If you choose to deploy Ubiquiti Unifi for your site(s), it can be useful to also take advantage of the multisite capabilities and in particular the site-to-site VPN options. Unifi allows you to easily click a few options to setup a site-to-site VPN itself, but in order to do so, you need to have an accessible controller from BOTH sites. To establish one controller for multiple sites, you can setup a cloud based controller.
Setup a Linux server on a cloud provider
The first step is to setup a Linux server on your cloud provider. For this example I will setup an Ubuntu server on a Digital Ocean droplet. Note that the configurations at this stage will depend on your cloud provider.
At the time of writing this, the latest Long Term Support (LTS) release of Ubuntu is 18.04. I will follow the Digital Ocean guide for setting up this droplet. Follow the guide for an initial setup and login with an ssh key. You will initially login as root using the IP address assigned to your droplet, then create a new user.
shell> ssh root@IPAddress
shell> adduser [username]shell> adduser [username]
shell> user mod -aG sudo [username]
Next setup a firewall rule to allow SSH and then start the firewall service.
shell> ufw allow OpenSSH
shell> ufw enable
Now enable your new user to login via ssh.
shell> rsync --archive --crown=[username]:[username] ~/.ssh /home/[username]
At this point you can logout and you should be able to login as your new user. From here on we’ll use sudo to run commands with root level privileges.
shell> exit
shell> ssh [username]@IPAddress
If you’re able to login, let’s turn off root access via ssh.
shell> sudo nano /etc/ssh/sshd_config
Edit the file and set PermitRootLogin
to "no"
.
Now it’s time to update the software on your Ubuntu droplet.
shell> sudo apt update && sudo apt install ca-certificates apt-transport-https
shell> sudo apt-get update
shell> sudo apt-get upgrade
Setup Unifi
Next we’re going to follow this guide from Ubiquiti on setting up the Ubuntu/Debian repositories for the Unifi controller software.
shell> echo 'deb http://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
shell> sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg
For Ubuntu 18.04, you will need to take an additional step to get mongodb to work correctly.
shell> sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
shell> echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.4.list
Now you will want to update your apt repositories with the new Ubiquiti Unifi sources, then install unifi itself. You can check the status to ensure it’s installed.
shell> sudo apt update
shell> sudo apt install unifi
shell> sudo service unifi status
Log files will be essential for any troubleshooting you might perform. Find them here:
shell> tail /usr/lib/unifi/logs/server.log
shell> tail /usr/lib/unifi/logs/mongod.log
Now let’s configure the firewall to allow services we’ll need through.
shell> sudo ufw allow 8880
shell> sudo ufw allow 8443
shell> sudo ufw allow 80
shell> sudo ufw allow 443
shell> sudo ufw allow 3478/udp
shell> sudo ufw enable
I like to add the advanced stats for DigitalOcean.
shell> curl -sSL https://repos.insights.digitalocean.com/install.sh | sudo bash
Setup SSL
I assume you have already setup a domain in Digital Ocean and associate it with your droplet. If you haven’t, now is the time to make sure that is done. The next step is to setup SSL using the awesome free service from the Linux Foundation and ISRG called Let’s Encrypt. Please consider making a donation to them.
At this point there are also a number of configuration changes you can make to better secure and lock down your system. These include disabling root ssh access, changing the default ssh port, etc. This guide can be very helpful for making these changes. I’ll cover the necessary steps to setup SSL here.
shell> dpkg-reconfigure tzdata
shell> apt install haveged -y
shell> apt install htop -y
shell> sudo add-apt-repository ppa:certbot/certbot
shell> sudo apt-get update
shell> sudo apt-get upgrade
shell> sudo apt-get install python-certbot-apache -y
shell> sudo certbot --apache -d [YourDomain]
You should see the output below.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/lake2.mkdolan.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/lake2.mkdolan.com/privkey.pem
Your cert will expire on 2020-01-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
Now you need to get Unifi to start using SSL. This is a frustrating part of the process as I wish Unifi would make this the default configuration, but alas, it is not to be (at least for now). This next step can be greatly simplified by using a script someone named Steve Jenkins created and has been linked to by everyone else who has tried this before. I recommend using his script.
Save his script locally and then make the appropriate edits to add your domain, and uncomment the correct configuration section for Ubuntu. You should review the entire script to make sure you’re comfortable with what it will do. Once you’re ready, it’s time to execute the script.
shell> sudo chmod +x unifi_ssl_import.sh
shell> sudo ./unifi_ssl_import.sh
If you ever need to manually update Let’s Encrypt SSL certificates, this is the process.
shell> sudo nano /etc/apache2/sites-enabled/000-default-le-ssl.conf
Edit this file to add in a virtual host for port 80.
shell> sudo ufw allow 80
shell> sudo ufw enable
shell> sudo certbot renew
If you’re migrating to a new Unifi cloud controller, you can follow this guide for the process of using set-inform on the USG or other devices and get them to point to your new controller.
I also like to disable the default Apache server page.
shell> sudo a2dissite 000-default
shell> sudo a2dissite default-ssl
shell> sudo apachectl graceful
With this setup you should now be able to access Unifi from your domain. From here it’s just a login and configure of Unifi like you would from any controller.
In another post I’ll cover how to setup the site-to-site VPN, but you’re able to easily do that from here if you find the right guide.