[無料] GCEでサクッとパスワードマネージャーサーバを立てた(Vaultwarden)

概要

パスワードマネージャーとして、1Passwordを使っていましたが、サーバを自分でセルフホストして使えるBitwardenというOSSがあるのを知りました。
そこで、パスワードマネージャーへかかる費用を削減すべく、乗り換えました。
どうせならとことん費用を抑えようと思って色々工夫したら維持費が完全無料になりました。
Bitwarden: https://bitwarden.com/ja-JP/

比較

• これまで使っていた1Passwordはファミリープランです。
• Bitwardenにはセルフホストしない、1Passwordと同じようなサブスク型の有料プランがありますが、今回は無視します。(とても安いけど)

比較項目	1Password	Bitwarden(セルフホスト)
費用	有料($4.99)	無料
アカウント数	5人	無制限
チーム内共有	可能	可能
クライアント	macOS、Windows、Linux、iOS、Android、CLI、ChromeOS	macOS、Windows、Linux、iOS、Android、CLI
生体認証	対応	対応
ブラウザ自動入力	対応	対応
ブラウザ拡張機能	Chromium系、Firefox系、Safari	Chromium系、Firefox系、Safari、Opera
ワンタイムパスコード	対応	対応
外部とのパスワード共有	対応	非対応
SSH鍵管理機能	対応	非対応

環境

Bitwardenサーバ構築をした環境は以下のとおりです。

サーバ

GCEの無料枠のVM(e2-micro)を利用しています。(https://cloud.google.com/free/docs/free-cloud-features?hl=ja#free-tier-usage-limits)
パスワード管理を数百人数千人のアカウントで行うわけじゃないので、性能的にも、ストレージ的にもこれで十分かと判断しました。
外向きの通信(1GB/1ヶ月)もオーバーしないと判断しました。
OSは適当にRockyLinuxにしましたが、Dockerつかってるわけですし、別にDebianとかでも大丈夫だと思います。

これで完全に無料でサーバマシンが用意できました。

利用したもの

• Vaultwarden

  • BitwardenをRustで書いたという、Vaultwardenを利用します。
  • こちらは非公式版という位置づけながら、軽量とのことなので、使うことにしました。

• Tailscale

  • P2Pでクライアント同士をつないでくれます。WireGuardベースです。
  • これめっちゃ便利です。かんたんに導入できます。各種アカウントによるSSO対応です。
    • Androidであれば、常時接続型VPNとして指定すればずっとつながっててくれます。

前提

• Dockerはサーバに導入済みであること(https://github.com/Miutaku/docker-ansible で構築かんたんにできます)
• TailscaleのSSL証明書発行機能を今回は利用しました。
  • 閉じたネットワークの中で、安全かつSSL証明書を楽に発行してくれるので、今回のニーズに合っているため利用しました。
  • Magic DNSは有効にしておきます。

作業

Docker IPv6対応

私事ながら、IPv6でしかアクセスできない環境にてパスワードを見たくなることがあるので、IPv6でのアクセスができるようにしておきます。

$ sudo ip6tables -t nat -A POSTROUTING -s fd6d:6168:6f72:6901::/64 ! -o docker0 -j MASQUERADE

環境用意

今回はこのレポジトリを利用させてもらいました。https://github.com/erkenes/vaultwarden-server.git

$ git clone https://github.com/erkenes/vaultwarden-server.git
Cloning into 'vaultwarden-server'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 22 (delta 0), reused 1 (delta 0), pack-reused 19
Receiving objects: 100% (22/22), 5.37 KiB | 5.38 MiB/s, done.
Resolving deltas: 100% (2/2), done.

$ cd vaultwarden-server/
$ mkdir data
$ mkdir reverse-proxy
$ mkdir reverse-proxy/conf
$ mkdir reverse-proxy/ssl

nginx (reverse proxy)

• Nginxのconfigを用意します。

$ cat > reverse-proxy/conf/nginx.conf
events {}

http{
  server {
    listen 80;
    return 301 https://$host$request_uri;
  }

  server {
    listen 443 ssl;

    ssl_certificate /etc/ssl/certs/ssl.crt;
    ssl_certificate_key /etc/ssl/key/ssl.key;

    location / {
        proxy_pass http://vaultwarden;
    proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }

  location /notifications/hub {
    proxy_pass http://vaultwarden:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass http://vaultwarden:80;
  }
}
}

