Vaultwarden on Oracle Cloud VPS

Configuration with Cloudflare, Cloudflared, NPM and Webtop

Please read our disclaimer

Vaultwarden Oracle Cloud Free VPS


The following videos were watched, understood and previously implemented:


  • Oracle Cloud account already signed up and approved. (Oracle takes up to 5 business days to approve accounts, It took mine 4 days since it was during the holidays, but it could be quicker.)

  • Putty already installed on your system. (We need this for SSH and port forwarding.)

  • Make sure to NOT skip any STEPS for any reason.


  • USE

  • P@ssw0rd!

  • proxy

  • Proxy

  • ubuntu



  • non-root user





  • n-p-m.DOMAIN.COM

  • beta


Oracle Cloud and SSH Steps

  1. Go to your Oracle Cloud account.

  2. Once you are in your account, click on the top left hamburger that looks like 3 lines parallel on top of each other.

  3. After clicking that, click on Compute.

  1. Open Putty and paste the IP address you copied into the SSH bar. Name the session, and click save. After that, click on the + icon beside SSH and then click on Auth.

  2. Browse for the Private key you saved earlier and open it. Now in Putty, click the open button.

  3. A terminal will appear and another box in front of it asking for permission, click Accept.

  4. Now it wants you to login and by default the user is ubuntu, now input the private key password that we input before saving it.

We are now SSH’d into the VPS server.

Port Forwarding to Local Machine

Let's port-forward Webtop and N.P.M using Putty so only your PC/Machine can access it.

  1. Now we right-click the top bar of Putty and click Change Settings.

2. We now click the + sign beside SSH and then click Tunnels.

3. We are going to input the port of Webtop into Source port which is 3000 and we are going to put for the destination.

4. Furthermore, we will now click the Add button and add N.P.M. as well if you want to do it from that WebUI instead of Webtop which is HIGHLY recommended since it's much easier to add your Cloudflare Origin Certification.

The following is the end result:

Setting up the VPS for installation

Now that we are SSH’d into the VPS, we will run a couple of commands. Run the following:

sudo -i     #This is to become root user.
apt-get update && apt-get upgrade #Upgrade and update all your software. #Enter on `Yes` two times when it prompts you.

We are now going to install Docker and Docker-compose.

  • Run these commands:

(Any of these commands that prompt you for Y or N, just type Y and click enter.)

apt-get install \
    ca-certificates \
    curl \
    gnupg \
curl -fsSL | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli
apt-cache madison docker-ce
sudo curl -L "" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

We now have both of them installed, to make sure we have them installed, run the following:

docker version
docker-compose version

Both output the version. Now let's go install Webtop, Nginx Proxy Manager, and Vaultwarden.

Run the following commands:

cd /home/ubuntu/
mkdir containers
cd /home/ubuntu/containers/
mkdir {webtop,npm,vaultwarden} #This command makes the three directories we need.

Install Fish Shell – Optional

#We are going to install `fish` which is and user-friendly command line.
apt-get install fish #Click `Y` and Enter.
#We are going to make it the the default shell.
usermod --shell /bin/fish USER #Replace the Placeholder to `root`. Do the same for `ubuntu` if you want.
#If you want to change back then run the following command:
usermod --shell /bin/bash USER
#If you don't want to change users to have `fish` then run the following:

Webtop installation – Optional Shell – Optional

Important notice: The default abc user isn't supposed to be removed or changed, since it already has config permissions and other access that is required to use webtop.


Run these commands:

sudo usermod -aG docker ubuntu #Gives our user docker access.
docker network create proxy #Creates the network named `proxy`.
cd webtop #Directory change.
nano docker-compose.yml  #To build our docker-compose file.

We are going to use the .env file, so it’s not commented out and only change your timezone PUID AND PGUID depending on the user.

If you are using the default Ubuntu user then it’s the same number for both that is already there and if you want to know your ID then run this command:


In the docker-compose, we are going to paste the following:

    version: "2.1"
        image: #choose your flavor
        hostname: webtop
        container_name: webtop
        #privileged: true #optional but not needed unless you are running kde or i3 or other tools.
          - PUID=1001 # based on id
          - PGID=1001 # based on group
          - TZ=America/Chicago # your timezone
          - FILE__PASSWORD=./password #This is used if you use the .env file and want a permanent password change.
          - ./../../:/mnt/share #This will mount the relative path to the path in the container. 
          - /opt/appdata/webtop:/config #All Container Directory directory.
          - /var/run/docker.sock:/var/run/docker.sock #optional only if you need access to docker within this container.
          - 3000:3000
        shm_size: "2gb" #optional but set to 1GB or higher to prevent browser crashes
        restart: unless-stopped
        #If .env is used uncomment this line.
        env_file:  #only necessary if you want to change the password, see .env file
          - .env
        external: true
        name: proxy

Now back to the docker-compose.yml file, make sure that you save it with CTRL+X, Y and ENTER.

