Secure Self-Hosted Password Management: Install Vaultwarden on Ubuntu 24.04 & Tunnel It with Tailscale


If you’re running a homelab, a private server, or a small team infrastructure, you’ve likely noticed a recurring security pattern: self-hosting services without exposing them to the public internet.

This tutorial walks you through the modern, zero-trust way to deploy Vaultwarden (a lightweight Bitwarden-compatible password manager) on Ubuntu 24.04, and secure access using Tailscale VPN. No port forwarding, no reverse proxy headaches, and no SSL certificate management required for initial setup.

📋 Prerequisites

  • Ubuntu 24.04 LTS (Server or Desktop)
  • A user with sudo privileges
  • A free Tailscale account (tailscale.com)
  • Basic terminal familiarity

🔹 Step 1: Install & Authenticate Tailscale on Ubuntu 24.04

Tailscale replaces traditional VPN complexity with WireGuard-based mesh networking. It automatically handles NAT traversal, DNS, and firewall rules.

1. Install the Tailscale Client

Run the official automated installer:

```bash
curl -fsSL https://tailscale.com/install.sh | sh
```

This script detects your APT package manager and sets up the tailscaled systemd service automatically.

2. Start & Authenticate the Client

```bash
sudo tailscale up
```

You’ll see output containing an authentication URL like https://login.tailscale.com/a/.... Open that link in any browser, sign in with your Tailscale account, and authorize the device.

3. Verify Connectivity

```bash
tailscale status
```

You should see your machine listed in the output. Head to your Tailscale Admin Console to confirm the device appears in your tailnet. Take note of the 4.x.x.x IPv4 address or the FQDN (e.g., yourhostname.tail-12345.tailnet.goog).


🔹 Step 2: Install Docker Engine

Ubuntu 24.04 no longer ships Docker in its default repositories. We’ll install it via Docker’s official APT repository.

```bash
# Install prerequisites
sudo apt update
sudo apt install -y ca-certificates curl gnupg

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add Docker repository (pinned to the key above via signed-by)
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Let the current user run docker without sudo (membership takes effect on the next login)
sudo usermod -aG docker $USER
newgrp docker
```

Log out and back in for group permissions to apply. Verify with docker --version and docker compose version.


🔹 Step 3: Deploy Vaultwarden via Docker

Vaultwarden is a Rust-based, resource-efficient alternative to Bitwarden’s official server. We’ll run it with persistent storage.

1. Pull the Image

```bash
docker pull vaultwarden/server:latest
```

2. Run the Container

```bash
# Generate the admin token first and print it once: generated inline inside `docker run`,
# you would never get to see the value you need for /admin.
ADMIN_TOKEN="$(openssl rand -base64 32)"
echo "Admin token: $ADMIN_TOKEN"   # save this somewhere safe before continuing

# Vaultwarden reads ADMIN_TOKEN for the /admin page (ADMIN_PASSWORD is not a Vaultwarden setting)
docker run -d \
  --name vaultwarden \
  --restart unless-stopped \
  -v /vw-data:/data \
  -p 8082:80 \
  -e SIGNUPS_ALLOWED=false \
  -e ADMIN_TOKEN="$ADMIN_TOKEN" \
  -e ENABLE_DB_WAL=true \
  vaultwarden/server:latest
```

Why this configuration?

  • -v /vw-data:/data: Persists your vault database, attachments, and config across container updates.
  • -p 8082:80: Maps to a non-privileged port to avoid conflicts with nginx/apache (optional but recommended).
  • SIGNUPS_ALLOWED=false: Disables public registration (recommended for private setups).
  • ADMIN_TOKEN: The secret for the /admin page; Vaultwarden reads ADMIN_TOKEN, not ADMIN_PASSWORD. The openssl call generates a random value. Save this! You’ll need it to access /admin.
  • Tailscale’s WireGuard tunnel encrypts the traffic in transit, so plain HTTP between tailnet peers is acceptable here. The Chrome/Web Crypto HTTPS warning in the Vaultwarden docs applies to public internet exposure, which we’re bypassing entirely.

Verify it’s running:

```bash
docker ps | grep vaultwarden
tailscale ip -4    # this host's Tailscale IPv4 address
```
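The script below is an added example for this step, not code from the original post or from the Vaultwarden or Tailscale projects. It starts the same container as above with two changes a defender would want: the published port is bound to the host's Tailscale address only, and the admin token is generated once into a root-readable file instead of inline, so it can be read back later. The file path /etc/vaultwarden/admin_token, the TS_IP override (only there so the functions can be exercised offline) and the constructed `ss` lines in the test are assumptions of this example; `tailscale ip -4` and `ss -Hltn` are the real CLI invocations.

```shell
#!/bin/sh
# Added example: deploy Vaultwarden reachable from the tailnet only, with a recoverable admin token.
set -eu

VW_DATA_DIR="${VW_DATA_DIR:-/vw-data}"                        # data dir from the post
VW_PORT="${VW_PORT:-8082}"                                    # host port from the post
VW_TOKEN_FILE="${VW_TOKEN_FILE:-/etc/vaultwarden/admin_token}" # assumed location

# This host's Tailscale IPv4 via `tailscale ip -4`; TS_IP overrides it for offline testing.
vw_tailscale_ip() {
  if [ -n "${TS_IP:-}" ]; then printf '%s\n' "$TS_IP"; return 0; fi
  tailscale ip -4
}

# Create a random admin token in file $1 (mode 0600, written under umask 077) and print
# the path. An existing non-empty file is kept, so re-running the script does not rotate it.
vw_write_admin_token() {
  if [ ! -s "$1" ]; then
    mkdir -p "$(dirname "$1")"
    ( umask 077
      if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32 > "$1"
      else
        head -c 32 /dev/urandom | base64 > "$1"   # fallback without openssl
      fi )
  fi
  chmod 600 "$1"
  printf '%s\n' "$1"
}

# Read `ss -Hltn` output on stdin and print every local address that listens on port $1 on
# all interfaces (0.0.0.0, [::] or *). Empty output means the port is bound to specific
# addresses only, which is what we want for a tailnet-only service.
vw_wide_open_listeners() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] != p) next
      host = substr($4, 1, length($4) - length(a[n]) - 1)
      if (host == "0.0.0.0" || host == "[::]" || host == "*") print host
    }'
}

# Start the container bound to the Tailscale address, then confirm nothing is wide open.
vw_deploy() {
  ip="$(vw_tailscale_ip)"
  token_file="$(vw_write_admin_token "$VW_TOKEN_FILE")"
  docker run -d \
    --name vaultwarden \
    --restart unless-stopped \
    -v "$VW_DATA_DIR:/data" \
    -p "$ip:$VW_PORT:80" \
    -e SIGNUPS_ALLOWED=false \
    -e ADMIN_TOKEN="$(cat "$token_file")" \
    -e ENABLE_DB_WAL=true \
    vaultwarden/server:latest
  echo "Vaultwarden is at http://$ip:$VW_PORT (admin token in $token_file)"
  if ss -Hltn | vw_wide_open_listeners "$VW_PORT" | grep -q .; then
    echo "WARNING: port $VW_PORT is listening on all interfaces, not only $ip" >&2
    return 1
  fi
}

# Run the deployment only when invoked as `sudo sh deploy-vaultwarden.sh deploy`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then vw_deploy; fi
```

Why bind to the Tailscale address: Docker publishes `-p 8082:80` through its own iptables chains rather than the host's INPUT chain, which is why the setup in this post works without a `ufw allow 8082` rule, but also why that port answers on every interface the host has regardless of `ufw default deny incoming`. `-p <tailscale-ip>:8082:80` limits the listener to the tailnet, and the `ss` check after deployment catches a regression if someone later drops the address prefix.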

🔹 Step 4: Access Vaultwarden Securely Over Tailscale

Because Tailscale creates a private encrypted network, you can access Vaultwarden as if you’re on the same local machine.

  1. On any device in your tailnet (Windows, macOS, Android, iOS, or another Ubuntu box), install the Tailscale client.
  2. Open your browser and navigate to http://<ubuntu-tailscale-ip>:8082 (replace <ubuntu-tailscale-ip> with the 4.x.x.x address from tailscale ip -4).
  3. Click Create Account and register as the first user.
  4. Log in and set up your master password.
  5. Install the Bitwarden browser extension or mobile app. In the extension settings, change the Server URI to your Tailscale address: http://<ubuntu-tailscale-ip>:8082

๐Ÿ” You now have a fully functional, self-hosted password manager accessible only from your tailnet. No public IPs, no exposed ports, no reverse proxy required.


🛠 Pro Tips for Production-Ready Setups

1. Use Docker Compose (Recommended)

The docker run command is great for quick starts. For maintainability, use a docker-compose.yml:

```yaml
version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - "8082:80"
    volumes:
      - /vw-data:/data
    environment:
      - SIGNUPS_ALLOWED=false
      # Vaultwarden reads ADMIN_TOKEN for /admin; supply it from a .env file next to this compose file
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - ENABLE_DB_WAL=true
    networks:
      - tailscale

networks:
  tailscale:
    # A named Docker network that must already exist (docker network create tailscale);
    # Tailscale itself runs on the host, not inside this network.
    external: true
```

Start with docker compose up -d.

2. Firewall with UFW

Tailscale only accepts traffic from authenticated tailnet peers on its own interface, but hardening UFW for the rest of the host is still wise:

```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow 41641/udp   # Tailscale's WireGuard UDP port, so peers can connect directly rather than via relays
sudo ufw enable
```

Note: You don’t need to open port 80/8082. Tailscale handles routing securely.

3. Backups

```bash
# Daily backup (/vw-data contains everything: db.sqlite3, rsa_key*, attachments, sends, config)
sudo rsync -av /vw-data/ /mnt/backup/vaultwarden/

# Compress periodically. A file-level copy taken while Vaultwarden is writing can catch
# db.sqlite3 mid-transaction, so stop the container first or snapshot the DB with sqlite3's .backup.
tar -czf /mnt/backup/vaultwarden-$(date +%F).tar.gz /vw-data/
```
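An added example that extends the backup snippet above (this is not the post's own script): it snapshots db.sqlite3 through SQLite's `.backup` command when `sqlite3` is installed on the host, so the copy is consistent even while the container is writing in WAL mode, copies the remaining data files, checksums and test-reads the archive before trusting it, and keeps only the newest N archives. The source and destination paths, the retention count and the VW_BACKUP_STAMP override (used only so the test can create several archives quickly) are assumptions of this example; the file names it looks for (db.sqlite3, rsa_key.pem, attachments, sends, config.json) are the ones Vaultwarden keeps under /data.

```shell
#!/bin/sh
# Added example: consistent, verified, rotated Vaultwarden backups.
set -eu

# Usage: vw_backup SRC DEST [KEEP]   e.g. vw_backup /vw-data /mnt/backup/vaultwarden 14
# Prints the path of the archive it created.
vw_backup() {
  src="$1"; dest="$2"; keep="${3:-14}"
  stamp="${VW_BACKUP_STAMP:-$(date +%F-%H%M%S)}"   # override exists for testing only
  work="$(mktemp -d)"
  mkdir -p "$dest"

  # 1. Database: use SQLite's backup API when available, because copying db.sqlite3 (and its
  #    -wal/-shm files) while the container writes can yield an inconsistent copy.
  if [ -f "$src/db.sqlite3" ] && command -v sqlite3 >/dev/null 2>&1; then
    sqlite3 "$src/db.sqlite3" ".backup $work/db.sqlite3"
  elif [ -f "$src/db.sqlite3" ]; then
    cp "$src/db.sqlite3" "$work/db.sqlite3"          # fallback; WAL/SHM are carried along below
    for wal in db.sqlite3-wal db.sqlite3-shm; do
      if [ -e "$src/$wal" ]; then cp "$src/$wal" "$work/"; fi
    done
  fi

  # 2. Everything else Vaultwarden keeps under /data: server keys, attachments, sends, config.
  for item in rsa_key.pem rsa_key.pub.pem attachments sends config.json; do
    if [ -e "$src/$item" ]; then cp -a "$src/$item" "$work/"; fi
  done

  # 3. Pack, checksum, and verify the archive reads back before it is trusted.
  archive="$dest/vaultwarden-$stamp.tar.gz"
  name="$(basename "$archive")"
  tar -czf "$archive" -C "$work" .
  ( cd "$dest" && sha256sum "$name" > "$name.sha256" )
  tar -tzf "$archive" >/dev/null
  ( cd "$dest" && sha256sum -c --quiet "$name.sha256" )
  rm -rf "$work"

  # 4. Retention: remove all but the newest $keep archives together with their checksum files.
  ls -1t "$dest"/vaultwarden-*.tar.gz | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done

  printf '%s\n' "$archive"
}

# Run as a daily cron/systemd job: `sh vw-backup.sh run` (paths are this example's assumptions).
if [ "${1:-}" = "run" ]; then vw_backup /vw-data /mnt/backup/vaultwarden 14; fi
```

Restoring is the reverse of step 3: verify the .sha256 file, extract into an empty /vw-data with the container stopped, and start it again; the integrity check at backup time is what makes that restore trustworthy.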

4. Public Exposure (Optional)

If you ever want to access Vaultwarden over the public internet, you must enable HTTPS. Use certbot with a reverse proxy (Caddy or Nginx), or generate self-signed certs with mkcert. Never expose Vaultwarden over HTTP publicly.


🎯 Conclusion

Combining Vaultwarden with Tailscale gives you enterprise-grade access control, military-grade encryption, and zero infrastructure overhead. By leveraging Tailscale’s WireGuard mesh network, you eliminate the most common self-hosting pitfalls: NAT complications, SSL certificate management, and port exposure risks.

Your password manager is now:
✅ Self-hosted & fully private
✅ Accessible from anywhere via your tailnet
✅ Secure by default (no public IPs or firewall rules needed)
✅ Ready for scaling with Docker Compose & automated backups

Drop a comment if you run into authentication hiccups, need help configuring Bitwarden clients, or want to extend this setup with TOTP generation or emergency access features. Stay secure, stay private. 🛡️💻

Published for Ubuntu 24.04 LTS | Tailscale & Vaultwarden versions current as of Jan 2026
Keywords: Ubuntu 24.04, Tailscale VPN, Vaultwarden, Docker, Self-Hosted Password Manager, Zero Trust Networking, Homelab Security