• SSL証明書を配置

$ cp /path/to/<サーバ証明書>.crt reverse-proxy/ssl/
$ cp /path/to/<秘密鍵>.key reverse-proxy/ssl/

vaultwarden

• 今回は、DBにはsqlite3を利用しています。
  • Postgreとかでもいいですし、MySQLとかのRDBMSでもいいらしいです。
• メール送信をVaultwardenが行えるよう、SMTPの情報を取得しておきます。私はOutlookを利用しました。(Gmailは無理なので)
  • 以下の用途でメールが使われます。
    • アカウントの登録時の認証
    • 新規端末によるログイン通知
    • etc

$ openssl rand -base64 48 # Admin画面にアクセスするためのtokenを発行しておきます。

$ cat > vaultwarden.env
## Vaultwarden Configuration File
## Uncomment any of the following lines to change the defaults
##
## Be aware that most of these settings will be overridden if they were changed
## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
##
## By default, vaultwarden expects for this file to be named ".env" and located
## in the current working directory. If this is not the case, the environment
## variable ENV_FILE can be set to the location of this file prior to starting
## vaultwarden.

## Main data folder
# DATA_FOLDER=data

## Database URL
## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
DATABASE_URL=data/db.sqlite3
## When using MySQL, specify an appropriate connection URI.
## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
# DATABASE_URL=mysql://user:password@host[:port]/database_name
## When using PostgreSQL, specify an appropriate connection URI (recommended)
## or keyword/value connection string.
## Details:
## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
# DATABASE_URL=postgresql://user:password@host[:port]/database_name

## Database max connections
## Define the size of the connection pool used for connecting to the database.
# DATABASE_MAX_CONNS=10

## Database connection initialization
## Allows SQL statements to be run whenever a new database connection is created.
## This is mainly useful for connection-scoped pragmas.
## If empty, a database-specific default is used:
## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
## - MySQL: ""
## - PostgreSQL: ""
# DATABASE_CONN_INIT=""

## Individual folders, these override %DATA_FOLDER%
# RSA_KEY_FILENAME=data/rsa_key
# ICON_CACHE_FOLDER=data/icon_cache
# ATTACHMENTS_FOLDER=data/attachments
# SENDS_FOLDER=data/sends
# TMP_FOLDER=data/tmp

## Templates data folder, by default uses embedded templates
## Check source code to see the format
# TEMPLATES_FOLDER=/path/to/templates
## Automatically reload the templates for every request, slow, use only for development
# RELOAD_TEMPLATES=false

## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
# IP_HEADER=X-Real-IP

## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
# ICON_CACHE_TTL=2592000
## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
# ICON_CACHE_NEGTTL=259200

## Web vault settings
# WEB_VAULT_FOLDER=web-vault/
# WEB_VAULT_ENABLED=true

## Enables websocket notifications
WEBSOCKET_ENABLED=false

## Controls the WebSocket server address and port
# WEBSOCKET_ADDRESS=0.0.0.0
# WEBSOCKET_PORT=3012

## Controls whether users are allowed to create Bitwarden Sends.
## This setting applies globally to all users.
## To control this on a per-org basis instead, use the "Disable Send" org policy.
# SENDS_ALLOWED=true

## Controls whether users can enable emergency access to their accounts.
## This setting applies globally to all users.
# EMERGENCY_ACCESS_ALLOWED=true

## Job scheduler settings
##
## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
## and are always in terms of UTC time (regardless of your local time zone settings).
##
## How often (in ms) the job scheduler thread checks for jobs that need running.
## Set to 0 to globally disable scheduled jobs.
# JOB_POLL_INTERVAL_MS=30000
##
## Cron schedule of the job that checks for Sends past their deletion date.
## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
# SEND_PURGE_SCHEDULE="0 5 * * * *"
##
## Cron schedule of the job that checks for trashed items to delete permanently.
## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
##
## Cron schedule of the job that checks for incomplete 2FA logins.
## Defaults to once every minute. Set blank to disable this job.
# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
##
## Cron schedule of the job that sends expiration reminders to emergency access grantors.
## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 5 * * * *"
##
## Cron schedule of the job that grants emergency access requests that have met the required wait time.
## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 5 * * * *"

