UniFi is a spectacular networking platform – typically, the controller is on the LAN, but it can really be hosted anywhere. This guide will show you how to set up a Digital Ocean hosted UniFi Controller in about 15 minutes.
1. Create Digital Ocean Droplet
Digital Ocean is a super easy virtual server platform. They make it extremely easy to spin up new servers for testing or production, and also provide an incredible amount of documented resources and help to get you going. If you have not signed up for Digital Ocean, but find that this guide has been helpful, please click on the Digital Ocean logo below – this is my referral link, and will get you $10.00 worth of credit towards your virtual servers.
2. Log into Droplet with SSH
Log into Digital Ocean and create a new droplet. Go with Ubuntu 16.04.2 x64 and then pick your size (the $5.00/month tier is fine, but I recommend the $10.00/month tier for UniFi). Next choose a datacenter region closest to you and change the hostname to something friendly. In my case, I used unifitest.crosstalksolutions.com.
Click Create and your droplet will be created. You will now receive an email that contains your IP address and temporary root password – copy that root password from the email and open PuTTY. Enter in the IP Address for your Digital Ocean droplet and press Enter to connect. Click YES when asked about authentication, and then login with root as the username. When prompted for the password, use SHIFT+INS to paste the password you copied from email.
You are first prompted to change your root password. Press SHIFT+INS again to paste the copied ‘current’ password one more time, and then enter a new password twice to set a new root password. This should be a strong password that follows best practices for password creation.
3. Create a New User
When I create a Droplet that is going to be exposed to the open Internet, I like to ensure that there are multiple layers of security to prevent intrusion. One of the first layers of security includes disabling the ability for root to log onto the server. To do this, we first need to create a new user. From SSH, type the following:
In my case, my username was csherwood, so I typed ‘adduser csherwood’ in PuTTY.
You will be prompted to enter a password twice, and then prompted for additional information (which you can skip through). Once you get to the confirmation, press Y to confirm, and your new user is created.
Now we need to allow our new user to use sudo to run root commands on the server. Type the following:
gpasswd -a [username] sudo
This adds your newly created username to the sudo group.
4. Change SSH to a Non-Standard Port and Disable root Login Access
Another security measure is to change SSH from port 22 to something that is not as easy to guess. In my case, I use 2222, but you can use whatever port you like. Type the following to edit the SSH configuration file:
Find the line that says:
and change it to your desired port – in my case, I set it to:
Then, find the line that says:
and change it to:
Hit CTRL+X followed by Y to save and exit the file. Restart SSH by running:
service sshd restart
Once SSH has been restarted, close PuTTY and then re-launch it. This time, when you enter in your Droplet’s IP address, make sure you also change your port number to the SSH port you changed in the SSH config file. When prompted with ‘Login as:’ also remember to use the username you created instead of root – since root no longer has access to log in via SSH.
Once logged back in, you can do:
and then enter your root password to become root again and finish off your configuration.
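One way to confirm the two edits from this step took effect before restarting SSH (an added example, not part of the original guide; the function names are made up here, and it assumes plain whitespace-separated `Keyword value` lines). It matters because sshd listens on every `Port` line it finds, while for `PermitRootLogin` only the first occurrence counts.

```bash
#!/usr/bin/env bash
# Added example: read back the two sshd_config settings changed in step 4.
# Assumption: whitespace-separated "Keyword value" lines; the file path is an argument.

# List every global value of KEYWORD in FILE, in file order.
sshd_values() {
    awk -v key="$2" '
        $1 ~ /^#/                   { next }      # commented-out line
        tolower($1) == "match"      { exit }      # conditional blocks start here
        tolower($1) == tolower(key) { print $2 }
    ' "$1"
}

# Return 0 only if sshd listens on WANT_PORT alone and root login is refused.
check_ssh_hardening() {
    local file="$1" want_port="$2" ports root rc=0
    # sshd listens on EVERY Port line, so a leftover "Port 22" keeps 22 open.
    ports="$(sshd_values "$file" Port | sort -u | tr '\n' ' ')"
    # For PermitRootLogin the FIRST occurrence wins; later duplicates are ignored.
    root="$(sshd_values "$file" PermitRootLogin | head -n 1)"
    if [ "$ports" != "$want_port " ]; then
        echo "FAIL: Port lines in effect: ${ports:-none (sshd default applies)}"
        rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is ${root:-not set (sshd default applies)}"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: port $want_port only, root login disabled"
    fi
    return "$rc"
}

# Constructed sample: the new port was added but the original Port 22 line was left in.
demo="$(mktemp)"
printf '%s\n' 'Port 22' 'Port 2222' 'PermitRootLogin no' > "$demo"
check_ssh_hardening "$demo" 2222 || echo "fix the file before restarting sshd"
rm -f "$demo"
```

On the Droplet, pass the standard OpenSSH server config, `/etc/ssh/sshd_config`, and keep the current PuTTY session open until a second login on the new port succeeds.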
5. Set up Firewall
Next, we want to block any ports that we aren’t going to use – or in other words, we want to specifically allow only ports that we want to allow. Run the following commands:
sudo ufw allow 2222/tcp
sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 8880/tcp
sudo ufw allow 8843/tcp
sudo ufw allow 3478/udp
*** EDIT 10/26/2017 - added the 3478 UDP STUN port as per feedback from you guys!
This allows port 2222 for SSH (substitute 2222 with the SSH port that you used in step 4), and opens up all of the necessary UniFi ports. When you’re ready to actually commit these rules, you can double-check that all of your ports were entered correctly by typing:
sudo ufw show added
Once you’re happy, run:
sudo ufw enable
This turns on the firewall, and you’re good to go. If you did anything wrong, it is entirely possible that you just locked yourself out of your own Droplet…but no worries! Just go back to your Digital Ocean dashboard, destroy your droplet, and start over.
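A pre-flight check for the step above, added here as an example and not part of the original guide: it compares the text printed by `sudo ufw show added` with the rules listed in this step, so a missing SSH rule is caught before `ufw enable`. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare `ufw show added` output with the rules from step 5.
# Assumption: each pending rule is printed as a line of the form "ufw allow PORT/PROTO".

# The rules this guide opens: the SSH port from step 4 plus the UniFi ports.
required_rules() {
    printf 'ufw allow %s\n' "$1/tcp" 8080/tcp 8443/tcp 8880/tcp 8843/tcp 3478/udp
}

# Reads `ufw show added` text on stdin; prints required rules that are absent.
missing_rules() {
    local added
    added="$(cat)"
    required_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$added" | grep -qxF -- "$rule" || echo "$rule"
    done
}

# Reads the same text; prints allow rules that are not on the guide's list.
unexpected_rules() {
    grep '^ufw allow ' | grep -vxF -- "$(required_rules "$1")" || true
}

# Constructed sample: SSH was moved to 2222 in step 4, but the rule was typed
# for port 22 and the STUN rule was forgotten.
demo_output="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 8080/tcp
ufw allow 8443/tcp
ufw allow 8880/tcp
ufw allow 8843/tcp"

echo "Missing (enabling ufw now would block these):"
printf '%s\n' "$demo_output" | missing_rules 2222
echo "Not on the guide's list:"
printf '%s\n' "$demo_output" | unexpected_rules 2222
```

On the Droplet, pipe the real output in with `sudo ufw show added | missing_rules 2222`, substituting your own SSH port, and only run `sudo ufw enable` when nothing is printed.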
6. Configure Time Zone
Set up your Time Zone by running:
sudo dpkg-reconfigure tzdata
A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list. You can press TAB, arrow keys, and SPACE to move around these screens and make selections.
Once your time zone has been selected, press OK, and you’re done with Step 6.
7. Configure NTP
Set up NTP (Network Time Protocol) by running:
sudo apt-get update
sudo apt-get install ntp
This sets up your time server and syncs the clock. You can check NTP status by running:
service ntp status
Your local time should be set correctly (in 24-hour format).
8. Set Up a Swap File
Run the following commands to create and use a swap file.
sudo fallocate -l 4G /swapfile
This allocates a 4GB file at /swapfile to use as swap.
sudo chmod 600 /swapfile
Sets permissions on the swap file so that only root can read and write it.
sudo mkswap /swapfile
Formats the file for use as swap space.
sudo swapon /swapfile
Tells the server to start using that file as swap.
Finally, we need to make sure that the swap file turns on every time we reboot the server. Run the following command to add the swap file information to the /etc/fstab file:
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
To verify that the command worked, type:
and look for a line that says:
/swapfile none swap sw 0 0
If that line exists in the /etc/fstab file, you’re all good.
9. Upgrade Linux Kernel
*** EDIT 10/26/2017 – This step is probably no longer necessary. I just did a new DO Droplet today, and it is now 4.4.0-97-generic by default. That being said though, there is probably no harm in simply running the sudo apt-get install linux-image-generic command anyway.
There is a problem with the default Linux kernel that you get when you fire up the Ubuntu Droplet. If you type:
You should see the following:
This version needs to be on -83 instead of -81 for UniFi to function correctly. Run the following commands to update the Linux kernel:
sudo apt-get install linux-image-generic
This will take a minute or two to run – once done type:
to reboot the Droplet. You will be disconnected from PuTTY – wait about 60 seconds, and then log back in via SSH.
Now, if you run:
You should see:
10. Install UniFi
*** Update 7/10/2018 – The latest DO droplets use a newer version of Java than UniFi prefers. Use the following commands to first install Java 8:
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list.d/webupd8team-java.list
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
sudo apt-get update
sudo apt-get install oracle-java8-installer
Next we finally get to install UniFi.
*** Update 7/10/2018 – There is now an easier way to install UniFi than I showed in my video:
You can copy and paste that link to avoid typos. Finally, install UniFi by running the following commands:
sudo apt-get update
sudo apt-get install unifi
This will take a couple of minutes to complete, but once it has finished, UniFi is installed!
*** EDIT 10/26/2017 – in the next paragraph, I talk about being patient while UniFi starts up – this was actually found to be an issue and was fixed as per this article HERE. Now, you can run the following command and UniFi will launch much quicker (especially in v5.6):
sudo apt-get install haveged
BUT WAIT – THERE’S MORE! The next step is to bring up the UniFi startup wizard in a browser – but you’ll want to wait about 2 minutes before you do so…the first time the UniFi services start, they take about that much time before UniFi is actually accessible – you didn’t do anything incorrectly – it just takes a bit of patience! Once the 2 minutes is up, enter the following URL into your browser:
https://[ip address of droplet]:8443
For instance, if your IP address is 18.104.22.168, you’ll type:
to access UniFi.
Congratulations! You now have a hosted UniFi Controller – you can set-inform your devices to the UniFi inform URL which is:
http://[ip address of droplet]:8080/inform
More UniFi blog posts to follow!