Install Ubiquiti's UniFi Controller on a Raspberry Pi

rpi_unifi.md

Compatibility

I currently run Ubiquiti's UniFi Controller on a Raspberry Pi 3B without issue. I have tried with a Raspberry Pi 1B, but the application crashes on startup. I assume it is due to a lack of RAM. Presumably, it would run on a Raspberry Pi 2B as well (same amount of RAM), but I have not tested it on this model. YMMV.

Instructions

1. Install Raspbian on a SD card. I tested this with Jessie Lite (headless)

2. Use raspi-config to expand the filesystem, rename your PI, etc

   sudo raspi-config

3. Reboot the PI for the filesystem changes to take effect

4. Update packages

   sudo apt-get update
   sudo apt-get upgrade -y

5. Install Java 7 (OpenJDK) and MongoDB

   sudo apt-get install -y openjdk-7-jre-headless mongodb

6. Disable the default MongoDB instance to free up resources (UniFi will run its own copy)

   sudo service mongodb stop
   sudo service mongodb disable

7. Add Ubiquiti's source list

   echo "deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti" | sudo tee /etc/apt/sources.list.d/100-ubnt.list
   sudo apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
   sudo apt-get update

8. Install the UniFi controller software

   apt-get install -y unifi

9. Create log rotation to avoid disk space issues NOTE: downloads unifi_logrotate.d.sh from this Gist

   sudo wget https://gist.githubusercontent.com/kburdett/006a16316afa62148b16/raw/unifi_logrotate.d.sh -O /etc/logrotate.d/unifi

10. Generate yourself a CSR, replace the details as desired

    sudo java -jar lib/ace.jar new_cert unifi.mydomain.dom "My Company Name" City State US

    This will generate a CSR for you at /var/lib/unifi/unifi_certificate.csr.pem

11. Generate the certificate using your own CA, or a buy a certificate from a real CA

12. Download your certificate(s) to /var/lib/unifi/

13. Import the certificate

    cd /var/lib/unifi
    sudo java -jar /usr/lib/unifi/lib/ace.jar import_cert unifi_certificate.cert.pem intermediate.cert.pem root.cert.pem
    sudo service unifi restart

    NOTE: I am importing a certificate, plus the intermediate and root certs to establish a chain, your chain may differ

14. Verify your service is exposed with netstat, like this:

    pi@hostname:~ $ sudo netstat -tlnp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:27117         0.0.0.0:*               LISTEN      542/mongod      
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      499/sshd        
    tcp6       0      0 :::8843                 :::*                    LISTEN      509/java        
    tcp6       0      0 :::8880                 :::*                    LISTEN      509/java        
    tcp6       0      0 :::8080                 :::*                    LISTEN      509/java        
    tcp6       0      0 :::22                   :::*                    LISTEN      499/sshd        
    tcp6       0      0 :::8443                 :::*                    LISTEN      509/java
    

15. Now you are ready to start using your controller! You can reach it at https://<your-hostname-or-ip>:8443

Bonus

If you (like me) prefer easy to type (and remember) URLs, then we can move the UniFi controller to ports 80 & 443 (standard HTTP and HTTPS ports). This way, no port will be required in the URL bar. The UniFi controller runs under a limited user and cannot bind to these ports, so we cannot do this with UniFi configuration alone. So... iptables to the rescue :) We will set up an internal port forward.

1. Set up the rules

   sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
   sudo ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
   sudo ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

2. Install iptables-persistent to automatically reload these for us

   sudo apt-get install iptables-persistent

   Answer "yes" to both prompts to save the rules on install (one for IPv4, one for IPv6), and we are done!

3. Test your controller at https://<your-hostname-or-ip>

unifi_logrotate.d.sh

/var/log/unifi/*.log {
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    copytruncate
}

Hi,,

Thanks for you how to..

There is a typo:

sude apt-get update should be sudo apt-get update

Thanks for the correction @tomasnorre. I fixed it.

Hi,
first of all thanks for the great how to.

I just have installed it on a rpi 2b. It seems using apt-get install oracle-java8-jdk instead of the openjdk increases speed enormously.
For the newest controller version I have used the deb source:
deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti
'cause stable seems to be version 4. See also https://help.ubnt.com/hc/en-us/articles/220066768

Tomorrow I'll try to configure the whole thing ;)

Thanks for this!

I'm golden until step 10, and then I'm lost. When I run the command for step 10, I get the message Error: Unable to access jarfile lib/ace.jar. I also have no idea how to turn the CSR into a certificate. If someone could point me in the right direction that would be awesome! Thanks.

@kburdett

when im writing step 9 I get Error 400:bad request.

Anybody interested in helping me out, PM me.

Thanks and compensation packages available.

@rhinodavid

Try this. The commands will work on linux as well as Windows: https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html

@kburdett

Hi! Thanks for the great guide.

At step 10, ace.jar only generates unifi_certificate.csr.der unifi_certificate.csr.pem. I tried to import any of these and both together but get an error upon importing with ace. Any suggestion ?

Everything functionally works,
There's only one thing that I can complain: testing wifi speed using mobile app is kind of not working properly,
because it literally test the throughput between RPI and phone which is bounded by the line speed of RPI.