Keeping Vaultwarden as a Private Resource but still reachable on the home LAN without the client — sane idea or overkill?
Hey folks,
I've got Pangolin running on a VPS, with Newt on a Raspberry Pi at home connecting back to it. Currently I've got Vaultwarden exposed as a public resource with SSO + path rules for the Bitwarden API endpoints (/api/*, /identity/*, /notifications/*, /icons/*, /attachments/* allowed, /admin/* denied), which works fine with the browser extension and mobile apps.
I'm now toying with switching it to a private resource instead, mainly because I like the idea of it not having any public DNS footprint at all for something as sensitive as a password vault. My worry with private resources though is that they seem to depend on the Pangolin client being connected — and for a password manager I really don't want "is my VPN client currently alive" to be a precondition for logging in, especially on mobile where background VPN apps get killed/throttled all the time.
So here's the plan I came up with, and I'd love a sanity check:
Vaultwarden stays a private resource in Pangolin (Newt on the Pi, no public domain).
At home, I run AdGuard Home on the Pi and add a DNS rewrite so vault.mydomain.tld resolves straight to the Pi's LAN IP instead of going out to the internet at all.
Also on the Pi, a small Caddy container in front of Vaultwarden gets its own valid Let's Encrypt cert via DNS-01 (my registrar has an API, so no port-80 exposure needed), so the local connection is still proper HTTPS and not just plain HTTP.
Away from home, I connect with the official Pangolin client like normal, and it resolves the private resource through the tunnel as usual.
End result: at home, Vaultwarden is a completely normal HTTPS domain that works without any client running at all, and away from home it works exactly like any other private resource. Pangolin itself never has to expose it publicly at any point.
For context, I'm doing something similar with Jellyfin (kept as a public resource since TV apps/Chromecast/other household members can't run a client, but with the same AdGuard + local Caddy trick so streaming at home doesn't round-trip through the VPS and eat my upload bandwidth).
The other thing I want to avoid on principle: I don't want a single network-wide CIDR tunnel that gives blanket access to my whole 192.168.1.0/24 just to reach a couple of services... feels like it defeats the point of Pangolin being resource-scoped in the first place, and turns one compromised laptop into "attacker is now on my whole home network." So I'd rather keep every service as its own resource (public or private depending on what it is) and only reach for a wide tunnel as a rare fallback.
Does this hold up, or is there something about how private resources/Newt handle local DNS resolution that would trip this up? Is anyone actually running Vaultwarden this way, or is there a reason people don't bother and just do public+SSO like I did originally? Genuinely curious whether I'm overthinking this or if it's a reasonable setup. Thanks in advance!