VaultWarden with Tailscale Integration

This project sets up a VaultWarden instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your VaultWarden instance using Tailscale.

Prerequisites

• Docker and Docker Compose installed on your system
• A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys)
• HTTPS Certificates enabled in the DNS tab of Tailscale admin page
• Basic understanding of Docker and networking concepts

Project Structure

ts-vaultwarden/
├── docker-compose.yml
├── tailscale/
│   ├── tailscale-data/     # Persistent Tailscale state
│   └── config/             # Tailscale configuration files
└── vaultwarden/
    └── data/               # VaultWarden data 

Setup Instructions

1. Clone the Repository

   git clone https://gitea.damconsulting.llc/DAM/ts-vaultwarden
   cd ts-vaultwarden
   

2. Create Required Directories

   mkdir -p tailscale/tailscale-data vaultwarden/data
   

3. Configure Tailscale

   • Replace {{YOUR_TAILSCALE_AUTHKEY}} in the docker-compose.yml with your actual Tailscale auth key
   • Optionally, update the file in tailscale/config/serve.json if you need specific Tailscale serve configurations
     • CAUTION: Changing "${TS_CERT_DOMAIN}:443": false to true will expose the service to the internet

4. Configure VaultWarden

   • Replace {{YOUR_DOMAIN}} in the docker-compose.yml
   • Configuring the Admin page (WebUI)
     • For a basic configuration update the following ADMIN_TOKEN: "an-incredibly-complex-password-is-required" in the docker-compose.yml and change the password. This password permits access to your admin page
     • For enterprise grade security follow these directions.
   • OPTIONAL Vaultwarden's configuration is primarily managed through environment variables or a .env file for configuration options
     • Helpful Tutorial

5. Start the Services

   docker compose up -d
   

6. Wait for Certificate to propagate [~2m]

7. Login

   • After starting the services your service should be available via tailnet at https://vaultwarden.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://vaultwarden.tail12345.ts.net/

Services

vaultwarden-ts (Tailscale)

• Runs Tailscale VPN client
• Image: tailscale/tailscale:latest
• Container name: vaultwarden-ts
• Hostname: vaultwarden
• Requires NET_ADMIN and SYS_MODULE capabilities
• Persists state in ./tailscale/tailscale-data
• Uses configuration from ./tailscale/config

vaultwarden

• Depends on vaultwarden-ts service

Usage

• After starting the services your service should be available via tailnet at https://vaultwarden.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://vaultwarden.tail12345.ts.net/
• To manually get the Tailscale IP/hostname of your container:

  docker logs vaultwarden-ts
  

  Look for the Tailscale IP address in the logs.

Optional Features

• Add the port mapping if you need direct access (without Tailscale):

  ports:
  - 80:80
  

• Stopping the Services

  docker compose down
  

Troubleshooting

• Check container logs:

  docker logs vaultwarden-ts
  docker logs vaultwarden
  

• Ensure your Tailscale auth key is valid and not expired
• Verify the configuration files have proper permissions
• Make sure required directories exist before starting

Notes

• The VaultWarden service uses the Tailscale service's network stack via network_mode: service:vaultwarden-ts
• Direct port mapping is disabled by default as Tailscale handles the networking
• Services restart automatically unless explicitly stopped
• For more information:
  • Tailscale documentation: https://tailscale.com/kb/
  • VaultWarden documentation: https://github.com/dani-garcia/vaultwarden/wiki
  • VaultWarden repository: https://github.com/dani-garcia/vaultwarden