WesolyKubeczek 2 hours ago | parent | prev [-] |
| Don't I have to rely on the OG frontend/GUI components, though? They are one automatic update away from bundling taking custom server address away with important security fixes, in a way that you are damned if you do and damned if you don't. |
| |
| ▲ | PunchyHamster 2 hours ago | parent [-] | | Technically yes but the frontend is so far open source so forking that is also something that could technically happen if company ever went back on it. |
|