## Enable extended logging, which shows timestamps and targets in the logs
# EXTENDED_LOGGING=true

## Timestamp format used in extended logging.
## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"

## Logging to file
# LOG_FILE=/path/to/log

## Logging to Syslog
## This requires extended logging
# USE_SYSLOG=false

## Log level
## Change the verbosity of the log output
## Valid values are "trace", "debug", "info", "warn", "error" and "off"
## Setting it to "trace" or "debug" would also show logs for mounted
## routes and static file, websocket and alive requests
# LOG_LEVEL=Info

## Enable WAL for the DB
## Set to false to avoid enabling WAL during startup.
## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
## this setting only prevents vaultwarden from automatically enabling it on start.
## Please read project wiki page about this setting first before changing the value as it can
## cause performance degradation or might render the service unable to start.
# ENABLE_DB_WAL=true

## Database connection retries
## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
# DB_CONNECTION_RETRIES=15

## Icon service
## The predefined icon services are: internal, bitwarden, duckduckgo, google.
## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
##
## `internal` refers to Vaultwarden's built-in icon fetching implementation.
## If an external service is set, an icon request to Vaultwarden will return an HTTP
## redirect to the corresponding icon at the external service. An external service may
## be useful if your Vaultwarden instance has no external network connectivity, or if
## you are concerned that someone may probe your instance to try to detect whether icons
## for certain sites have been cached.
# ICON_SERVICE=internal

## Icon redirect code
## The HTTP status code to use for redirects to an external icon service.
## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
## Temporary redirects are useful while testing different icon services, but once a service
## has been decided on, consider using permanent redirects for cacheability. The legacy codes
## are currently better supported by the Bitwarden clients.
# ICON_REDIRECT_CODE=302

## Disable icon downloading
## Set to true to disable icon downloading in the internal icon service.
## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
## will be deleted eventually, but won't be downloaded again.
# DISABLE_ICON_DOWNLOAD=false

## Icon download timeout
## Configure the timeout value when downloading the favicons.
## The default is 10 seconds, but this could be to low on slower network connections
# ICON_DOWNLOAD_TIMEOUT=10

## Icon blacklist Regex
## Any domains or IPs that match this regex won't be fetched by the icon service.
## Useful to hide other servers in the local network. Check the WIKI for more details
## NOTE: Always enclose this regex withing single quotes!
# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'

## Any IP which is not defined as a global IP will be blacklisted.
## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
# ICON_BLACKLIST_NON_GLOBAL_IPS=true

## Disable 2FA remember
## Enabling this would force the users to use a second factor to login every time.
## Note that the checkbox would still be present, but ignored.
# DISABLE_2FA_REMEMBER=false

## Maximum attempts before an email token is reset and a new email will need to be sent.
# EMAIL_ATTEMPTS_LIMIT=3

## Token expiration time
## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
# EMAIL_EXPIRATION_TIME=600

## Email token size
## Number of digits in an email 2FA token (min: 6, max: 255).
## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
# EMAIL_TOKEN_SIZE=6

## Controls if new users can register
SIGNUPS_ALLOWED=false

## Controls if new users need to verify their email address upon registration
## Note that setting this option to true prevents logins until the email address has been verified!
## The welcome email will include a verification link, and login attempts will periodically
## trigger another verification email to be sent.
# SIGNUPS_VERIFY=false

## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
## an email verification link has been sent another verification email will be sent
# SIGNUPS_VERIFY_RESEND_TIME=3600

## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
## email will be re-sent upon an attempted login.
# SIGNUPS_VERIFY_RESEND_LIMIT=6

## Controls if new users from a list of comma-separated domains can register
## even if SIGNUPS_ALLOWED is set to false
# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org

## Controls which users can create new orgs.
## Blank or 'all' means all users can create orgs (this is the default):
# ORG_CREATION_USERS=
## 'none' means no users can create orgs:
# ORG_CREATION_USERS=none
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com

## Token for the admin interface, preferably use a long random string
## One option is to use 'openssl rand -base64 48'
## If not set, the admin panel is disabled
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
ADMIN_TOKEN=<作成したtokenを貼る>

## Enable this to bypass the admin panel security. This option is only
## meant to be used with the use of a separate auth layer in front
# DISABLE_ADMIN_TOKEN=false

## Invitations org admins to invite users, even when signups are disabled
INVITATIONS_ALLOWED=false
## Name shown in the invitation emails that don't come from a specific organization
# INVITATION_ORG_NAME=Vaultwarden

