The E-Mail address from My Account can be changed by navigating to the My Account page, entering the current password and the new E-Mail address. Vaultwarden is supposed to send an E-Mail with a code in order to set the new E-Mail but for closed LAN usage, the E-Mail will more than likely not be sent (and if it is, then it is also likely that E-mail providers will drop the E-Mail as spam given the lack of a FCrDNS E-Mail server).

In order to change the E-Mail anyway, locate the Vaultwarden SQLite database and query the email_new_token column of the users table after using the interface to request a change of E-Mail address (the SQL query being, SELECT email_new_token FROM users). The email_new_token will contain the code necessary to be entered in the Vaultwarden interface in order to be able to change the E-Mail address.

Vaultwarden runs on the default internal port 80 however recent releases only accept HTTPs connections. Whilst reverse-proxying traffic with Caddy is straightforward and Caddy resolves the issue by detecting an SSL stream from the outside to Vaultwarden's port 80, Traefik sees that Vaultwarden has opened port 80 and assumes that all the traffic must be plaintext.

The result is that Vaultwarden will be stuck loading or will display the elusive error message "Found" (the latter being the effect of connecting via HTTP to Vaultwarden's port 80).

In principle, if Vaultwarden requires HTTPs, it should not open port 80 because port 80 is defined by IANA as being a HTTP-only port and should either open up 443 or pick any other random non-reserved port beyond1024.

The workaround is to tell traefik that an SSL/TLS connection should be established over the exposed port or over port 80 by adding the labels:

-l traefik.http.routers.vaultwarden.tls=true \
-l traefik.http.routers.vaultwarden.entrypoints=https \
-l traefik.http.services.vaultwarden.loadbalancer.server.port=80