Run this command for the .env file.

nano .env

In here, paste this in and change the placeholder. Later we will define the same password in the Webtop system to the user abc.


Save the file and run:

docker-compose up -d #This will compose the files and install webtop.

Password change of Webtop

Go into your browser and input and login We defined the password in .env file now we need to do the same in the Webtop terminal.

This method doesn't permanently change the password of the container, but this method here does.

The terminal can be found if you click Menu in the top left corner of the webpage, hover over System Tools and click MATE Terminal as shown below.

Now, to change your password to the specified user, abc we need to run the following command.

sudo passwd abc  #Running this as root to change the password of user `abc`.

FOR Permanent PASSWORD change, even if you move the container

#While the container is running run:

docker exec -it webtop passwd abc

#Input the password you listed in the `.env` file.

The command above and below will force the site you put for Webtop to go to the following screen below since we changed the password permanently, which is highly recommended you do.

If you ever lose your password, you can always reset it by execing into the container as root:

sudo docker exec -it webtop passwd abc

By default, it performs all logic for the abc user and I recommend using that user only in the container, but new users can be added as long as there is a executable script in their home directory. All of these containers are configured with passwordless sudo, I do not recommend ever publishing Webtop ports to the public Internet. Which we take them off after Argo Tunneling the containers.

In here you don't change the Session section, only input the default user abc and your new password, and you will be able to enter the Webtop panel.

Installation of N.P.M.

Run these commands:

cd /home/ubuntu/containers/npm/
nano docker-compose.yml

In the yaml paste the following below:

version: "3.8"
    container_name: nginx-proxy-manager
    image: jc21/nginx-proxy-manager
    hostname: nginx-proxy-manager
    restart: unless-stopped
      # Public HTTP Port:
      - 80:80
      # Public HTTPS Port:
      - 443:443
      # Admin Web Port:
      - 81:81
      # Uncomment this if IPv6 is not enabled on your host
      DISABLE_IPV6: 'true'
      # Make sure this config.json file exists as per instructions below:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - db
      test: ["CMD", "/bin/check-health"]
      interval: 10s
      timeout: 3s
    container_name: proxy-mariadb
    image: yobasystems/alpine-mariadb:10.5.11
    restart: unless-stopped
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'proxyManager'
      - ./data/mysql:/var/lib/mysql

      name: proxy

Save the file.

Run the following command.

nano config.json

Paste the following:

  "database": {
    "engine": "mysql",
    "host": "db",
    "name": "npm",
    "user": "proxyManager",
    "password": "SOMETHING", #Only change the password to what you put in the `docker-compose.yml` file.
    "port": 3306

Save the file and run:

docker-compose up -d

Vaultwarden Installation

Run the following commands:

cd /home/ubuntu/containers/vaultwarden/
nano docker-compose.yml

Now paste the following:

version: "3.8"
    image: vaultwarden/server:latest
    hostname: vaultwarden
    container_name: vaultwarden
    restart: unless-stopped
    # Port for WebSocket notifications
      - 3012:3012
    # Enable WebSocket notifications.
      - ./data:/data

    external: true
    name: proxy

Save the file.


docker-compose up -d

N.P.M. Setup

Since we already have the local ports open for NPM we just need to open up a browser on any computer and input the we will then follow the same steps taken here.

N.P.M. Setup in Webtop or your Browser

As shown in the above image, we add it first and then click apply. Now we have a Webtop port forwarded, and we are now going to access it by inputting the in a web browser on your system, then you will be redirected to Webtop. In Webtop, open Firefox which is located on the top left of the screen and input in the address bar this PUBLIC_IP_OF_VPS:81 This is, so we can access NPM.

5. We now sign in with the default credentials, which are. and changeme

6. Now when we sign in it will ask us to edit the user account which we put our own email and password on the next screen.

Creating an Origin Certificate

7. After that we will open a new tab, go to Cloudflare and login. Then we are going to make a new origin certificate, go to the next page from below:

8. We now need to create a file that ends with .pem to put the certificate origin inside it, and then we create a file that ends with .key we paste in the private key in there.

9. Now we click Ok and head back to NPM, go to the SSL cert. Tab, click add SSL Cert and click custom.

10. We will now put the .key file we have into the key section and the .pem into the certification section and then click Ok to add it.

Cloudflare's configuration for VPS

11. We now head back over to Cloudflare and set up our DNS names. We will put an A name to whatever name we want and then the IPV4 section will be the PUBLIC_IP_OF_VPS as shown below and proxy it.

12. Furthermore, we will now put our 3 CNAMES that we want to use for our containers.

13. Now since we have that setup, let’s head back to NPM and go to the proxy tab. Below is how all the proxies should look like once you proxied all of them.