## Per-organization attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per organization.
## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
# ORG_ATTACHMENT_LIMIT=
## Per-user attachment storage limit (KB)
## Max kilobytes of attachment storage allowed per user.
## When this limit is reached, the user will not be allowed to upload further attachments.
# USER_ATTACHMENT_LIMIT=

## Number of days to wait before auto-deleting a trashed item.
## If unset (the default), trashed items are not auto-deleted.
## This setting applies globally, so make sure to inform all users of any changes to this setting.
# TRASH_AUTO_DELETE_DAYS=

## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
## resulting in an email notification. An incomplete 2FA login is one where the correct
## master password was provided but the required 2FA step was not completed, which
## potentially indicates a master password compromise. Set to 0 to disable this check.
## This setting applies globally to all users.
# INCOMPLETE_2FA_TIME_LIMIT=3

## Controls the PBBKDF password iterations to apply on the server
## The change only applies when the password is changed
# PASSWORD_ITERATIONS=100000

## Controls whether users can set password hints. This setting applies globally to all users.
# PASSWORD_HINTS_ALLOWED=true
PASSWORD_HINTS_ALLOWED=false # セキュリティ的に不要のため

## Controls whether a password hint should be shown directly in the web page if
## SMTP service is not configured. Not recommended for publicly-accessible instances
## as this provides unauthenticated access to potentially sensitive data.
# SHOW_PASSWORD_HINT=false

## Domain settings
## The domain must match the address from where you access the server
## It's recommended to configure this value, otherwise certain functionality might not work,
## like attachment downloads, email links and U2F.
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
DOMAIN=https://<VaultwardenサーバのFQDN>

## Allowed iframe ancestors (Know the risks!)
## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
## Multiple values must be separated with a whitespace.
# ALLOWED_IFRAME_ANCESTORS=

## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
# LOGIN_RATELIMIT_SECONDS=60
## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
# LOGIN_RATELIMIT_MAX_BURST=10

## Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in.
# ADMIN_RATELIMIT_SECONDS=300
## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
# ADMIN_RATELIMIT_MAX_BURST=3

## Yubico (Yubikey) Settings
## Set your Client ID and Secret Key for Yubikey OTP
## You can generate it here: https://upgrade.yubico.com/getapikey/
## You can optionally specify a custom OTP server
# YUBICO_CLIENT_ID=11111
# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify

## Duo Settings
## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
## Then set the following options, based on the values obtained from the last step:
# DUO_IKEY=<Integration Key>
# DUO_SKEY=<Secret Key>
# DUO_HOST=<API Hostname>
## After that, you should be able to follow the rest of the guide linked above,
## ignoring the fields that ask for the values that you already configured beforehand.

## Authenticator Settings
## Disable authenticator time drifted codes to be valid.
## TOTP codes of the previous and next 30 seconds will be invalid
##
## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
## we allow by default the TOTP code which was valid one step back and one in the future.
## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
## You can disable this, so that only the current TOTP Code is allowed.
## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
# AUTHENTICATOR_DISABLE_TIME_DRIFT=false

## Rocket specific settings
## See https://rocket.rs/v0.4/guide/configuration/ for more details.
# ROCKET_ADDRESS=0.0.0.0
# ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise.
# ROCKET_WORKERS=10
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}

## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
SMTP_HOST=<smtp server host>
SMTP_FROM=<送り元メールアドレス>
# SMTP_FROM_NAME=Vaultwarden
# SMTP_SECURITY=starttls # ("starttls", "force_tls", "off") Enable a secure connection. Default is "starttls" (Explicit - ports 587 or 25), "force_tls" (Implicit - port 465) or "off", no encryption (port 25)
SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
SMTP_USERNAME=<SMTPユーザ名>
SMTP_PASSWORD=<SMTPパスワード>
# SMTP_TIMEOUT=15

## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
## Possible values: ["Plain", "Login", "Xoauth2"].
## Multiple options need to be separated by a comma ','.
# SMTP_AUTH_MECHANISM="Plain"

## Server name sent during the SMTP HELO
## By default this value should be is on the machine's hostname,
## but might need to be changed in case it trips some anti-spam filters
# HELO_NAME=

## SMTP debugging
## When set to true this will output very detailed SMTP messages.
## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
# SMTP_DEBUG=false

