Password manager with VeilNet

Learn how to deploy Vaultwarden (Bitwarden-compatible) with VeilNet for secure password management.

Prerequisites

  • Docker and Docker Compose installed
  • VeilNet registration token
  • Access to VeilNet Guardian service
  • Domain name (optional, for email features)

Overview

This guide shows you how to deploy Vaultwarden, a lightweight, self-hosted alternative to the Bitwarden password manager, with VeilNet for secure remote access. Vaultwarden is compatible with Bitwarden clients and provides secure password storage and synchronization.

With VeilNet, you can securely access your password manager from anywhere without exposing it to the public internet.

Step 1: Create Docker Compose Configuration

Create a docker-compose.yml file with the following configuration:

services:
  veilnet-conflux:
    container_name: veilnet-conflux
    restart: unless-stopped
    env_file:
      - .env
    image: veilnet/conflux:beta
    pull_policy: always
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    network_mode: host

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - vaultwarden:/data
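    environment:
      # Listen on the port used in the URLs in this guide (the image default is 80)
      - ROCKET_PORT=8080
      - WEBSOCKET_ENABLED=true
      # Set to false once your accounts exist (see the FAQ)
      - SIGNUPS_ALLOWED=true
      - ADMIN_TOKEN=<GENERATE_ADMIN_TOKEN>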
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    network_mode: "container:veilnet-conflux"
    depends_on:
      - veilnet-conflux

volumes:
  vaultwarden:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: ./vaultwarden

Step 2: Create Environment File

Create a .env file in the same directory as your docker-compose.yml with the following variables:

VEILNET_REGISTRATION_TOKEN=<YOUR_REGISTRATION_TOKEN>
VEILNET_GUARDIAN=<YOUR_GUARDIAN_URL>
VEILNET_PORTAL=true
VEILNET_CONFLUX_TAG=<YOUR_CONFLUX_TAG>
VEILNET_CONFLUX_CIDR=<VEILNET_CIDR>

Replace the placeholders:

  • <YOUR_REGISTRATION_TOKEN>: Your VeilNet registration token (obtained from the VeilNet portal)
  • <YOUR_GUARDIAN_URL>: The URL of your VeilNet Guardian service (e.g., https://guardian.veilnet.app)
  • <YOUR_CONFLUX_TAG>: A tag to identify this Conflux instance (e.g., password-manager)
  • <VEILNET_CIDR>: Any IP address (e.g., 10.128.0.5/16) in CIDR format that belongs to the realm subnet (e.g., 10.128.0.0/16)

Important: Generate a strong admin token for Vaultwarden. You can generate one using:

openssl rand -base64 48

Replace <GENERATE_ADMIN_TOKEN> in the docker-compose.yml with this token.
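
A pre-flight check for the Step 2 files, added here as an example (it is not VeilNet's or Vaultwarden's own tooling): it flags placeholders left in .env, a VEILNET_CONFLUX_CIDR address outside the realm subnet, an .env readable by other users, and an unreplaced <GENERATE_ADMIN_TOKEN>. The function names and the chmod 600 expectation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not VeilNet tooling); function names are illustrative.

# Print dotted-quad IPv4 address $1 as an integer; fail on malformed input.
ip_to_int() (
  case $1 in *[!0-9.]*|*.) exit 1 ;; esac
  set -f; IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|0?*|????*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed if the address in $1 (10.128.0.5/16) lies inside subnet $2 (10.128.0.0/16).
cidr_in_subnet() {
  for bits in "${1#*/}" "${2#*/}"; do
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
  done
  h=$(ip_to_int "${1%/*}") && n=$(ip_to_int "${2%/*}") || return 1
  mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
  [ $(( h & mask )) -eq $(( n & mask )) ]
}

finding() { echo "FAIL: $1"; findings=$((findings + 1)); }

# Lint .env ($1) against the realm subnet ($2) and, optionally, docker-compose.yml ($3).
# Prints one FAIL line per problem and returns non-zero if there were any.
check_env() {
  findings=0
  for key in VEILNET_REGISTRATION_TOKEN VEILNET_GUARDIAN VEILNET_CONFLUX_TAG VEILNET_CONFLUX_CIDR; do
    val=$(sed -n "s/^$key=//p" "$1" | tail -n 1)
    case $val in
      '')        finding "$key is missing or empty" ;;
      *'<'*'>'*) finding "$key still holds a placeholder" ;;
      *) [ "$key" != VEILNET_CONFLUX_CIDR ] || cidr_in_subnet "$val" "$2" ||
           finding "$val is not an address inside realm subnet $2" ;;
    esac
  done
  # .env holds the registration token: flag group- or world-readable modes.
  [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ] ||
    finding "$1 is readable by other users (expected chmod 600)"
  [ -z "${3:-}" ] || ! grep -q '<GENERATE_ADMIN_TOKEN>' "$3" ||
    finding "ADMIN_TOKEN placeholder left in $3"
  [ "$findings" -eq 0 ]
}
```

Run it before Step 4 as `check_env .env 10.128.0.0/16 docker-compose.yml`, substituting your realm's subnet.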

Step 3: Create Data Directories

Create the directory for persistent data storage:

mkdir -p vaultwarden

This directory will store:

  • vaultwarden: Vaultwarden database and encrypted vault data

Step 4: Deploy the Stack

Start all services:

docker-compose up -d

This will:

  • Pull the Vaultwarden and VeilNet Conflux images
  • Start both containers
  • Create the persistent volume for data storage
  • Automatically restart containers if they stop

Step 5: Verify Deployment

Check that all containers are running:

docker-compose ps

View the VeilNet Conflux logs to verify it's connecting:

docker logs veilnet-conflux -f

You should see logs indicating successful registration and connection to the VeilNet network.
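
Because veilnet-conflux runs with network_mode: host and Vaultwarden joins its namespace, Vaultwarden's listening socket sits in the host's network namespace. The following added example (not part of the VeilNet guide; function names are illustrative and the ss output is a constructed sample) classifies the address port 8080 is bound to, so a wildcard bind that is reachable on every host interface shows up at verification time.

```shell
#!/bin/sh
# Added example (not VeilNet tooling); function names are illustrative.

# Read `ss -ltn` output on stdin and print "<scope> <address>" for every
# listening socket on port $1:
#   all-interfaces  wildcard bind (0.0.0.0, [::] or *): reachable on every host interface
#   loopback        127.0.0.0/8 or [::1]
#   single-address  bound to one specific address, such as the VeilNet IP
listener_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4; n = length(la)
      while (n > 0 && substr(la, n, 1) != ":") n--      # split at the last colon
      if (n == 0 || substr(la, n + 1) != port) next
      addr = substr(la, 1, n - 1)
      sub(/%.*$/, "", addr)                             # drop a suffix such as %lo
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
      else scope = "single-address"
      print scope, addr
    }'
}

# Succeed only if no listener on port $1 (ss output on stdin) is a wildcard bind.
no_wildcard_listener() {
  ! listener_scope "$1" | grep -q '^all-interfaces '
}

# Constructed sample of `ss -ltn` output, for trying the functions offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096         0.0.0.0:8080      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096      10.128.0.5:8443      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*'

# On the Docker host: ss -ltn | listener_scope 8080
```

If the result is all-interfaces, restrict port 8080 with the host firewall so that only traffic arriving on the VeilNet interface is accepted.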

Step 6: Initial Configuration

Local Access

  1. Open http://localhost:8080 in your browser
  2. Click "Create Account" to create your first user account
  3. Log in with your new account

Access Admin Panel

  1. Access the admin panel at http://localhost:8080/admin
  2. Use the admin token you generated earlier to log in
  3. Configure settings like:
    • Disable signups (if desired)
    • Configure email settings (optional)
    • View server statistics

Remote Access via VeilNet

  1. Find your host's VeilNet IP address:

ip addr show veilnet

     Or check the VeilNet portal to see your assigned IP address.

  2. Access Vaultwarden from anywhere using:
    • Web UI: http://<veilnet-ip>:8080 (e.g., http://10.128.0.5:8080)
    • Admin Panel: http://<veilnet-ip>:8080/admin

Step 7: Access Your Password Manager

Local Access

Once the service is running, you can access it locally:

  • Web UI: http://localhost:8080
  • Admin Panel: http://localhost:8080/admin

Remote Access via VeilNet

With VeilNet configured, you can access your password manager remotely from anywhere in the world using the host's VeilNet IP address, as long as your device is also connected to the same VeilNet realm.

Access the web interface using:

  • Web UI: http://<veilnet-ip>:8080 (e.g., http://10.128.0.5:8080)
  • Admin Panel: http://<veilnet-ip>:8080/admin

Step 8: Configure Bitwarden Clients

Desktop Client

  1. Download the Bitwarden desktop client
  2. Click "Change Server" in settings
  3. Enter your server URL: http://<veilnet-ip>:8080
  4. Log in with your account credentials

Mobile App

  1. Download the Bitwarden mobile app
  2. Go to Settings → Server URL
  3. Enter your server URL: http://<veilnet-ip>:8080
  4. Log in with your account credentials

Browser Extension

  1. Install the Bitwarden browser extension
  2. Go to Settings → Account → Self-hosted environment
  3. Enter your server URL: http://<veilnet-ip>:8080
  4. Log in with your account credentials

Updating Services

To update to newer versions:

docker-compose pull
docker-compose up -d

This will pull the latest images and restart the containers with updated versions.

Stopping and Removing

To stop all services:

docker-compose down

To remove containers and volumes (this will delete all data):

docker-compose down -v

Warning: Removing volumes will delete all encrypted vault data. Make sure to export your passwords before removing volumes.

FAQ

Can I use the official Bitwarden apps with Vaultwarden?

Yes! Vaultwarden is fully compatible with all Bitwarden clients (desktop, mobile, browser extensions). Just configure the clients to use your self-hosted server URL.

How do I back up my passwords?

You can export your vault from the web interface (Tools → Export Vault) or use the Bitwarden CLI. The encrypted database is stored in the vaultwarden directory and can be backed up directly.

Can I share passwords with family members?

Yes! Create accounts for family members in Vaultwarden, then use Bitwarden's sharing features (Organizations) to share passwords securely. All family members need to be on the same VeilNet realm to access the server. Since Vaultwarden shares the network namespace with veilnet-conflux, it can also use the VeilNet TUN device for optimal network performance.

Is my data encrypted?

Yes! Vaultwarden uses the same encryption as Bitwarden. Your passwords are encrypted on your device before being sent to the server, and the server only stores encrypted data.

Can I disable signups?

Yes! Log in to the admin panel and disable signups. You can also set SIGNUPS_ALLOWED=false in the docker-compose.yml environment variables.

Why use NET_ADMIN capability instead of privileged mode?

The NET_ADMIN capability provides only the necessary permissions for VeilNet to create and manage network interfaces, without granting full privileged access. This is more secure while still allowing VeilNet to function properly.