How to install and configure Unifi controller on Raspberry Pi

Ubiquiti (and their Unifi gear) has become my go-to for just about anything network related. Their gear is feature rich, rock solid, and seems to really “just work”. We couldn’t be bigger fans. Since Unifi gear runs a Software Defined Network (SDN), it is not configured like traditional routers and switches via a command line or on-device web GUI; rather, it is configured from a controller running on a separate computer. This controller has its own web GUI and allows you to configure the entire network or a single device, or to access a command-line interface if needed. Normally you’d need to buy a cloud controller, set up a dedicated virtual machine, or install the controller on your desktop PC. In this tutorial, we’ll go through the very simple process of setting up a Raspberry Pi Unifi Controller. It’s easy!

Instructions

  1. Install Raspbian on an SD card. I tested this with Jessie Lite (headless).
  2. Use raspi-config to expand the filesystem, rename your Pi, etc.

         sudo raspi-config
  3. Reboot the Pi for the filesystem changes to take effect
  4. Update packages

         sudo apt-get update
         sudo apt-get upgrade -y
  5. Install Java 7 (OpenJDK) and MongoDB

         sudo apt-get install -y openjdk-7-jre-headless mongodb
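  6. Disable the default MongoDB instance to free up resources (UniFi will run its own copy)

         # Stop the running instance
         sudo service mongodb stop
         # Keep it from starting again at boot ("service" has no "disable" action)
         sudo systemctl disable mongodb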
  7. Add Ubiquiti’s source list

         # Register the UniFi package repository
         echo "deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti" | sudo tee /etc/apt/sources.list.d/100-ubnt.list
         # Import the repository signing key
         sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C0A52C50
         sudo apt-get update
  8. Install the UniFi controller software

         sudo apt-get install -y unifi
  9. Create log rotation to avoid disk space issues. NOTE: downloads unifi_logrotate.d.sh from this Gist

         sudo wget https://gist.githubusercontent.com/kburdett/006a16316afa62148b16/raw/unifi_logrotate.d.sh -O /etc/logrotate.d/unifi
  10. Generate yourself a CSR, replacing the details as desired

          # ace.jar lives under /usr/lib/unifi/lib, so run from /usr/lib/unifi
          cd /usr/lib/unifi
          sudo java -jar lib/ace.jar new_cert unifi.mydomain.dom "My Company Name" City State US

      This will generate a CSR for you at /var/lib/unifi/unifi_certificate.csr.pem
  11. Generate the certificate using your own CA, or buy a certificate from a real CA
  12. Download your certificate(s) to /var/lib/unifi/
  13. Import the certificate

          cd /var/lib/unifi
          sudo java -jar /usr/lib/unifi/lib/ace.jar import_cert unifi_certificate.cert.pem intermediate.cert.pem root.cert.pem
          sudo service unifi restart

      NOTE: I am importing a certificate, plus the intermediate and root certs to establish a chain; your chain may differ
  14. Verify your service is exposed with netstat, like this:

          pi@hostname:~ $ sudo netstat -tlnp
          Active Internet connections (only servers)
          Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
          tcp        0      0 127.0.0.1:27117         0.0.0.0:*               LISTEN      542/mongod
          tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      499/sshd
          tcp6       0      0 :::8843                 :::*                    LISTEN      509/java
          tcp6       0      0 :::8880                 :::*                    LISTEN      509/java
          tcp6       0      0 :::8080                 :::*                    LISTEN      509/java
          tcp6       0      0 :::22                   :::*                    LISTEN      499/sshd
          tcp6       0      0 :::8443                 :::*                    LISTEN      509/java
  15. Now you are ready to start using your controller! You can reach it at https://<your-hostname-or-ip>:8443
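
The netstat check in the steps above can be automated. The script below is an added example, not part of the original tutorial: it reads `netstat -tlnp` output, confirms that the four Java listeners from that listing are present, and flags MongoDB if it is bound to anything other than loopback. The function names and the embedded sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -tlnp` output on the controller host.
# Expected java ports are the ones shown in the tutorial's netstat listing.

# Constructed sample input (the listing from the verification step).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0 0 127.0.0.1:27117 0.0.0.0:* LISTEN 542/mongod
tcp   0 0 0.0.0.0:22      0.0.0.0:* LISTEN 499/sshd
tcp6  0 0 :::8843         :::*      LISTEN 509/java
tcp6  0 0 :::8880         :::*      LISTEN 509/java
tcp6  0 0 :::8080         :::*      LISTEN 509/java
tcp6  0 0 :::22           :::*      LISTEN 499/sshd
tcp6  0 0 :::8443         :::*      LISTEN 509/java
EOF
}

# Reads netstat -tlnp output on stdin; prints one line per finding,
# or "OK" when every expected port is up and mongod is loopback-only.
audit_listeners() {
  awk '
    $6 != "LISTEN" { next }
    {
      n = split($4, a, ":"); port = a[n]            # port follows the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      split($7, p, "/"); prog = p[2]                # "509/java" -> "java"
      if (prog == "java") seen[port] = 1
      if (prog == "mongod" && addr != "127.0.0.1" && addr != "::1") {
        print "EXPOSED mongod on " $4; bad = 1      # database reachable off-host
      }
    }
    END {
      m = split("8080 8443 8880 8843", want, " ")
      for (i = 1; i <= m; i++)
        if (!(want[i] in seen)) {
          print "MISSING java listener on port " want[i]; bad = 1
        }
      if (!bad) print "OK"
    }'
}

# On the Pi: sudo netstat -tlnp | audit_listeners
sample_netstat | audit_listeners
```

Run it with sudo-captured output, since netstat only fills in the PID/Program name column for processes it is allowed to inspect.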

Bonus

If you (like me) prefer easy to type (and remember) URLs, then we can move the UniFi controller to ports 80 & 443 (standard HTTP and HTTPS ports). This way, no port will be required in the URL bar. The UniFi controller runs under a limited user and cannot bind to these ports, so we cannot do this with UniFi configuration alone. So… iptables to the rescue 🙂 We will set up an internal port forward.

  1. Set up the rules

         # IPv4: redirect the standard HTTP/HTTPS ports to the controller's ports
         sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
         sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
         # IPv6: same redirects
         sudo ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
         sudo ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
  2. Install iptables-persistent to automatically reload these for us

         sudo apt-get install iptables-persistent

     Answer “yes” to both prompts to save the rules on install (one for IPv4, one for IPv6), and we are done!
  3. Test your controller at https://<your-hostname-or-ip>