UniFi Controller Installation on Vultr

Vultr is a great hosting platform that is very similar to Digital Ocean.  I have heard a lot of really good reviews from folks who use Vultr for their production systems, so I set out to create a full set of instructions for the installation of a Vultr-hosted UniFi Controller running on Ubuntu 16.04.

The first thing to do is sign up for Vultr.  If you don’t already have an account, I would appreciate you signing up using my referral link:  https://www.vultr.com/?ref=7598600

1. Set up 2 Factor Authentication for Vultr

Before we dig into creating our UniFi Controller, let’s take a quick detour to ensure that Two Factor Authentication (2FA) is set up on your Vultr account.  If you don’t have it already, you should go to the Apple App store or the Google Play Store to download the Google Authenticator app.

In the Vultr interface, click on ‘Account’ from the left-hand menu, followed by the ‘Authentication’ tab.  Next, click on ‘Manage Two Factor Authentication.’

Select ‘Google Auth’ from the dropdown box and then click the ‘+’ symbol to add Google Authentication as your 2FA method.  This will bring up a QR code that needs to be scanned with the Google Authenticator app.  Once you’ve scanned the QR code, click ‘Continue.’

When you click continue, you will be asked to enter in the 6 digit code from Google Authenticator for your Vultr account.  Enter that code and click ‘Enable Google Authentication’ to finish the 2FA setup.  Done!  You will now be prompted for this 6 digit code when logging into Vultr.

2. Create Virtual Server

Onto the UniFi Controller setup!  Click on ‘Servers’ from the left hand menu followed by the blue circled ‘+’ symbol in the upper right.  This will bring you to the new server setup page.

The first step of the server creation is to select your location.  Pick whichever data center you want – I, however, tend to choose the data center closest to my (or my client’s) geographic location.  In this case, I’m going to pick Seattle.

The next step is where we select our server type.  Click on Ubuntu and choose ‘16.04 x64’ from the drop-down.

*** Tech note:  You may be asking “Why not the latest and greatest Ubuntu 18.04??”  Well, as of the writing of this blog post, UniFi still does not install properly on Ubuntu 18.04 without downgrading the default version of MongoDB.  So, until Ubiquiti standardizes on the latest version of Mongo, I prefer to stick with the OS I know works great right out of the box.  That being said though – this same process should work fine on Ubuntu 18.04 given the extra step of downgrading the database.

Next, select your server size.  UniFi will run on anything in the $3.50/month size or higher.  For testing purposes, the $3.50/month tier is fine.  For a production system with only a few sites, the $5.00/month tier would be the best option, and then scale up from there.

Finally, you can select any options (Auto Backups are highly recommended for a production server), and then give your server a hostname.  Hostname should be something like unifi.company.com.  You will then want to follow up and create a DNS A-record that points the FQDN hostname you create to the IP address of the Vultr server.  Using an FQDN to inform your UniFi equipment is best practice to ensure that you can migrate later on down the road without much issue.  Startup script and SSH Keys can be left blank.

Click ‘Deploy Now’ and you’re off to the races!  You are taken back to the server summary screen.  It will take 1-2 minutes for the server to spin up, so be patient.  Once the ‘Status’ changes from ‘Installing’ to ‘Running,’ you should wait about another 30 seconds, and then you’re good to go.  Click on the name of your server to see its detail screen.

Once the server is in a ‘Running’ state, you’ll see your IP address.  Copy or make note of that IP address – we’re going to use it to connect to our new Ubuntu server via SSH.  You’ll also want to make note of or copy your default root password.  (We will change that password immediately upon logging in).  You can show the password by clicking the ‘eye’ icon, or simply copy it to your clipboard by clicking the copy icon.

3. Log into virtual server with SSH

Once you have your login information, open up your favorite SSH program (I prefer to use PuTTY) and connect to the IP address of your server on TCP port 22.  In PuTTY, click YES when asked about authentication, and then login with root as the username.  When prompted for the password, use SHIFT+INS to paste the password you copied from the Vultr server details.

4. Change root password

The first command you should enter is:

passwd

This will prompt you to type in a new password, and then type in the password again to confirm it.  Note that this should be a STRONG password, and DO NOT LOSE IT!  If you lose this password, you will be locked out of root access to the system.

5.  Create a New User

When I create a virtual server that is going to be exposed to the open Internet, I like to ensure that there are multiple layers of security to prevent intrusion.  One of the first layers of security includes disabling the ability for the root user to log onto the server.  To do this, we first need to create a new user.  From SSH, type the following:

adduser [username]

In my case, my username was csherwood, so I typed ‘adduser csherwood’ in PuTTY.

You will be prompted to enter a password twice, and then prompted for additional information (which you can skip through).  Once you get to the confirmation, press Y to confirm, and your new user is created.

Now we need to allow our new user to use sudo to run root commands on the server.  Type the following:

gpasswd -a [username] sudo

This adds your newly created username to the sudo group.

6.  Change SSH to a Non-Standard Port and Disable root Login Access

Another security measure is to change SSH from port 22 to something that is not as easy to guess.  In my case, I use 22222, but you can use whatever port you like.  Type the following to edit the SSH configuration file:

nano /etc/ssh/sshd_config

Find the line that says:

Port 22

and change it to your desired port – in my case, I set it to:

Port 22222

Then, find the line that says:

PermitRootLogin yes

and change it to:

PermitRootLogin no

Hit CTRL+X followed by Y to save and exit the file.  Restart SSH by running:

service sshd restart

Once SSH has been restarted, close PuTTY and then re-launch it.  This time, when you enter your server’s IP address, make sure you also change your port number to the SSH port you set in the SSH config file.  When prompted with ‘Login as:’ also remember to use the username you created instead of root – since root no longer has access to log in via SSH.

Once logged back in, you can do:

su root

and then enter your root password to become root again and finish off your configuration.

7.  Set up Firewall

Next, we want to block any ports that we aren’t going to use – or in other words, we want to specifically allow only ports that we want to allow.  Run the following commands:

sudo ufw allow 22222/tcp
sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 8880/tcp
sudo ufw allow 8843/tcp

sudo ufw allow 3478/udp

This allows port 22222 for SSH (substitute 22222 with the SSH port that you used in step 6), and opens up all of the necessary UniFi ports.  When you’re ready to actually commit these rules, you can double-check that all of your ports were entered correctly by typing:

sudo ufw show added

Once you’re happy, run:

sudo ufw enable

This turns on the firewall, and you’re good to go.  If you did anything wrong, it is entirely possible that you just locked yourself out of your own virtual server…but no worries!  Just go back to your Vultr dashboard, destroy your server, and start over.  Great practice, and a good learning experience!
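
The lock-out described above happens when the port set in /etc/ssh/sshd_config (step 6) has no matching allow rule at the moment the firewall is enabled. A pre-flight check for that, added here as an example that is not part of the original post; the function names and scratch files are this example's own, and it assumes ‘ufw show added’ prints one ‘ufw allow PORT/PROTO’ line per rule:

```shell
#!/bin/sh
# Added example: pre-flight check to run before `sudo ufw enable`.

# First uncommented value of sshd_config keyword $2 in file $1 (sshd uses
# the first occurrence), or the fallback $3 when the keyword is not set.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# True when the saved `ufw show added` output in $1 allows port $2 over $3.
rule_present() {
    grep -Eqx "ufw allow $2(/$3)?" "$1"
}

# preflight SSHD_CONFIG UFW_RULES: prints each problem, returns their count.
preflight() {
    problems=0
    port=$(sshd_value "$1" port 22)
    if [ "$(sshd_value "$1" permitrootlogin unset)" != "no" ]; then
        echo "PermitRootLogin is not 'no'"; problems=$((problems + 1))
    fi
    if ! rule_present "$2" "$port" tcp; then
        echo "LOCKOUT RISK: sshd is on $port/tcp but ufw does not allow it"
        problems=$((problems + 1))
    fi
    for spec in 8080/tcp 8443/tcp 8880/tcp 8843/tcp 3478/udp; do
        rule_present "$2" "${spec%/*}" "${spec#*/}" ||
            { echo "UniFi port $spec is not allowed"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample: sshd moved to 22222 but only port 22 was allowed,
# and three of the UniFi rules are missing.
demo() {
    d=$(mktemp -d)
    printf 'Port 22222\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'ufw allow 22/tcp\nufw allow 8080/tcp\nufw allow 8443/tcp\n' > "$d/added"
    preflight "$d/sshd_config" "$d/added"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "$? problem(s): fix them before running 'ufw enable'"
```

On the server, save the rules with ‘sudo ufw show added > rules.txt’ and call ‘preflight /etc/ssh/sshd_config rules.txt’ before enabling the firewall.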

8.  Configure Time Zone

Set up your Time Zone by running:

sudo dpkg-reconfigure tzdata

A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list.  You can press TAB, arrow keys, and SPACE to move around these screens and make selections.

Once your time zone has been selected, press OK, and you’re done with Step 8.

9. Set Up a Swap File

Run the following commands to create and use a swap file.

sudo fallocate -l 4G /swapfile

This allocates a 4GB swap file at /swapfile.  4GB is fine for the $5.00 tier, but if you are on the $3.50 tier, you may want to make this 2G instead.

sudo chmod 600 /swapfile

Sets permissions on the swap file so that only root can read and write it.

sudo mkswap /swapfile

Formats the file for use as swap space.

sudo swapon /swapfile

Tells the server to start using that file as swap.

Finally, we need to make sure that the swap file turns on every time we reboot the server.  Run the following command to add the swap file information to the /etc/fstab file:

sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

To verify that the command worked, type:

cat /etc/fstab

and look for a line that says:

/swapfile none swap sw 0 0

If that line exists in the /etc/fstab file, you’re all good.
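
Swap can hold pages of process memory, which is why the file is restricted to root, and the ‘>>’ append above adds a duplicate line each time it is re-run. A re-runnable form of the /etc/fstab step, added here as an example (not from the original post); the function names and scratch paths are hypothetical:

```shell
#!/bin/sh
# Added example: re-runnable version of the /etc/fstab step.

# True when file $1 has the mode that `chmod 600` sets (owner read/write only).
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# True when fstab $1 already has an active (uncommented) swap entry for $2.
has_swap_entry() {
    awk -v f="$2" '$1 == f && $3 == "swap" { hit = 1 } END { exit !hit }' "$1"
}

# ensure_swap_entry FSTAB SWAPFILE
# Returns 0 if the entry exists or was added, 1 if the swap file's mode is wrong.
ensure_swap_entry() {
    if ! owner_only "$2"; then
        echo "$2 is accessible to other users; run: chmod 600 $2" >&2
        return 1
    fi
    has_swap_entry "$1" "$2" && return 0
    echo "$2 none swap sw 0 0" >> "$1"
}

# Constructed demo on scratch files; on the server the arguments would be
# /etc/fstab and /swapfile, run as root.
demo() {
    d=$(mktemp -d)
    : > "$d/swapfile"; chmod 600 "$d/swapfile"
    echo "# $d/swapfile none swap sw 0 0" > "$d/fstab"   # commented out: ignored
    ensure_swap_entry "$d/fstab" "$d/swapfile"
    ensure_swap_entry "$d/fstab" "$d/swapfile"           # second run adds nothing
    grep -c "^$d/swapfile " "$d/fstab"; rm -rf "$d"
}
demo
```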

10. Update Ubuntu

To update Ubuntu, first refresh the list of available packages with:

sudo apt-get update

Then run all available updates with:

sudo apt-get upgrade -y

This process will usually take a few minutes to complete.

11.  Install UniFi

The latest Ubuntu instances use a newer version of Java than UniFi prefers.  Use the following commands to install Java 8:

echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee /etc/apt/sources.list.d/webupd8team-java.list 

echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list.d/webupd8team-java.list 

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 

sudo apt-get update 

sudo apt-get install oracle-java8-installer

Press OK followed by YES when prompted.

Next we finally get to install UniFi.

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 06E85760C0A52C50

You can copy and paste those commands to avoid typos.  Finally, install UniFi by running the following commands:

sudo apt-get update
sudo apt-get install unifi

This will take a couple of minutes to complete, but once it has finished, UniFi is installed! 

Finally, to speed up UniFi a bit, it is recommended to install a package called haveged.  Install it with this command:

sudo apt-get install haveged

At this point, UniFi should be online!  Pop the IP address (or FQDN if you’ve already set up your DNS A record) of your server into your browser using HTTPS and port 8443:

https://[ip address of server]:8443

For instance, if your IP address is 1.2.3.4, you’ll type:

https://1.2.3.4:8443

Congratulations!  You now have a hosted UniFi Controller – you can set-inform your devices to the UniFi inform URL which is:

http://[ip address of server]:8080/inform

Or, connect up your smart phone and use the UniFi SDN app – it works great!


Comments 3

  1. Hey I have a small problem, I receive the error “Bad Request
    This combination of host and port requires TLS.”

    What should I do?