## Accept Invalid Hostnames
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
# SMTP_ACCEPT_INVALID_HOSTNAMES=false

## Accept Invalid Certificates
## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
## Only use this as a last resort if you are not able to use a valid certificate.
## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
# SMTP_ACCEPT_INVALID_CERTS=false

## Require new device emails. When a user logs in an email is required to be sent.
## If sending the email fails the login attempt will fail!!
# REQUIRE_DEVICE_EMAIL=false

## HIBP Api Key
## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
# HIBP_API_KEY=

# vim: syntax=ini

docker-compose

$ cat > docker-compose.yml
version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:alpine
    container_name: vaultwarden
    env_file:
      - ./vaultwarden.env
    volumes:
      - ./data:/data
    expose:
      - 80:80
      - 3012:3012
    environment:
      WEBSOCKET_ENABLED: 'true'

  reverse-proxy:
    image: nginx
    container_name: reverse-proxy
    restart: always
    volumes:
      - ./reverse-proxy/conf:/etc/nginx
      - ./reverse-proxy/ssl/<秘密鍵>.key:/etc/ssl/key/ssl.key
      - ./reverse-proxy/ssl/<サーバ証明書>.crt:/etc/ssl/certs/ssl.crt
    ports:
      - 443:443
      - 80:80
    environment:
       - ENABLE_IPV6=true

起動

$ docker-compose up -d

確認

ウェブブラウザで、 https://<サーバのFQDN>/admin にアクセスしてみてください。
tokenが求められるのでさっき発行したものを入れてログインします。
ログインできたら、初期設定やユーザ登録、パスワードのインポートなど、順を追って済ませていきましょう。

利用するクライアントからの接続確認もしましょう。
サーバに到達できない場合は、tailscaleのメッシュネットワークにつながっていない可能性があります。

移行してみて

• これで完全に無料で運用できることになりましたー！毎月$4.99払ってましたが、円安の影響もあり、9000円/年近く払っていたものが0円になったのはとても大きいと思っています。

• 利便性が損なわれたかというと大したことはなく、とても便利です。
  個人的に使いたい端末のクライアントは全て揃ってますし、端末間共有もできます。
  なによりワンタイムパスコードが使えるのが大きいです。他の競合サービスもみてみましたが、ワンタイムパスコードに対応したものが少ないです。
  無料のものに絞るとほぼ他にはないと思います。

• 1PasswordのTeamsプラン(ファミリープラン相当)を無料で使える方法もあるようですが、申請が面倒そうなのと、非営利でしか使えないので、vaultwardenの方が企業で利用する場合でも良さそうです。

• サーバ負荷は、CPUがどれだけ使っても2桁%に到達しませんでした。

• チームで使ったりとか、企業での利用もしやすそうな感じです。わかりやすいUIで使いやすく、非常に良きでした。

• 移行時、1Passwordのほか、KeePassなどでエクスポートしたファイルのインポートにも対応していますので、移行は割とかんたんです。
  組織向けプランとかを1Passwordとかですでに契約していて、組織内共有でパスワードを大量に管理している場合は大変だと思います。。。

おまけ

無いとは思いますが、外向き通信が1GB/月を超えそうになったときにすぐにサーバを止められるよう、以下のようなスクリプトを用意しました。
800MBのしきい値にしています。slack/mattermostに通知を飛ばせます。
通信量くらいなら、監視サーバで監視させようかと思いましたが、自宅と別のクラウドに構築しているため、外向きの通信が多くなって本末転倒になったりしても嫌だったので、このスクリプトをcronで回すことにしています。

#!/bin/bash

transmit_byte=`cat /proc/net/dev | grep eth0 | awk '{print $10}'`
uptime_date=`uptime | awk '{print $3}'`

#echo "$(($transmit_byte / $uptime_date)) byte"
#echo "$(($(($transmit_byte / $uptime_date)) /1024)) KB"
#echo "$(($(($(($transmit_byte / $uptime_date)) /1024)) /1024)) MB"
transmit_mbyte_per_day=$(($(($(($transmit_byte / $uptime_date)) /1024)) /1024))

if [ $transmit_mbyte_per_day -ge 800 ];
then
	curl -X POST -H 'Content-type: application/json' --data "{'text': \"[WARNING] `hostname` exceeded transmit by 800MB. (Now: $transmit_mbyte_per_day MegaByte.)\"}" <your_webhook_url>
fi