The Unifi controller is in OpenBSD's ports tree, so you can simply install it from there.
However, because building it needs an unusual amount of disk space, you may want to install the whole system on a single partition, assuming this is a single-purpose system that can be backed up.
Install OpenBSD normally until you reach the disk setup. Choose (W) Whole Disk, then set a custom layout (c).
- Enter "a" to add a partition.
- Accept the default offset, size, and fs type (3 times).
- Set the mount point to "/".
- w [Write]
- q [Quit fdisk]
Continue installing sets as normal.
(You may want to use doas or just su; my environments sometimes require sudo specifically.)
Log in as root, or log in as yourself and run su to become root.
pkg_add portslist sudo--
echo "%wheel ALL=(ALL) ALL" | EDITOR='tee -a' visudo
Add your user to the 'wheel' group:
usermod -G wheel <username>
Log out as root, or exit su.
As your normal user:
cd /tmp
ftp https://cdn.openbsd.org/pub/OpenBSD/$(uname -r)/{ports.tar.gz,SHA256.sig}
signify -Cp /etc/signify/openbsd-$(uname -r | cut -c 1,3)-base.pub -x SHA256.sig ports.tar.gz
As root (sudo -s, sudo su, or su):
cd /usr
tar xzf /tmp/ports.tar.gz
Type exit to return to your normal account.
cd /usr/ports/net/unifi/main
sudo -s
make FETCH_PACKAGES= install
This should take a few minutes. Setting FETCH_PACKAGES= is optional; it makes the ports infrastructure fetch dependencies that already exist as binary packages instead of building them from source. Note there is a space after the equals sign. Once this is done, you can start the controller and go to https://<IP Address>:8443/ in a browser (omitting the trailing / resulted in a 404).
(This took less than 7 minutes on a vultr CPU-optimized instance)
rcctl start unifi
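The fetch-verify-extract steps above, collected into one script as an added example (this is not from the original post): the point worth automating is that the ports tarball is unpacked only after signify has verified it against the release key, so a tampered download never reaches /usr/ports. It assumes cdn.openbsd.org as the mirror, sudo as in the post, and the stock /etc/signify key directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the ports tarball and its
# signature for the running OpenBSD release, verify with signify, and unpack
# only if verification succeeds. Assumes cdn.openbsd.org, sudo (as in the
# post) and a stock /etc/signify directory.
set -eu

MIRROR=https://cdn.openbsd.org/pub/OpenBSD

# "7.4" -> "/etc/signify/openbsd-74-base.pub": the key that signed the
# release's SHA256.sig. Equivalent to the post's "uname -r | cut -c 1,3".
signify_key_for() {
    printf '/etc/signify/openbsd-%s-base.pub\n' "$(printf '%s' "$1" | tr -d '.')"
}

# URL of one file in the release directory, e.g. ports.tar.gz or SHA256.sig.
release_url() {
    printf '%s/%s/%s\n' "$MIRROR" "$1" "$2"
}

fetch_and_verify_ports() {
    rel=$(uname -r)
    key=$(signify_key_for "$rel")
    work=$(mktemp -d /tmp/ports.XXXXXX)
    cd "$work"
    for f in ports.tar.gz SHA256.sig; do
        ftp -o "$f" "$(release_url "$rel" "$f")"
    done
    # -C checks SHA256.sig's signature against the release key and then
    # compares ports.tar.gz with the hash listed in it. A bad signature or a
    # tampered tarball exits non-zero, so nothing is extracted.
    if ! signify -Cp "$key" -x SHA256.sig ports.tar.gz; then
        echo "verification of ports.tar.gz FAILED; not extracting" >&2
        return 1
    fi
    sudo tar -C /usr -xzf "$work/ports.tar.gz"
    rm -rf "$work"
    echo "ports tree unpacked under /usr/ports"
}

# The network steps only run when invoked as: sh fetch-ports.sh run
if [ "${1:-}" = "run" ]; then
    fetch_and_verify_ports
fi
```

Run it as your normal user; only the tar step escalates, and it never runs if signify reported a failure.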
If you are setting up for paranoia:
- Name the application and click Next
- Click Advanced Setup.
- Uncheck the two options (Enable Remote Access, Use your Ubiquiti account for local access)
- Set a local username and password, click next.
- The auto-backup does not use the cloud; it writes backups to a folder on the system. I'd turn this on.
- You can skip adoption if you want (cloud adoption requires additional setup), or adopt devices now.
- It took less than 7 minutes from clicking Deploy in the Vultr control panel to having a working install on a Vultr $28/mo CPU Optimized Instance (I used a large instance for testing - this is excessive for something this low throughput)
- df -h on the server with OpenBSD 7.4 (without cleanup or compression):
vultr$ df -h .
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     21.3G    3.6G   16.6G    18%    /
vultr$ uname -a
OpenBSD vultr.guest 7.4 GENERIC.MP#1396 amd64
- Memory usage: System was using 586MB (2GB available). It can probably use less if the system is smaller.
(Optional, but for reference) To search the ports:
cd /usr/ports
make search key=unifi
(replace the key with whatever you want to search for in the ports tree)
The firewall should be configured appropriately. I used the following pf ruleset to allow the Unifi device ports from anywhere (temporarily) and to allow access to the console only from my IP address.
- It may be better to access the console only over SSH.
- Some of the sites have dynamic IP addresses, so writing firewall rules for them is not immediately straightforward. Ideally the controller would be accessed over a VPN.
set skip on lo
#anti lockout
pass in quick proto tcp from any to any port 22
block all
block return # block stateless traffic
#pass # establish keep-state, default pass
pass out quick proto { tcp, udp } from any to { 8.8.8.8, 1.1.1.1 } port domain
# Allow anything from my IP addresses
pass in proto {icmp, tcp, udp} from { 136.28.2.0/23 209.200.230.0/24 } to any
# Allow ICMP
pass in inet proto icmp icmp-type echoreq
# Allow Unifi ports - Device configuration (8080) and speed test (6789)
pass in proto tcp from any to any port { 8080, 6789 }
# Allow STUN - no use if there's no Unifi router.
# pass in proto udp from any to any port { 3478 }
# Allow Unifi ports - portal redirection
#pass in proto tcp from any to any port { 8880, 8843 }
# Unifi: NTP
pass out proto udp from any to any port 123
pass in proto udp from any to any port 123
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
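Since this ruleset is loaded on a remote box, two checks are worth doing before pfctl -f: list which ports the rules open to every source address (so the console port is not exposed by mistake, and the "temporary" device ports are easy to find later), and syntax-check the file with pfctl -n so a typo does not leave you locked out. The script below is an added example, not part of the original post; its parser is a deliberately rough heuristic for the simple "pass in ... from any ... port N" and "port { A, B }" forms used above (it ignores port ranges, macros and tables), and the sample ruleset it writes is a constructed subset of the rules on this page.

```shell
#!/bin/sh
# Added example, not from the original post: audit which ports a pf ruleset
# passes in from the whole Internet, then syntax-check it before loading.
# The parser only understands the simple rule forms used in this post.
set -eu

# Write a constructed sample ruleset (a subset of the post's rules) to a
# temp file and print its path.
write_sample_ruleset() {
    f=$(mktemp /tmp/pf.XXXXXX)
    cat > "$f" <<'EOF'
set skip on lo
#anti lockout
pass in quick proto tcp from any to any port 22
block all
# Allow anything from my IP addresses
pass in proto {icmp, tcp, udp} from { 136.28.2.0/23 209.200.230.0/24 } to any
# Allow Unifi ports - Device configuration (8080) and speed test (6789)
pass in proto tcp from any to any port { 8080, 6789 }
# pass in proto udp from any to any port { 3478 }
pass out proto udp from any to any port 123
pass in proto udp from any to any port 123
EOF
    echo "$f"
}

# Print, sorted and space-separated, every numeric port that an uncommented
# "pass in ... from any ... port ..." rule opens to any source address.
pf_world_open_ports() {
    sed -e 's/#.*$//' "$1" \
    | grep -E '^[[:space:]]*pass[[:space:]]+in([[:space:]]|$)' \
    | grep -E 'from[[:space:]]+any([[:space:]]|$)' \
    | grep -E '[[:space:]]port[[:space:]]' \
    | sed -E 's/.*[[:space:]]port[[:space:]]+//' \
    | tr -d '{},' \
    | tr -s ' \t' '\n' \
    | grep -E '^[0-9]+$' \
    | sort -n -u \
    | tr '\n' ' ' \
    | sed -e 's/ $//'
}

# Report the world-open ports, parse the file without loading it (pfctl -n),
# and load it only if the parse succeeded. Do this over ssh only once the
# anti-lockout rule for port 22 is in the file.
pf_check_and_load() {
    ruleset=$1
    echo "ports open to any source: $(pf_world_open_ports "$ruleset")"
    pfctl -nf "$ruleset"
    pfctl -f "$ruleset"
}

# Usage: sh pf-check.sh load [/path/to/pf.conf]
if [ "${1:-}" = "load" ]; then
    pf_check_and_load "${2:-/etc/pf.conf}"
fi
```

For the ruleset on this page the audit prints 22, 123, 6789 and 8080: the SSH anti-lockout rule, NTP, and the two Unifi device ports; 8443 is absent because the console is only passed from the listed source networks.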
This is really easy if you have an EdgeRouter: go to Services > DHCP Server > Actions (drop-down for the relevant subnet) > Details. There's a field for Unifi Controller; enter the hostname or IP address of the Unifi controller.
If you're using a different DHCP server, it's DHCP Option 43.
See: https://help.ui.com/hc/en-us/articles/204909754-UniFi-Network-UniFi-Cloud-Adoption-Layer-3-
To test connectivity from the network, requesting http://:8080/inform should return an HTTP 400 (rather than a 404).
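For DHCP servers that take option 43 as a raw value rather than a named field, the controller address has to be encoded by hand: the UniFi vendor option carries it as sub-option 1 of type ip-address, so the payload is the byte 01, the length byte 04, and the four address octets. The script below is an added example, not part of the original post or Ubiquiti's documentation; it produces both the plain and colon-separated hex forms, rejects malformed addresses, and includes the inform-URL check described above as an optional probe (which assumes curl is installed). The function names and the sample addresses are my own.

```shell
#!/bin/sh
# Added example, not from the original post: produce the DHCP option 43 value
# that points UniFi devices at the controller, and optionally probe the
# inform endpoint. The UniFi vendor option carries the controller address as
# sub-option 1 of type ip-address, so the payload is 01 04 followed by the
# four address octets. Assumes curl is installed for the optional probe.
set -eu

# Accept only dotted-quad IPv4 with no leading zeros (a leading zero would
# make printf read the octet as octal) and every octet in 0..255.
valid_ipv4() {
    printf '%s' "$1" \
    | grep -Eq '^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Raw hex form, e.g. "0104c0a80102" for 192.168.1.2.
unifi_option43_hex() {
    valid_ipv4 "$1" || { echo "not a usable IPv4 address: $1" >&2; return 1; }
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    printf '0104%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Colon-separated form some DHCP servers and GUIs expect,
# e.g. "01:04:c0:a8:01:02".
unifi_option43_colon_hex() {
    hex=$(unifi_option43_hex "$1") || return 1
    printf '%s\n' "$hex" | sed -e 's/../&:/g' -e 's/:$//'
}

# Optional live check, as the post describes: a plain GET on the inform URL
# should return HTTP 400; a 404 means the port or path is wrong.
check_inform_endpoint() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$1:8080/inform")
    [ "$code" = "400" ]
}

# Usage: sh option43.sh encode <controller-ip>
#        sh option43.sh probe  <controller-host>
case "${1:-}" in
    encode) unifi_option43_colon_hex "${2:?controller address}" ;;
    probe)
        if check_inform_endpoint "${2:?controller host}"; then
            echo "inform endpoint answered 400 as expected"
        else
            echo "unexpected response from inform endpoint" >&2
        fi ;;
esac
```

ISC dhcpd can instead declare the same sub-option symbolically (an `option space` with a code 1 `ip-address` member) and take the controller address in dotted form, which avoids the hex encoding entirely; the hex form is for servers and appliances that only accept a raw option 43 value.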