Vaultwarden is a lightweight, self-hosted password manager that is fully compatible with the Bitwarden apps and browser extensions. Instead of storing your passwords on someone else’s server, you run it yourself. This tutorial walks through setting it up on Unraid using Docker Compose, accessible on your local network only.
Executive Summary#
Vaultwarden runs as a single Docker container with no external database required. Vault data is stored on your Unraid server and syncs in real time to any device running the official Bitwarden app. Setup takes about 30 minutes and requires no ports open to the internet.
Prerequisites#
- An Unraid server up and running
- The Compose Manager plugin installed in Unraid
- Basic familiarity with the Unraid UI and terminal
Implementation#
Step 1: Check for an Available Port#
Confirm the port you want to use is not already taken. SSH into your Unraid server and run:
ss -tulnp | awk '{print $5}' | grep -oP '(?<=:)\d+' | sort -n | uniqThis lists every port currently in use. This tutorial uses port 9080. If it does not appear in the output, you are good to go.
Step 2: Create the Directory Structure#
Create a directory for the stack and a data folder for Vaultwarden:
mkdir -p /mnt/user/compose/security/vaultwarden/dataThis keeps your Vaultwarden data organized under the security stack alongside any other security-related containers you add later.
Step 3: Generate an Admin Token#
The admin token protects the Vaultwarden admin panel, which lets you manage users, disable open registration, and configure email. Generate a secure random token:
openssl rand -base64 48Copy the output and store it somewhere safe. You will use it in the next step and any time you need to access the admin panel.
Step 4: Create the Compose File#
nano /mnt/user/compose/security/docker-compose.ymlPaste the following, replacing YOUR_ADMIN_TOKEN with the token from the previous step:
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
ports:
- "9080:80"
volumes:
- ./vaultwarden/data:/data
environment:
- ADMIN_TOKEN=YOUR_ADMIN_TOKEN
- SIGNUPS_ALLOWED=false
- WEBSOCKET_ENABLED=true
- LOG_LEVEL=warnNotes on these settings:
9080:80maps port 9080 on your Unraid server to port 80 inside the container./vaultwarden/datastores all vault data on the host so it persists across restarts and updatesSIGNUPS_ALLOWED=falsedisables public registration so only you can create accounts via the admin panelADMIN_TOKENenables the admin panel at/adminWEBSOCKET_ENABLED=trueenables real-time sync across devices
Step 5: Start the Container#
cd /mnt/user/compose/security
docker compose up -dConfirm it is running:
docker ps | grep vaultwardenYou should see the container listed with a status of Up.
Step 6: Add the Stack to Compose Manager#
- Go to the Unraid dashboard and open the Compose Manager plugin
- Click Add New Stack
- Name it
securityand set the source path to/mnt/user/compose/security - Click Save
The stack will now appear in Compose Manager and you can start, stop, and update it from the UI.
Step 7: Create Your Account#
Open a browser and go to:
http://YOUR-UNRAID-IP:9080Click Create Account and set up your account. This is your personal vault login, separate from the admin token. Log in after creating the account and verify your vault is accessible.
Step 8: Access the Admin Panel#
Go to:
http://YOUR-UNRAID-IP:9080/adminEnter your admin token when prompted. From here you can confirm your account was created, disable unwanted accounts, configure SMTP for email, and verify server diagnostics.
Step 9: Connect the Bitwarden App or Extension#
Vaultwarden is fully compatible with official Bitwarden clients.
Browser extension (Firefox, Chrome, Edge):
- Install the Bitwarden browser extension
- Click the extension icon and go to Settings
- Under Self-hosted environment, enter your server URL:
http://YOUR-UNRAID-IP:9080 - Click Save and log in with your account credentials
Mobile (iOS or Android):
- Install the Bitwarden app
- On the login screen, tap the region selector at the top
- Select Self-hosted, enter your server URL, and tap Save
- Log in with your account credentials
Lab Notes & Troubleshooting#
The container starts but the web UI does not load. Confirm port 9080 is not blocked by another container or firewall rule. Run docker logs vaultwarden to check for startup errors.
I lost my admin token. Stop the container, edit the compose file with a new token generated by openssl rand -base64 48, and restart. The vault data is unaffected.
The Bitwarden app cannot connect. Make sure you are on the same network as your Unraid server, or connected over VPN if accessing remotely. Double check the server URL includes the port number.
Sync is not working in real time. Confirm WEBSOCKET_ENABLED=true is set in your compose file and the container was restarted after the change.
Accessing from outside your network. This setup is LAN only. Connect to your home network over VPN first, then access Vaultwarden at the same local address. Public exposure without a VPN is not recommended for a password manager.
Summary#
You now have a self-hosted password manager running on your Unraid server, accessible on your local network and over VPN. Your vault data is stored on your own hardware, never leaves your network, and is accessible from any device using the official Bitwarden apps.