You can use any domain you like. I personally have an actual domain that I only use inside my network. This way I can get SSL certs from Let’s Encrypt using the DNS challenge which doesn’t require any ports being opened. You can use self signed certs but I would strongly suggest using certs from the likes of Let’s Encrypt.

Here are 2 pages on this subject

https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS

I am hosting vaultwarden locally (docker) and just don’t use the Webinterface. The Firefox addon and the bitwarden desktop tool work just fine. Also the android app syncs.

It’s good to use SSL even if you don’t plan to use it externally. At some point you may change your mind, or you may need to access it via VPN and there may be one hop between your browser and the VPN that will then be in plain text. Plus, not all devices are trustworthy anymore. An Android or iPhone device might have “malware” (including from reputable companies like Google trying to track you for ad purposes but recording unsecured http traffic to do it.) Or a frienday bring a bad device over and connect to your wifi and inadvertently capture that traffic. Lots of ways for internal traffic to be spied on.

Google: “how to create self signed certificate authority on <your workstation OS>”

And if that article doesn’t have it, google: “how to create a domain certificate from a self signed certificate authority”.

It doesn’t have to be a valid external domain, just use “.internal” as the top level domain which is reserved for this kind of thing, like “vaultwarden.internal”. You can also just use IP addresses in the certificate, but I find that less desirable.

Then google: "how to add a trusted certificate authority on <all your OS’s of all internal devices>”. Depending on what web browser you use, you may need to add it there as well. Once the certificate authority is trusted by your devices and browsers, then the domain certificate created by that CA will be as well.

You can set your expiration dates to be far in the future if you want, to avoid having to create new ones often, but be sure to document how just so in 5 or 10 years or so, if it’s still that way, you’ll know how to update them.

You are in luck, I just made this. Https, no reverse proxy needed

proxmox install script for Vaultwarden

https://forum.proxmox.com/threads/a-proxmox-install-script-for-vaultwarden.159510/#post-732319

I set mine up with duckdns and caddy. In duckdns set the ip address to your machines local address. If memory serves, there’s a section in the vaultwarden wiki about using caddy with duckdns

I know the desktop, and mobile apps work without https, however I can’t remember if you can set it up via those apps?

I ran vaultwarden for a couple of years without q certificate, I just couldn’t log into my instance via the browser.

I did saw You could also use Tailscale and use their internal signed certificates. Then you can access it both internally and remotly over Tailscale with SSL.

Personally I own a domain for years and just use it.

Reverse proxy + LetsEncrypt + DuckDNS + DNS rewrite to point it at local IP is all you need. Works quite well for all my services.

I prefer Keepass as it is less faff as a password manager is too critical to host like this imo.

Self signed certs will work. You can Google how to set them up.