Help with HTTPS, using duckdns and opnsense

Hello!

I am hoping someone can help me get this project across the finish line. I have a bitwarden account through work, but I want to migrate my personal database to self-hosted. I already have a duckdns site and forwarding set up in opnsense for a plex server, which works fine. I want to add a password manager to that same in-house server. First I spun up a bitwarden container, but realized that half the features I wanted are behind a paywall. Plus I like FOSS software (I have a dozen containers with Home Automation software on that same server), so I wanted to get into Vaultwarden.

I am stuck with the https requirement for initial user creation. I can get vaultwarden docker running with no reverse proxy and direct-to-container port forwarding through opnsense, though it’s currently disabled because I don't want to just leave it open until I get this all figured out. At first I wanted to avoid opening more ports for this project altogether because I usually just use wireguard to phone-home. No open ports is best security in my mind. But I understand now that these password managers like to phone home through SSL, so I might as well take this opportunity to learn about certificates and get it running. Would be nice to not have to click through that warning whenever I access my local services on my local LAN, too, I guess.

I get pretty far into the ‘official’ tutorials, but caddy is entirely new learning material for me. I’ve got it installed into the baremetal ubuntu that drives my server, though I suspect I didn’t need to do that since vaultwarden uses it in a container.

I’ve tried the Using Docker Compose · dani-garcia/vaultwarden Wiki guide part about “Caddy with DNS challenge”, but I get stuck at caddy. When I download the duckdns-added version of caddy, it’s not just a “caddy” file, and when I make that downloaded file executable with chmod, it still won't run the way the next steps in the instructions say it should.

So then I think more about the ‘opening ports is better for the mobile app on WAN’, and I convince myself it's ok to open a port or two for Vaultwarden and I think about using the guide part about “Caddy with HTTP challenge”, but I get worried because it says it’s going to need ports 80 and 443 for the certificates, but my OPNSense firewall uses those in the anti-lockout firewall rules that I cannot modify. So I don't know that I can forward those ports over to the server/container.

Anyone willing/able to point me in the right direction to set up OPNSense so that it can give my vaultwarden instance an SSL certificate SAFELY? I am a bit lost in all the options. I see nginx being talked about, and that’s available as a container, but I also see it mentioned in OPNSense options, but I also see a LOT of warnings about security with nginx … and my head starts to spin. It’s too much to consume at once. Can someone point me in the right direction?

Thank you!

I have a similar setup. I used the HAPROXY plugin on OPNsense to create an https/ssl connection. Yes, you have to open port 443, but it should be safe with password and 2-step auth.

I followed this tutorial and for a year I opened the necessary ports a few minutes every 90 days for caddy to automatically renew the certificate.

Recently I switched caddy from http to dns challenge to avoid the nuisance of briefly opening ports. Still waiting to see how smoothly the renewal process goes when the certificates need renewal.

Following the official vaultwarden wiki tutorial to the letter sounds like the best approach though.
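A minimal Caddyfile for the DNS-challenge route the first post was attempting and the later reply switched to, added here as an example and not taken from the vaultwarden wiki or from either poster. It assumes a caddy binary built with the caddy-dns/duckdns module and DUCKDNS_TOKEN set in caddy's environment; the hostname, e-mail address and container name are placeholders.

```caddyfile
# Added example, not the wiki's or the posters' config. Assumptions:
# - caddy was built with the caddy-dns/duckdns module (xcaddy, or the
#   download page with that plugin ticked), so "dns duckdns" is available
# - DUCKDNS_TOKEN is exported in the environment caddy runs in
# - the vaultwarden container is reachable as "vaultwarden" on port 80
# - example.duckdns.org and admin@example.com are placeholders

{
    # Contact address Let's Encrypt uses for expiry notices (placeholder)
    email admin@example.com
}

example.duckdns.org {
    # DNS-01 challenge: ownership is proven by a TXT record that caddy
    # creates at DuckDNS with the token, so no inbound port 80 is needed
    # and the firewall's port 80/443 rules are not touched for issuance.
    # Caddy renews automatically before expiry using the same mechanism.
    tls {
        dns duckdns {env.DUCKDNS_TOKEN}
    }

    encode gzip

    # Defensive response headers for a password-manager front end
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "same-origin"
    }

    # Hand everything to the vaultwarden container over the docker network
    reverse_proxy vaultwarden:80
}
```

Because validation happens through DNS, caddy can obtain and renew the certificate without any inbound port being forwarded; forwarding 443 to the proxy is only needed if the vault should be reachable from the WAN rather than over the LAN or the wireguard tunnel.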