Vultr is a great hosting platform that is very similar to Digital Ocean. I have heard a lot of really good reviews from folks who use Vultr for their production systems, so I set out to create a full set of instructions for the installation of a Vultr-hosted UniFi Controller running on Ubuntu 16.04.
The first thing to do is sign up for Vultr. If you don’t already have an account, I would appreciate signing up using my referral link: https://www.vultr.com/?ref=7803228-4F
1. Set up 2 Factor Authentication for Vultr
Before we dig into creating our UniFi Controller, let’s take a quick detour to ensure that Two Factor Authentication (2FA) is set up on your Vultr account. If you don’t have it already, you should go to the Apple App store or the Google Play Store to download the Google Authenticator app.
In the Vultr interface, click on ‘Account’ from the left-hand menu, followed by the ‘Authentication.’ tab. Next, click on ‘Manage Two Factor Authentication.’
Select ‘Google Auth’ from the dropdown box and then click the ‘+’ symbol to add Google Authentication as your 2FA method. This will bring up a QR code that needs to be scanned with the Google Authenticator app. Once you’ve scanned the QR code, click ‘Continue’ to continue.
When you click continue, you will be asked to enter in the 6 digit code from Google Authenticator for your Vultr account. Enter that code and click ‘Enable Google Authentication’ to finish the 2FA setup. Done! You will now be prompted for this 6 digit code when logging into Vultr.
2. Create Virtual Server
Onto the UniFi Controller setup! Click on ‘Servers’ from the left hand menu followed by the blue circled ‘+’ symbol in the upper right. This will bring you to the new server setup page.
The first step of the server creation is to select your location. Pick whichever data center you want – I however, tend to choose the data center closest to my (or my client’s) geographic location. In this case, I’m going to pick Seattle.
The next step is where we select our server type. Click on Ubuntu and choose ‘16.04 x64’ from the drop-down.
*** Tech note: You may be asking “Why not the latest and greatest Ubuntu 18.04??” Well, as of the writing of this blog post, UniFi still does not install properly on Ubuntu 18.04 without downgrading the default version of MongoDB. So, until Ubiquiti standardizes on the latest version of Mongo, I prefer to stick with the OS I know works great right out of the box. That being said though – this same process should work fine on Ubuntu 18.04 given the extra step of downgrading the database.
Next, select your server size. UniFi will run on anything in the $3.50/month size or higher. For testing purposes, the $3.50/month tier is fine. For a production system with only a few sites, the $5.00/month tier would be the best option, and then scale up from there.
Finally, you can select any options (Auto Backups are highly recommended for a production server), and then give your server a hostname. Hostname should be something like unifi.company.com. You will then want to follow up and create a DNS A-record that points the FQDN hostname you create to the IP address of the Vultr server. Using an FQDN to inform your UniFi equipment is best practice to ensure that you can migrate later on down the road without much issue. Startup script and SSH Keys can be left blank.
Click ‘Deploy Now’ and you’re off to the races! You are taken back to the server summary screen. It will take 1-2 minutes for the server to spin up, so be patient. Once the ‘Status’ changes from ‘Installing’ to ‘Running,’ you should wait about another 30 seconds, and then you’re good to go. Click on the name of your server to see its detail screen.
Once the server is in a ‘Running’ state, you’ll see your IP address. Copy or make note of that IP address – we’re going to use it to connect to our new Ubuntu server via SSH. You’ll also want to make note of or copy your default root password. (We will change that password immediately upon logging in). You can show the password by clicking the ‘eye’ icon, or simply copy it to your clipboard by clicking the copy icon.
3. Log into virtual server with SSH
Once you have your login information, open up your favorite SSH program (I prefer to use PuTTY) and connect to the IP address of your server on TCP port 22. In PuTTY, click YES when asked about authentication, and then login with root as the username. When prompted for the password, use SHIFT+INS to paste the password you copied from the Vultr server details.
4. Change root password
The first command you should enter is:
This will prompt you to type in a new password, and then type in the password again to confirm it. Note that this should be a STRONG password, and DO NOT LOSE IT! If you lose this password, you will be locked out of root access to the system.
5. Create a New User
When I create a virtual server that is going to be exposed to the open Internet, I like to ensure that there are multiple layers of security to prevent intrusion. One of the first layers of security includes disabling the ability for the root user to log onto the server. To do this, we first need to create a new user. From SSH, type the following:
In my case, my username was csherwood, so I typed ‘adduser csherwood’ in PuTTY.