For anyone wanting to know why I didn’t use with the subdomain in front of it for any of the containers.

It is due to Cloudflare already linking each subdomain to beta and that is linked to the VPS IP and your main domain, which in this example it would be for me.

Argo Tunneling:ARM64

This Argo Tunneling section NOT required but is HIGHLY recommended having implemented into your VPS for security reasons.

Run the following commands:

sudo -i  #Become root.
cd /home/ubuntu/containers/
mkdir cloudflared #We are now going to make the folders for Cloudflared.
cd /home/ubuntu/containers/cloudflared/
mkdir data

The following commands are going to be used to install and configure Cloudflared:

Please read and follow instructions carefully.

#I have tried running the `chmod -R 775` command so not every user may have access to the specified folder, though that didn't work and the following did:
sudo chmod -R 777 /home/ubuntu/containers  #This will allow everyone to modify the folders in `containers` directory.
nano docker-compose.yml

We are going to put the following in the docker-compose and when we compose it, the container will not work, which is fine. What we will want is the image, and then we will go back to the container to edit a couple of things.

version: "3.8"
    container_name: cloudflared
    restart: unless-stopped
    network_mode: "host"
      - PUID=1001
      - PGID=1001
    command: tunnel --config /home/nonroot/.cloudflared/config.yaml run RANDOM-NUMBERS-FOR-NOW  #We are going to replace the placeholder later.
      - ./data:/home/nonroot/.cloudflared/
      - "beta.DOMAIN.COM:" #This is needed so that cloudflare may link this to the certificate so it's detected as valid.

Save the file with Ctrl+X, Press Y and then ENTER.

Run the following:
docker-compose up -d  #This could take 2 minutes for the image to build.
docker image ls #Find the cloudflared Image and copy/highlight the `Image ID`.
docker run -it --rm -v /home/ubuntu/containers/cloudflared/data:/home/nonroot/.cloudflared/ CLOUDFLAREDIMAGEID tunnel login #Make sure to replace the placeholder with your Cloudflared Image.

We are now going to make the tunnel and the config.yaml file.

docker run -it --rm -v /home/ubuntu/containers/cloudflared/data:/home/nonroot/.cloudflared/ CLOUDFLAREDIMAGEID tunnel create TUNNELNAME #This is to make the tunnel.

To make theCNAME for the tunnel, please have it like the following:

Now let's go back to the Putty Terminal and run the following:

cd data
nano config.yaml #In here paste the following:
credentials-file: /home/nonroot/.cloudflared/TUNNELUUID.json

# NOTE: You should only have one ingress tag, so if you uncomment one block comment the others

#forward all traffic to Reverse Proxy w/ SSL
  - service: https://IPV4_OF_VPS:443
      originServerName: n-p-m.DOMAIN.COM
#forward all traffic to Reverse Proxy w/ SSL and no TLS Verify
#  - service: https://REVERSEPROXYIP:PORT
#    originRequest:
#      noTLSVerify: true

#forward all traffic to reverse proxy over http
#  - service: http://REVERSEPROXYIP:PORT

Save the file.

cd .. 
nano docker-compose.yml

In the compose file we are going to change the RANDOM_NUMBERS we had in the command: line to the TUNNELUUID and then we are going to save the file.

version: "3.8"
    container_name: cloudflared
    restart: unless-stopped
    network_mode: "host"
      - PUID=1001
      - PGID=1001
   command: tunnel --config /home/nonroot/.cloudflared/config.yaml run TUNNELUUID #This command runs the tunnel. (Used to be RANDOM_NUMBERS. 
      - ./data:/home/nonroot/.cloudflared/
      - "beta.DOMAIN.COM:" #This is needed so that cloudflare may link this to the certificate so it's detected as valid.

Now run the following commands:

docker-compose down
docker-compose up -d
#Now if we run `docker ps`, you will see that Cloudflared is up and running.
docker logs cloudflared

We will now go into NPM with our domain we already have.

Hostname explanation

Back in the Putty terminal, run the following:

cd /home/ubuntu/containers/npm/
nano docker-compose.yml
#Look at the new added line below.

As always make sure to save the file after editing it and let's run the following to update the container:

docker-compose up -d #We do this if we edited the docker-compose file but if we edited anything else.
#For example the `config.yaml` file of Cloudflared, we edit that and we only have to run the following command:
`docker-compose restart`. That's it.

If you don't know already, you don't need to port forward any ports, since your Argo Tunneling takes care of that and lets you access it without exposing those ports to the outside world.

You can also remove the Tunnel we have in the Putty Terminal if not done so already.

That is all you have to do for Argo Tunneling on this arm64-vps, have a great day everyone!

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Discord Community member Norkz, based on the IBRACORP Vaultwarden guide found here.

Want to contribute a guide? Join our Discord below and let us know!

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

Thank you for being part of our community!

Last updated