Definitive Guide to Hosted UniFi 2021

  • Published: 29 Sep 2024
  • How to install a Hosted UniFi controller in 2021! This guide shows you how to install a hosted multi-site UniFi 6.0.43 (or newer) controller on Ubuntu 20.04. We also cover how to secure your server using private key authentication, non-root user access, and a non-default SSH port. Plus all of the software and configuration prerequisites that make this the Definitive Guide to Hosted UniFi 2021.
    Definitive Guide to Hosted UniFi Blog post: crosstalksolut...
    Crosstalk Solutions offers best practice phone systems and network/wireless infrastructure design/deployment. Visit CrosstalkSolut... for details.

Comments • 158

  • @wzk921109 3 years ago +1

    Just by the title, this is really needed since the update.

  • @geoffreyring1856 3 years ago

    Oh my, makes a Synology hosted UniFi controller look easy. I’d rather buy a cloud key than do command line green screen. Thanks for putting this type of video together.

    • @CrosstalkSolutions 3 years ago +1

      I have a video showing how to install UniFi on Synology as well. :)

    • @geoffreyring1856 3 years ago

      I know, I used it to set up mine, and refer back to it each time I have to upgrade it to a new version. Very much appreciated. I’d love to see a step by step guide for creating VLANs and firewall rules using a USG for segmenting IoT, Corporate, Camera, etc.

  • @Mcduff001 3 years ago +14

    Superb, I've used this guide to install and run my own cloud hosted controller for a couple of years, works perfect, Chris is an amazing teacher!

  • @remixedMind 3 years ago +2

    Great video, for the unifi install you can also use the script Glenn R. created.

    • @CrosstalkSolutions 3 years ago +1

      Yes - and I may do a follow-up showing that script. However, for this purpose, it's always nice to actually learn all of the pieces of the puzzle, and explain each step along the way. It's a better learning experience than the so-called magic box that just does everything behind the scenes.

    • @remixedMind 3 years ago

      @CrosstalkSolutions Yes, I agree, it's great to learn how it works, I'm just saying it can be mentioned for people that just want an easy one-click solution

    • @seanwoods1526 3 years ago

      @CrosstalkSolutions Also Glenn's script does the LE hooks for you as well, just FYI.

  • @NenadKralj 3 years ago +1

    I assume that you need to have a static WAN ISP IP address (for connecting from a specific IP address) to the server/UniFi?
    And many of us have a dynamic IP, not static.

  • @terryjohnson3100 3 years ago

    Thanks Chris! You are awesome.

  • @erikbakke5401 3 years ago

    Superb, my cloudkey is for sale :P migrated to cloud controller without any problems.

  • @KirasNote22 3 years ago +1

    Question: using ufw to allow from [IP address] to any port [SSH port number] does not sound like a good idea for the majority of people watching this video. As they likely have a dynamic IP. Is there a way to get around this? I have not found a solution.

  • @pasatiempotony 3 years ago

    Chris' cookbook worked perfectly. I now have a controller running in the cloud. One hitch though. My UniFi DHCP server does not seem to be working. Which makes sense I guess. Is there a way to make UniFi's DHCP server work in this cloud based implementation?

  • @nainm6196 3 years ago

    What are your views on the new cloud key update that does not allow remote site management?

  • @mihalyfreeman5928 3 years ago

    So you're hosting a cloud key on your own server? Why would you be doing that? I mean are you charging a monthly maintenance fee to all your hosted clients? And how do you get the datacenter where you're hosting this machine to install the cloud key?

  • @playtime5423 3 years ago

    Awesome 👍🏼👍🏼

  • @JohnnyLai 3 years ago

    Can you make a similar video with AWS Lightsail?

  • @wimrotor 3 years ago

    Hi Chris, thank you.
    I was able to install a hosted controller and imported all of my previous sites using a backup.
    Today I want to add my first new remote site, but while doing the SET-INFORM command on that device (U6-LR), it mentions "server rejected", and it seems like no new device is pending in any of my already working sites on the same hosted cloud controller.
    Did I forget something? Thanks!

    • @wimrotor 3 years ago

      Found the solution:
      As it turns out that unifi device used to be connected to 1 of the sites, which I didn't use anymore.
      I first had to delete the - unreachable - device (since that site is hosted on a different controller), is working now :)
      Just wanted to add this info, in case someone has same issue

  • @senaldeva 3 years ago

    How do you make an SSL certificate work on a UniFi controller running on Rpi?

  • @linuxkidd 3 years ago

    SSH Port should not be above 1024. This is because non-root users can open ports 1024 and above, but cannot open lower ports. Thus, if someone takes over your node but has yet to achieve full root access, they could replace your SSH server with a nefarious one, wait for you to log in and have commands run via your sudo enabled account. Please don't recommend higher ports as "more secure" for this use case.

  • @davidanderson2436 3 years ago +6

    Great video - any plans to add a part 2 for how to setup different locations and actually control remote devices that are not on the same local LAN as the hosted server?

    • @AUserCAAP 2 years ago +4

      I have the same request, how does the remote server can see my LAN to add Unifi products?

  • @NicksMind21 1 year ago +1

    The video is 2 years old, but I would skip parts 18 and 19 (32:50) the rest of the video is still great. Glennr in the UniFi community has written scripts that work very well. If you follow parts 18 and 19, you will run into many current day dependencies with MongoDB, LibSSL, JDK. I would post a link to the post, but then my comment gets automatically deleted.

  • @mlugggy 2 years ago +1

    I think you missed an important step - adopting a remote device

  • @Soda88 3 years ago +7

    You should probably test logging in with a new user before disabling root access in case you lose connectivity with the server

    • @JasonFritcher 3 years ago +1

      And test the sudo access as well, otherwise you may find yourself root-less if something didn't work right.
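
The checks suggested in the two comments above (confirm that key login and sudo work before root is disabled), together with a check that ufw allows the SSH port you moved to, written as a script. This is an added example, not part of the video, the blog post or any comment; the user name `unifiadmin` and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the video or blog post): checks to run before setting
# PermitRootLogin no / PasswordAuthentication no and moving the SSH port.
# Inputs are passed as arguments so the checks can be tried on copies of the files.

# First uncommented value of KEY in an sshd_config file (sshd keeps the first value
# it reads); prints DEFAULT if the keyword is absent. Match blocks and Include files
# are not interpreted here: `sshd -T` gives the authoritative view on the server.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Number of lines in an authorized_keys file that carry a public key.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" |
        grep -cE '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) +[A-Za-z0-9+/]+' || true
}

# True if `ufw status` text shows the firewall inactive, or PORT allowed for TCP.
port_open_in_ufw() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Status: inactive/ { ok = 1 }
        ($1 == port || $1 == port "/tcp") && ($2 == "ALLOW" || $2 == "LIMIT") { ok = 1 }
        END { exit !ok }
    '
}

# Print one "FAIL: ..." line per problem; return 0 only if there are none.
# Arguments: sshd_config path, authorized_keys path, the login user's groups
# (output of `id -nG USER`), and the output of `ufw status`.
preflight() {
    pf_config=$1; pf_keys=$2; pf_groups=$3; pf_ufw=$4; pf_failed=0
    pf_port=$(sshd_setting "$pf_config" Port 22)

    if [ "$(count_keys "$pf_keys")" -lt 1 ]; then
        echo "FAIL: no public key in $pf_keys"; pf_failed=1
    fi
    case " $pf_groups " in
        *" sudo "*) ;;
        *) echo "FAIL: login user is not in the sudo group"; pf_failed=1 ;;
    esac
    if [ "$(sshd_setting "$pf_config" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is disabled"; pf_failed=1
    fi
    if ! port_open_in_ufw "$pf_ufw" "$pf_port"; then
        echo "FAIL: ufw does not allow SSH port $pf_port"; pf_failed=1
    fi
    return "$pf_failed"
}

# Example run on the server, for the assumed user "unifiadmin":
#   sh preflight.sh /etc/ssh/sshd_config /home/unifiadmin/.ssh/authorized_keys \
#       "$(id -nG unifiadmin)" "$(sudo ufw status)"
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

A clean run does not replace the manual test: keep the existing root session open and log in as the new user from a second terminal before restarting sshd.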

  • @AaronMcHale 3 years ago +8

    Really nice guide there Chris!
    Just a couple of thoughts from my own perspective as an IT professional:
    My personal opinion is that changing the SSH port probably is just more hassle than it's worth, because once you have only public/private key authentication enabled, even if someone does discover your server, it would be practically impossible for them to get it (with current compute power, as long as the SSH key is strong enough).
    Nice touch on restricting SSH (and other ports) to only specific IP Address ranges :) but it's worth noting that most people won't have a static IP Address assigned by their ISP at their home, due to the global IPv4 shortage, ISPs are typically only giving out static IP Addresses for people on business plans and using dynamically assigned IPv4 addresses for the majority of their home (and even business) customers. I'm in that exact position with my own ISP where my public IP Address changes frequently. So I would add a warning to only do that unless you know you're only going to be working from a static IP Address.
    With the Swap file, in the video you allocated 4GB, which is a good size, but I could totally see someone getting a cheap VPS that has say only 2GB or 4GB or 6GB of storage, and then having a swap file which could be larger than the amount of available storage they have, so worth noting that it should be small enough that it doesn't have the potential to eat up all of the available storage.
    Small note, when you install UniFi, because you just added a new repository to Apt, this time apt update would be required, otherwise trying to install UniFi without the apt update would likely give an error since it wouldn't have known about the repository we just added. I thought I'd mention that because, just before installing UniFi, you mentioned that you don't need to run Apt update with every Apt command, which is true except for in this case.
    One last tiny thing, in the cron.daily file for updating the Let's Encrypt certificate, instead of #!/bin/bash, a more platform independent method would be "#!/usr/bin/env bash" (or even "#!/usr/bin/env sh" if you want to be even more platform independent). Again, this is a really minor thing, but it just means that in the event the Bash binary isn't at /bin/bash (some systems might have it as /usr/bin/bash for example) there's no risk of errors being thrown up.
    Like I said, great guide there overall, really well done :)

  • @FinderX 3 years ago +5

    Nice! Now the only thing missing is adopting remote devices to this new hosting controller.

    • @Jiggs224u 3 years ago +2

      Yep, you just need to use set-inform on the devices before they are deployed or shipped out so they know where home base is. Google set-inform unifi and you'll be good to go.

  • @thbe51 3 years ago +6

    With Chris, this can't go wrong. Many thanks!!

  • @DavidOraha 3 years ago +3

    To further secure, you can also lock down to Ubiquiti's ASN. For instance, instead of allowing ports to the whole internet, you can specify the required IP range; for Ubiquiti it's 192.76.255.0/24. Mitigates your attack surface :) Really awesome vid Chris as always bud.

  • @rsmakishi 3 years ago +4

    Some extra tips for Putty:
    1. To paste a text in Windows clipboard to Putty just left click in the Putty window, I use to copy commands with enter applied.
    2. To copy text from Putty to the Windows clipboard just select the text in Putty.
    3. You can also save the username in the putty saved session, it’s in Connection-Data.

    • @CrosstalkSolutions 3 years ago

      Good tips! Though, I don't typically save usernames or passwords due to security.

  • @DPCTechnology 3 years ago +4

    Great Guide! Thanks for putting this and the blog together!

  • @pb4163 3 years ago +1

    Just FYI, as of the latest Windows 10 update there is now a built-in ssh client that is enabled by default. So you can ssh directly from the command prompt and you don't need to worry about using putty-gen, it was something sneaky MS did recently, but I will say it works great.

  • @matthewgilbride8212 3 years ago +2

    I have a UDM (not the pro) which won't update the firmware or controller past the one it shipped with. I can't even force it. Any advice?

  • @asilvi90 2 years ago

    As of 18/10/2021, when installing UniFi I get this
    E: Unable to correct problems, you have held broken packages.
    The following packages have unmet dependencies:
    unifi : Depends: mongodb-server (>= 2.4.10) but it is not installable or
    mongodb-10gen (>= 2.4.14) but it is not installable or
    mongodb-org-server (>= 2.6.0) but it is not installable
    Depends: mongodb-server (< 1:4.0.0) but it is not installable or
    mongodb-10gen (< 4.0.0) but it is not installable or
    mongodb-org-server (< 4.0.0) but it is not installable
    E: Unable to correct problems, you have held broken packages.
    Has anyone seen this before?

  • @DonGerico 3 years ago +1

    How do we go about securing the controller when we have a dynamic IP address from our ISP?

  • @paulschafer8780 2 years ago

    Following instructions here everything goes well until the change of the port 22 step. I comment out that line, change it to 2222, save, reload, and then open a new session. When trying to login with the updated port 2222 and the FQDN, it gives me a Network timed out error. Any thoughts on what may be missing there?

  • @philnutman5902 2 years ago

    I'm struggling with this, I used the old guide no problem but with this guide my Vultr is refusing a connection once the ssh port has been changed away from 22.

  • @AlexandreMorato71 1 year ago

    Hi Chris. Thanks for this amazing guide. Do you plan a newer guide for 2022?

  • @CJB_B95L 1 year ago

    I am dying inside. I have the controller all set up and working but cannot for the life of me get my access points to connect. I was able to ssh into one after resetting and performing set-inform to new controller but it just does not show up to adopt. I'm using an Edgemax router with firewall set up. Do I need a new rule set?

  • @sspringall 3 years ago +1

    It would be good to use the Let's Encrypt cert on Cockpit as well.

  • @NixTeam1 3 years ago +1

    There is no purpose to deploy a hosted controller, what if the internet connection goes down, you can’t do anything with your UniFi network. Even check the WAN. But if you have an internal controller, you will be able to connect to it from outside of the network.

    • @innermotion7 3 years ago

      Your statement contradicts itself. smh, there is a time and place for local and cloud. We use both, but most of our client sites sit on cloud servers.

    • @mikesmith-ek1il 3 years ago

      What are the advantages of setting it up like shown in the video? - new guy

  • @DAllen0214 3 years ago +4

    Love these vids. Would really love to see what the differences are for self hosted controllers as I would love to set one up on my own server rather than paying for cloud hosting.

    • @marcusone1 3 years ago

      Not really any difference. You can follow this guide on any local machine by installing Ubuntu (into a VM using VMware, VirtualBox, Proxmox, whatever). You can skip the lets-encrypt stuff if you plan to only access the controller locally (which is what I do for my home). You can also skip connecting it to Ubiquiti servers if you don't care to access via Ubiquiti web/apps.

    • @DAllen0214 3 years ago

      @marcusone1 I would like to access from anywhere and be able to adopt devices from other sites

    • @marcusone1 3 years ago

      @DAllen0214 You need to forward ports in your firewall to your internal controller, all simple. You may not want to do that until you get a better handle on firewalls, routing, security.

  • @sentinelace 2 years ago

    What if you are locking down with site to site VPNs?

  • @durohr232 1 year ago

    Linux makes the whole process so complicated (as always).

  • @israelcortez7945 3 years ago

    How can I make a login in Ubuntu using Mac Terminal with an RSA key?

  • @pasatiempotony 3 years ago +2

    Great video as always. Excuse a dumb question, but at the beginning you show a starter kit that includes a cloud key device. Would I need or want a cloud key if I am running a Unifi controller from an Ubuntu server? I'm off to buy you a beer my friend!

    • @Klementoso 3 years ago

      No, a CloudKey is useless if you already have your own controller running. Unless it’s the Gen2+ and you use it for protect, access or talk.
      I have a few clients who run a CloudKey Gen2+ for Protect. Except for 1 all are controlled by my self-hosted UniFi controller. I only migrated that single client to their own CloudKey because of better guest portal performance.

    • @pasatiempotony 3 years ago

      @Klementoso So the use case for cloud hosting is what? Why not just deploy a cloud key locally? Is it just for shops that want to manage multiple Unifi deployments from the same controller? Thanks!

    • @Klementoso 3 years ago +1

      @pasatiempotony I have around 50 sites in my UniFi controller at the moment. That’s around 10 grand saved on cloud keys right there! On demand I do installs with CloudKeys, but customers usually prefer to save a few bucks.
      The self-hosted controller predates the cloud keys, which are mainly there for protect. I like to keep everything in 1 controller, just better for switching between customers.
      I used to sell gen1 cloudkeys, but they regularly corrupted themselves during power outages. Of course that’s solved with gen2, but at over double the price... I can rent a server for 15 to 30 months for every CloudKey I don’t use. And how about offsite backup?
      Oh and about 80% of my Linux knowledge I gained through fiddling around with my controller :)

    • @pasatiempotony 3 years ago

      @Klementoso Ah, that makes perfect sense, thank you for clearing that up for me.

  • @mjbates 3 years ago +1

    Could I lock down 3478/udp and 8080 to just the sites this controller is controlling (like how you've locked down ssh port) or does the inform get passed through unifi servers?

    • @Klementoso 3 years ago +1

      You can definitely do that, but I wouldn’t do it unless you have a static IP at the location where your UniFi gear is installed. You could of course also use VPN to encrypt this data.

    • @mjbates 3 years ago

      @Klementoso Great, Thanks!

  • @studiotwo 3 years ago +1

    Q: Why do you disable root and Password Authentication before testing the certificate login? I'm still not confident to set up the key pair for fear of locking myself out.

    • @davidsease8203 3 years ago +1

      Follow the directions and you will not have an issue. I just completed it myself.

  • @Timichaud 3 years ago +1

    Next part a secure UNVR on separate VLAN vs cameras vs user? Thank you for those nice and clear videos!

  • @tim_biller 3 years ago +1

    Chris - excellent guide - thank you very much. This will keep me quiet for a little while. I normally use Linode but happy to look at Vultr as well.
    Will you be creating further videos on the best way to adopt and manage devices at remote sites into the cloud controller?
    Thanks again, Tim

    • @CrosstalkSolutions 3 years ago +4

      Glad you enjoyed it - I am planning a full re-vamp of my UniFi setup videos this year.

  • @sergejkravchenko6741 3 years ago +1

    What to do in case of a dynamic IP address?

  • @marcusone1 3 years ago +1

    Super complete guide, well done! Perhaps a dumb/noob question: how does one add a new device to a controller not on the same network (i.e. this new cloud controller)?

    • @kristianfaller290 3 years ago

      You would have to set the inform URL to the controller site. Haven't done this myself, but I guess others can point you to the exact steps.

    • @marcusone1 3 years ago

      @kristianfaller290 Far as I can find, you have to ssh into each individual device (even when new) and set the inform URL :(
      Tried the Chrome thing, but that doesn't let you set anything.

  • @soufilms 3 years ago

    This is some great guidance, thank you so much. For those who are stuck at the step for DigitalOcean in regards to ssh-copy-id, do the following:
    Log in as root
    Edit ssh config:
    sudo nano /etc/ssh/sshd_config
    Change this line:
    PasswordAuthentication no
    to
    PasswordAuthentication yes
    Restart daemon:
    sudo systemctl restart sshd
    Do ssh-copy-id:
    ssh-copy-id someuser@
    Revert changes to ssh_config if you are security conscious and restart daemon.
    P.S. To Author, can you please give guidance on how to set the same certificate for the cockpit application?

  • @pinkfrankenstein 2 years ago

    Thanks for the informative video and article.
    My only hurdle, and it took a while to figure this out, is that my webhosting service doesn't accept Let's Encrypt certificates.
    So I either have to change my hosting service or get another domain name it seems.

  • @albinesbrazelton9649 3 years ago

    I just watched your video Definitive Guide to Hosted Unifi 2021 and I chose to use Digital Ocean. After my account was set up, they locked me out and kept my money. Wow. I guess I should have used Vultr or AWS.

  • @JasperWaale 3 years ago

    Ok, Q. I've been running the controller for some time in Docker on my Synology (you got me on the UniFi systems). If I was to move this away and into a stand-alone option, is that the UniFi key? I don't want an "off site hosted" solution. Might be a silly Q, but I don't seem to find a clear answer: is it all as simple as getting a Cloud Key, and what functions do I lose? I'm asking as I have issues with DHCP when some parts of the network go offline.

  • @wayneflittner4970 2 years ago

    This is a great step by step. I've had my own hosted controller set up now for several months. Although I'm having trouble with the auto backup. Can't seem to find the auto backup folder in the usual /var/lib/unifi/backup/autobackup location. Is this because when we connect via ssh we aren't actually root? I thought we had set up via the document and the video that the user created has root permissions. Any chance of doing a video on how to manage these backups and save to a Synology offsite? Willie Howe actually has a video on saving to the Synology. However he uses root.

  • @kevinxxx1387 3 years ago

    I first watched your videos after I bought an Edgerouter X and AP-AC LITE.
    There's been a lot of water under the bridge (and some over it) since then, and now I'm installing a new Unifi controller.
    I'm glad to see this; I'll watch it again tomorrow and git-er done.
    I'll buy you a beer when I can. God bless you.

  • @jamiealite 3 years ago

    I'm looking to upgrade my current routers from Google mesh to Ubiquiti for my house. I see that they now have the UDM Pro. Do I need that cloudkey anymore, or is that only used for multi-client options now? I'm thinking of buying the UDM Pro, a 24 port PoE switch and a couple of access points; my house is no bigger than about 800 sq ft. Could I possibly get some feedback from you on this? I don't want to purchase the wrong stuff. Thanks

  • @eddytrochez 3 years ago

    I have the 2GB RAM server and I keep getting an out of memory message and the controller keeps restarting. Does anyone have an idea of what is going on?

  • @bilbp41 3 years ago

    I would like to buy the 4G security doorbell as I have a unified protect system; however, we can’t seem to get it in Europe or the UK. Can I still buy it from the American store, and would it work? Many thanks from David

  • @EngineerWilky81 3 years ago

    I've done a similar setup using AWS EC2 for hosting my UniFi controller on a t2.micro. One thing I like about AWS is that you can set up the virtual machine where a password isn't used, but an SSH key instead. Can't log in with a password to the virtual machine, so have to always use the SSH key. I feel that using SSH keys is more secure than passwords, so I didn't have to worry about the password part of the setup process to secure the passwords or ability to login with a password.
    It's worked great and I've got my mother's network set up as a site on there along with my home site. I chose not to buy a cloud key when I got into the Ubiquiti ecosystem. I like this setup more because I can get notifications and if the notifications are for all devices on my network, then I know that either the internet is out or the power has gone out. Once I get a UPS for my network cabinet, then I'll know that it'll most likely be an internet outage.
    The only thing that took a bit of time to get working properly is getting the LetsEncrypt SSL to auto renew every 3 months so I wouldn't have to do the renewal manually every 3 months.
    Loved how easy the setup for the UniFi controller was on Ubuntu and the update process is fairly simple as well. I've had very few issues with my setup.
    Overall great tutorial for those who are looking to play around with the UniFi controller and don't have a cloud key, or were one of the ones affected by the updated Cloud Key Gen 2+ firmware update that removed the multisite feature from the controller.

  • @justintemp 3 years ago +1

    Can you tell me where to get the design for that wall?

  • @ricardoantonioroquerodrigu2498 3 years ago

    Hi, excellent video, everything was going ok until I tried to verify the status of the unifi service, I got failed instead of active with this message "some journal files were not opened due to insufficient permissions." Can you help me?

  • @davidsease8203 3 years ago

    Can you provide instructions on how to block or redirect access to the "Apache2 Ubuntu Default Page" when the URL unifi.example.com is entered?

  • @brugle1973 3 years ago

    Hoi. Thanks for all the good videos. I'm wondering if you can do a video on how to solve IPTV with Ubiquiti eq.

  • @carlosnapoles928 3 years ago

    Hey Chris!! Thank you so much, I have everything working but when I enable ufw I cannot access the controller, any suggestions?

  • @ItsEdSilha 3 years ago

    This is a great video but the question still hanging in the air is how do you use it? How do I set up brand new equipment at a remote site using a hosted controller? The only answers I’ve been able to come up with seem rather daunting in which case the cloudkey just seems like the no brainer option.

  • @belaircomputerguyllc4001 3 years ago

    Excellent videos, one of my favorite channels. Hey, since you're a big Unifi fan, what is your response to all the hate the UDMP gets? I also run pfsense, but I'm seeing a tremendous amount of bad press surrounding the stability/reliability of the UDMP. I realize it may not have all the features pfsense has, but what's so bad about it?

  • @1gsander 3 years ago

    I see some similar comments here but want to add my name to this wish list. I would like a video about how to use this hosted Unifi to set up and maintain multiple remote clients. Thanks for this great video.

  • @wayneflittner4970 3 years ago

    Great video. Although I'm stuck because I am trying to do this on a Mac with terminal. I'm not aware of the process to use the public/private keys. If anyone can point me in a direction that would be great.

  • @gvsc1987 3 years ago

    Cannot wait to do this .... did a UniFi install for my old church and have been trying to figure out a way to do this for my own home network. Thanks!!

  • @vijgai3 3 years ago

    Very detailed. Thanks.
    I followed the guide to the letter except using a script from the Ubiquiti forums to set up the controller.
    Working fine on Linode as well.

  • @FabrizzioSoares 3 years ago

    I was wondering if Dream Machine can be used with captive portal

  • @ngreed 3 years ago

    Great Video, I was just thinking of setting up a hosted instance of Unifi on my TrueNAS box. When I do I will follow this guide for sure. Thanks for taking the time to make it.

  • @stiibunyozomita3536 3 years ago

    Great video as always Chris. 👍
    Maybe an idea for another video. You have two Pi’s running Pihole, and I suspect you keep them in sync so that you only need to change things or black-/whitelist sites on one device and it syncs to the other automatically.
    Can’t remember if you ever mentioned in one of your videos how you keep those Pi’s in sync.

  • @loobster4980 3 years ago

    Great as always Chris. Got up to v6.1.71 ready for the U6 devices!

  • @jutsco 3 years ago

    This tutorial is great. Just a small tip with FW rules. When you take those in use, add sudo ufw reset temporarily to the crontab or with the "at" command. Then you are on the safe side if the rules don't work and you don't have to go under the hood via console to fix the problem.

  • @MrGUYSTYLAZ 3 years ago +1

    Fantastic guide, thanks Chris!

  • @olafcreed4726 3 years ago

    I wish there was a guide for a local controller controlling multiple sites.

  • @killerskincanoe 3 years ago

    Any guides for updating your self hosted controller?

  • @roblucas1769 3 years ago

    Great video (as always). Question, looking at deploying this cloud solution in the UK for multiple small home users, but how many sites (or customers) can you host on the one controller? Loving the work keep it up.

  • @OleSchmitto 3 years ago

    Great guide.... I already have a Google UniFi controller, but changed to using a local controller on 3 x networks with UDM-pro, UDM and Cloudkey 2. Would it make sense to move those 3 networks to the centralized controller rather than using the local controller included in the mentioned devices?

    • @OleSchmitto 3 years ago

      Forgot to mention I'm running Protect on the UDM-Pro and Cloud Key, but I assume I can keep this running by itself locally on each network, if the cloud controller makes sense

  • @tornadotj2059 3 years ago

    Looks like you got your paint from David over on 8 Bit Guy. :)

  • @jaredgunn9636 3 years ago

    So those who followed the old guide... how can we transition our existing installation to Ubuntu 20.04? I'm guessing I can just run a command to update ubuntu itself

    • @seanwoods1526 3 years ago

      Make a backup of your config then look at the following ubuntu.com/blog/how-to-upgrade-from-ubuntu-18-04-lts-to-20-04-lts-today

  • @torbjrnfjeld1799 3 years ago

    Great stuff! Thank you for yet again a helpful video! Enjoy some beers... 😉

  • @randomicon918 3 years ago

    This is the best walkthrough yet! Thanks so much. I've tried to get through a setup in linux previously and got completely lost. But behold, it's running now! Thanks!

  • @timramich 3 years ago

    Right clicking pastes in putty

  • @LaneLarson 3 years ago

    Thank you for the write up and video! I've been needing to improve my practices for a while now. This is just what I needed.

  • @RETRO-CONSOLE-GAMER
    @RETRO-CONSOLE-GAMER 3 years ago

    Well put Chris, fully agree.

  • @SimonLally1975
    @SimonLally1975 3 years ago

    Thank you very helpful.
    Keep up the great step-by-step guides ;)

  • @AllenSchuenke1993
    @AllenSchuenke1993 3 years ago

    I like what you did to the wall with the circuit

  • @scockman
    @scockman 3 years ago

    Awesome Chris! Always a pleasure checking out your videos. I will go through the guide and put it on my new Proxmox server and free up the Pi that it is currently on for another project. Like the circuit lines on the wall behind you. Is it painted or are you using some sort of tape for the lines?

  • @metsys1
    @metsys1 3 years ago

    Installation started at 32:41

  • @timramich
    @timramich 3 years ago

    Hehe sudu

  • @n5eg
    @n5eg 3 years ago

    While I don't have any UniFi equipment, this is still a great guide for bringing up a cloud host and hardening it.
    Just curious, how does one tell the hosted UniFi controller to look on your home LAN for devices?

    • @CrosstalkSolutions
      @CrosstalkSolutions 3 years ago +2

      If you set up DHCP Option 43 on your LAN, it will tell your UniFi devices where to check for the controller. Or, you can SSH in and manually tell them where to 'inform.'

    • @Klementoso
      @Klementoso 3 years ago

      @@CrosstalkSolutions in EdgeOS there’s even a UniFi controller field in DHCP-server setup (of course this is indeed option 43 under the hood).
      If you have a USG, devices will also automatically be discovered.

  • @acassels24
    @acassels24 3 years ago

    Great guide. For step 11 is there an option to enter a FQDN rather than an IP address? I ask because I don't have a fixed IP address at home and don't want to get locked out when my ISP updates my IP address

    • @CrosstalkSolutions
      @CrosstalkSolutions 3 years ago +1

      Good question - I don't *think* so...last I checked the ufw rules could only be IP.

    • @Klementoso
      @Klementoso 3 years ago

      I get around this by a small script and Cloudflare DDNS. DDNS updates Cloudflare records from my EdgeRouter. On my controller there’s a script that checks 1.1.1.1 for changes to the DDNS domain every 5 minutes. If a change is detected it updates UFW. Since Cloudflare makes changes to records instantly available on their public DNS-servers it will almost always work.
      Have used it for over a year and I’m always able to access my controller, even through multiple IP changes.
      You can also set up a Pritunl server in DO or VULTR and whitelist the static IP you get with your VM. I use this method for remote management of EdgeRouters, because I haven’t found a simple way to do the same trick I do on my controller with the DDNS thingy.
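
The DDNS-to-UFW check described in the reply above, sketched as an added example: it is not the commenter's script and not part of the video's guide. The hostname, management port and state-file path are placeholders, and the resolved address is validated before it is ever passed to `ufw`.

```shell
#!/bin/sh
# Added example: keep one UFW allow rule in step with a DDNS hostname.
# DDNS_HOST, MGMT_PORT and STATE_FILE are placeholders, not values from the page.
DDNS_HOST="${DDNS_HOST:-home.example.com}"
MGMT_PORT="${MGMT_PORT:-2222}"
STATE_FILE="${STATE_FILE:-/var/lib/ufw-ddns/current_ip}"
UFW="${UFW:-ufw}"   # overridable so the logic can be exercised without root

# Accept exactly one dotted quad, octets 0-255, no leading zeros. Anything else
# (empty answer, CNAME text, several lines) must never reach the firewall.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _saved_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_saved_ifs
  [ "$#" -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in 0?*|????*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
}

# Query Cloudflare's resolver directly; keep the first address-looking line.
resolve_ip() {
  dig +short A "$1" @1.1.1.1 | grep -E '^[0-9.]+$' | head -n 1
}

# sync_rule NEW_IP -> 0 rule changed, 1 unchanged, 2 invalid input (old rule
# kept), 3 ufw refused the new rule. The new rule is added before the old one
# is deleted, so a failed run never leaves the port without an allow rule.
sync_rule() {
  _new="$1"; _old=""
  valid_ipv4 "$_new" || return 2
  [ -f "$STATE_FILE" ] && _old="$(cat "$STATE_FILE")"
  [ "$_new" = "$_old" ] && return 1
  $UFW allow from "$_new" to any port "$MGMT_PORT" proto tcp || return 3
  if valid_ipv4 "$_old"; then
    $UFW delete allow from "$_old" to any port "$MGMT_PORT" proto tcp
  fi
  mkdir -p "$(dirname "$STATE_FILE")"
  printf '%s\n' "$_new" > "$STATE_FILE"
}

# Cron entry (every 5 minutes): */5 * * * * root /usr/local/sbin/ufw-ddns.sh --run
if [ "${1:-}" = "--run" ]; then
  sync_rule "$(resolve_ip "$DDNS_HOST")"
fi
```

A failed or empty DNS answer returns code 2 and leaves the existing rule and state file untouched, so a resolver outage does not lock the admin out or open the port to a bogus address.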

  • @MirkWoot
    @MirkWoot 3 years ago

    Thanks for sharing. It would be nearly impossible to remember all this. This is something I really want to try out, having a single hosted UniFi with multiple sites. Now just need to find a video on how to add devices... also, I am curious if I need a USG on each physical site to make it work?

    • @CrosstalkSolutions
      @CrosstalkSolutions 3 years ago +1

      No you do not need a USG at all for this - you can use whatever firewall you want, and the hosted controller will still work the same. (Minus the fact that you won't have access to any of the firewall features such as DPI and IDS).

    • @MirkWoot
      @MirkWoot 3 years ago

      @@CrosstalkSolutions Great :). Got it all up and running following the guide 👍, devices adopted and all. I run pfSense in front, indeed no problem. I would like to try to have the full setup sometime with USG + switches, to have the full experience.
      I worried about locking myself out of SSH even though I have a permanent WAN IP, but I see Vultr of course gives you console access, so will go lock that down.
      Now I can go retire a controller on a site :).

  • @bizzfo
    @bizzfo 3 years ago

    Ahh! Java!

  • @crizz6397
    @crizz6397 3 years ago

    Wow that was a lot of information

  • @justsomeguy9952
    @justsomeguy9952 3 years ago

    bruh use MobaXterm. Good video though

    • @112Haribo
      @112Haribo 3 years ago

      bruh use Microsoft Terminal, with a Ubuntu 20.04 distro from the Microsoft Store, running on WSL2.

  • @justintemp
    @justintemp 3 years ago

    Nice!

  • @JuanLopez-db4cc
    @JuanLopez-db4cc 3 years ago

    Thanks a bunch!

  • @mrxmry3264
    @mrxmry3264 3 years ago

    why use a controller in the cloud instead of a cloudkey?

    • @remixedMind
      @remixedMind 3 years ago +2

      why use cloud key instead of raspberry pi

    • @Wahinies
      @Wahinies 3 years ago

      @@remixedMind my only reason is not having to deal with JRE :D

    • @remixedMind
      @remixedMind 3 years ago

      @@Wahinies but you deal with the firmware, ubnt blocked multi-site on the Cloud Key and forces you to use a cloud account; I don't have that problem on the Pi

    • @mrxmry3264
      @mrxmry3264 3 years ago

      @@remixedMind
      because i need my pi for other things.

    • @remixedMind
      @remixedMind 3 years ago

      @@mrxmry3264 get another one, I have a Supermicro Proxmox server and various Pis; for my needs it's working great

  • @husbeard
    @husbeard 3 years ago +2

    Well, I haven't ever set up my own FQDN, so this guide is not definitive for me. Anyone have a link on how to do that? I mean, I can go GoDaddy and buy one, and potentially set it up, but I don't know the best way (or cheapest).

    • @6toeNL
      @6toeNL 3 years ago +1

      Just buy a domain as cheap as you can and point an A or AAAA record of a subdomain to either your IPv4 or IPv6 address

    • @husbeard
      @husbeard 3 years ago

      @@6toeNL to my home IP address? I can update that when it changes (infrequently).

    • @6toeNL
      @6toeNL 3 years ago

      @@husbeard yep! And yes you can change that once your IP changes. Or you create a dyndns domain and you forward your own domain via a CNAME record to your dyndns. Then you don’t have to change your DNS records when your IP changes