You will be prompted to enter a password twice, and then prompted for additional information (which you can skip through). Once you get to the confirmation, press Y to confirm, and your new user is created.
Now we need to allow our new user to use sudo to run root commands on the server. Type the following:
gpasswd -a [username] sudo
This adds your newly created username to the sudo group.
6. Change SSH to a Non-Standard Port and Disable root Login Access
Another security measure is to change SSH from port 22 to something that is not as easy to guess. In my case, I use 22222, but you can use whatever port you like. Type the following to edit the SSH configuration file:
Find the line that says:
and change it to your desired port – in my case, I set it to:
Then, find the line that says:
and change it to:
Hit CTRL+X followed by Y to save and exit the file. Restart SSH by running:
service sshd restart
Once SSH has been restarted, close PuTTY and then re-launch it. This time, when you enter in your Droplet’s IP address, make sure you also change your port number to the SSH port you changed in the SSH config file. When prompted with ‘Login as:’ also remember to use the username you created instead of root – since root no longer has access to log in via SSH.
Once logged back in, you can do:
and then enter your root password to become root again and finish off your configuration.
7. Set up Firewall
Next, we want to block any ports that we aren’t going to use – or in other words, we want to specifically allow only ports that we want to allow. Run the following commands:
sudo ufw allow 22222/tcp
sudo ufw allow 8080/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 8880/tcp
sudo ufw allow 8843/tcp sudo ufw allow 3478/udp
This allows port 22222 for SSH (substitute 22222 with the SSH port that you used in step 6), and opens up all of the necessary UniFi ports. When you’re ready to actually commit these rules, you can double-check that all of your ports were entered correctly by typing:
sudo ufw show added
Once you’re happy, run:
sudo ufw enable
This turns on the firewall, and you’re good to go. If you did anything wrong, it is entirely possible that you just locked yourself out of your own virtual server…but no worries! Just go back to your Vultr dashboard, destroy your server, and start over. Great practice, and a good learning experience!
8. Configure Time Zone
Set up your Time Zone by running:
sudo dpkg-reconfigure tzdata
A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list. You can press TAB, arrow keys, and SPACE to move around these screens and make selections.
Once your time zone has been selected, press OK, and you’re done with Step 6.
9. Set Up a Swap File
Run the following commands to create and use a swap file.
sudo fallocate -l 4G /swapfile
This allocates 4GB as a swapfile in the /swapfile directory. 4GB is fine for the $5.00 tier, but if you are on the $3.50 tier, you may want to make this 2G instead.
sudo chmod 600 /swapfile
Sets permissions on the swap file directory.
sudo mkswap /swapfile
Formats the swap file directory for use as a swap file.
sudo swapon /swapfile
Tells the server to use that directory as a swap file.
Finally, we need to make sure that the swap file turns on every time we reboot the server. Run the following command to add the swap file information to the /etc/fstab file:
sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'
To verify that the command worked, type:
and look for a line that says:
/swapfile none swap sw 0 0
If that line exists in the /etc/fstab file, you’re all good.
10. Update Ubuntu
To update Ubuntu, first refresh the list of available packages with:
sudo apt-get update
Then run all available updates with:
sudo apt-get upgrade -y
This process will usually take a few minutes to complete.
11. Install UniFi
The latest Ubuntu instances use a newer version of Java than UniFi prefers. Use the following commands to install Java 8:
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee /etc/apt/sources.list.d/webupd8team-java.list echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main" | sudo tee -a /etc/apt/sources.list.d/webupd8team-java.list sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886 sudo apt-get update sudo apt-get install oracle-java8-installer
Press OK followed by YES when prompted.
Next we finally get to install UniFi.
echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
You can copy and paste that link to avoid typos. Finally, install UniFi by running the following commands:
sudo apt-get update sudo apt-get install unifi
This will take a couple of minutes to complete, but once it has finished, UniFi is installed!
Finally, to speed up UniFi a bit, it is recommended to install a package called haveged. Install it with this command:
sudo apt-get install haveged
At this point, UniFi should be online! Pop the IP address (or FQDN if you’ve already set up your DNS A record) of your server into your browser using HTTPS and port 8443:
https://[ip address of droplet]:8443
For instance, if your IP address is 220.127.116.11, you’ll type:
Congratulations! You now have a hosted UniFi Controller – you can set-inform your devices to the UniFi inform URL which is:
http://[ip address of droplet]:8080/inform
Or, connect up your smart phone and use the UniFi SDN app – it works great!