Home Server Setup Guide (Part 4): Self-Hosting Passwords with Vaultwarden and Tailscale
Now that your old laptop is a server, let’s make it truly useful. In this guide, I’ll show you how to host your own password manager with Vaultwarden and secure it with Tailscale. To enhance privacy, we’ll also configure Tailscale to authenticate with a GitHub account. Ready to take control of your passwords?
Passwords are the keys to your digital life—email, banking, social media, everything. Relying on third-party password managers (e.g., LastPass, 1Password) means trusting someone else with those keys. Here’s why self-hosting is a game-changer:
- Control: You own the server, so you decide where your data lives—no cloud breaches to worry about.
- Privacy: No Big Tech snooping. Your passwords stay on your hardware.
- Customization: Tailor the setup to your needs (e.g., backups, access rules).
- Cost: Free and open-source tools like Vaultwarden save you subscription fees.
Tailscale is a zero-config VPN that creates a secure, private network between your devices using WireGuard. No need to mess with router ports or firewalls—it just works. Here’s why it’s key for our setup:
- Secure Access: Connect to your Vaultwarden server from anywhere as if you’re on the same LAN.
- Simplicity: No complex VPN configs—just install and go.
- Privacy: Encrypted connections without exposing your server to the public internet.
```
┌──────────────┐        ┌──────────────┐
│ Mobile/Laptop│ ─────> │  Tailscale   │
│ (100.x.x.x)  │        │ Virtual VPN  │
└──────────────┘        └──────────────┘
                               │
                               ▼
                      ┌───────────────────┐
                      │    Vaultwarden    │
                      │  Self-hosted PM   │
                      │   (100.x.x.x)     │
                      └───────────────────┘
```
Assuming your server is running NixOS, let’s set up Vaultwarden. Open your system configuration:

```bash
sudo nano /etc/nixos/configuration.nix
```

Add the Vaultwarden service and open its port in the firewall:

```nix
services.vaultwarden = {
  enable = true;
  config = {
    DOMAIN = "http://<your-magicdns-name>:8000"; # fill in once Tailscale is set up, e.g. http://vaultserver.orca-lizard.ts.net:8000
    SIGNUPS_ALLOWED = true; # set this to false after you have created your own account in Vaultwarden
    WEBSOCKET_ENABLED = true;
    ROCKET_ADDRESS = "0.0.0.0"; # listen on all interfaces
    ROCKET_PORT = 8000; # default Vaultwarden port
  };
};
networking.firewall.allowedTCPPorts = [ 8000 ]; # must match ROCKET_PORT
```

Then apply the configuration:

```bash
sudo nixos-rebuild switch
```
Mistake I Faced: I forgot to open port 80 in the firewall—Vaultwarden wasn’t accessible until I added it.
We’ll use Tailscale to reach Vaultwarden remotely and authenticate with a GitHub account (not Google) for added security and privacy. Enable the Tailscale daemon in configuration.nix and rebuild:

```nix
services.tailscale.enable = true;
```

```bash
sudo nixos-rebuild switch
```

I created a new GitHub account to avoid linking my Tailscale activity to Big Tech (Google/Microsoft). It’s a blend of anonymity and deep system traces—perfect for this setup.

Log the server in to your tailnet (the first command prints a login URL; open it and sign in with GitHub) and check that it is connected:

```bash
sudo tailscale up
sudo tailscale status
```
To access Vaultwarden from your phone or laptop, install Tailscale on that device too.
Windows/Mac: Download from Tailscale.
- Check your server’s Tailscale details:

```bash
tailscale status
```

Example output:

```
100.64.1.2 vaultserver orca-lizard.ts.net
```

The name (e.g., vaultserver.orca-lizard.ts.net) is your server’s MagicDNS domain, automatically generated from its machine name (vaultserver) and your tailnet name (orca-lizard.ts.net).
Ensure MagicDNS is enabled:
- Log in to the Tailscale admin console at login.tailscale.com.
- Go to the DNS tab and verify MagicDNS is toggled on (it’s enabled by default for new tailnets).
Connect to Vaultwarden:
- Open your Bitwarden client (mobile app, desktop app, or browser extension).
- Go to the settings and set the custom server URL to your server’s Tailscale MagicDNS name followed by the ROCKET_PORT from your configuration, e.g., http://vaultserver.orca-lizard.ts.net:8000 (without a reverse proxy, Vaultwarden is not listening on port 80). Save the settings.
- Log in with your Vaultwarden credentials to access your password vault.
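To confirm the finished setup, here is a check script added to this guide as an example; it is not code from Vaultwarden, Tailscale or the original post, and the function names, the `vaultserver` hostname and the embedded sample output are assumptions. It reads `tailscale status --json` (a constructed sample is embedded so it runs offline), finds the server among your tailnet nodes, strips the trailing dot from its MagicDNS name, builds the Bitwarden server URL with ROCKET_PORT, and probes the Vaultwarden port on the server’s tailnet address and, optionally, on its LAN address. The LAN probe matters because `ROCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts` opens the port on every interface, not only on the tailnet; if the vault also answers on the LAN, scope the rule to the Tailscale interface with `networking.firewall.interfaces."tailscale0".allowedTCPPorts` instead.

```python
"""Post-setup check for the Vaultwarden-over-Tailscale layout in this guide.

Added example; not code from Vaultwarden, Tailscale or the guide's author.
Assumes the server was configured as in the guide (ROCKET_ADDRESS = 0.0.0.0,
ROCKET_PORT = 8000). Run it from a client device that is on your tailnet and
on the server's LAN, not on the server itself: a host probing its own LAN
address goes over loopback, which the NixOS firewall trusts, so the result
would be meaningless there.
"""
import json
import shutil
import socket
import subprocess
import sys
from typing import Callable, Optional

VAULTWARDEN_PORT = 8000          # ROCKET_PORT from the guide's configuration.nix
SERVER_HOSTNAME = "vaultserver"  # machine name used in the guide (assumption)

# Constructed sample of `tailscale status --json` as seen from a laptop,
# trimmed to the fields used below. Real output carries many more keys.
SAMPLE_STATUS_JSON = """
{
  "BackendState": "Running",
  "MagicDNSSuffix": "orca-lizard.ts.net",
  "Self": {
    "HostName": "laptop",
    "DNSName": "laptop.orca-lizard.ts.net.",
    "TailscaleIPs": ["100.64.1.5", "fd7a:115c:a1e0::5"]
  },
  "Peer": {
    "nodekey:aaaa": {
      "HostName": "vaultserver",
      "DNSName": "vaultserver.orca-lizard.ts.net.",
      "TailscaleIPs": ["100.64.1.2", "fd7a:115c:a1e0::2"],
      "Online": true
    }
  }
}
"""


def find_node(status_json: str, hostname: str) -> dict:
    """Locate a node by machine name in Self or Peer and return its MagicDNS
    name (trailing dot stripped, as the Bitwarden client wants it) and its
    IPv4 tailnet address. Raises KeyError if the name is not in the tailnet."""
    data = json.loads(status_json)
    candidates = [data["Self"]] + list(data.get("Peer", {}).values())
    for node in candidates:
        if node["HostName"] == hostname:
            ipv4 = next(ip for ip in node["TailscaleIPs"] if ":" not in ip)
            return {"dns_name": node["DNSName"].rstrip("."), "ipv4": ipv4}
    raise KeyError(f"{hostname} is not in this tailnet")


def vault_url(dns_name: str, port: int = VAULTWARDEN_PORT) -> str:
    """Server URL to enter in the Bitwarden client. The port must match
    ROCKET_PORT because nothing in the guide proxies Vaultwarden to port 80."""
    return f"http://{dns_name}:{port}"


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (plain reachability probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(tailnet_ip: str, lan_ip: Optional[str],
                    port: int = VAULTWARDEN_PORT,
                    probe: Callable[[str, int], bool] = tcp_open) -> dict:
    """The vault should answer on the tailnet address. If it also answers on
    the LAN address, the firewall rule is too broad: restrict it to the
    Tailscale interface (networking.firewall.interfaces."tailscale0")."""
    tailnet_ok = probe(tailnet_ip, port)
    lan_open = probe(lan_ip, port) if lan_ip else False
    return {"tailnet_reachable": tailnet_ok,
            "lan_reachable": lan_open,
            "ok": tailnet_ok and not lan_open}


def load_status() -> str:
    """Real `tailscale status --json` when the CLI is installed, else the sample."""
    if shutil.which("tailscale"):
        return subprocess.run(["tailscale", "status", "--json"],
                              capture_output=True, text=True, check=True).stdout
    return SAMPLE_STATUS_JSON


if __name__ == "__main__":
    # Usage: python check_vault.py [server-LAN-address]
    server = find_node(load_status(), SERVER_HOSTNAME)
    lan_ip = sys.argv[1] if len(sys.argv) > 1 else None
    print(f"Bitwarden server URL : {vault_url(server['dns_name'])}")
    for key, value in exposure_report(server["ipv4"], lan_ip).items():
        print(f"{key:21}: {value}")
```

Pass the server’s LAN address as the first argument to get the exposure check; `ok` is true only when the vault answers over the tailnet and not over the LAN.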