How to Install Ubiquiti Unifi Controller on Ubuntu 20.04

I have a scenario where an existing Unifi controller has been running on a Windows server. In which case, it’s important to locate the backup files at this common location: C:\Users\USERNAME\Ubiquiti UniFi\data\backup

On Ubuntu or Debian systems, backup files are normally found at: /usr/lib/unifi/data/backup/autobackup/ and /usr/lib/unifi/data/backup/

Here are some quick notes of my current understanding:

# Useful links:
https://unifi.ui.com/
https://network.unifi.ui.com/
https://www.ui.com/download/unifi/
https://help.ui.com/hc/en-us/articles/204952144-UniFi-How-can-I-restore-a-backup-configuration-
https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776

How to Install Ubiquiti Unifi Controller:
# Scripted install of Unifi Server App on Ubuntu - recommended!
apt-get update; apt-get install ca-certificates wget -y
rm unifi-latest.sh &> /dev/null; wget https://get.glennr.nl/unifi/install/install_latest/unifi-latest.sh && bash unifi-latest.sh

# Enable automatic startup of Unifi controller service
sudo systemctl enable unifi

# For reference: how to disable auto-start
# sudo systemctl disable unifi

# Check if it's now auto-started upon reboots
systemctl is-enabled unifi
systemctl is-active unifi

# Manual install of Unifi Server App on Ubuntu - not 100% reliable
sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https
echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg 
sudo apt-get update
sudo apt-get update && sudo apt-get install unifi -y
sudo service unifi start

# Change default port 8443 to 443
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443 # How to remove a firewall NAT rule

# Deal with port 80
#sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 # In case of reversal

### Save configs with persistency upon reboots ###

# Install iptables persistence
sudo apt-get install iptables-persistent -y

# How to manually call iptables-persistent app
# sudo dpkg-reconfigure iptables-persistent

# Set iptables and persistence to autostart
sudo systemctl enable iptables
sudo systemctl enable netfilter-persistent

# Check firewall rules
iptables -L -n

# If not using ufw to add set firewall rules, iptables can be edited directly with these commands
# It's advisable to use ufw as that is easier to admin
# Note that -I appends rule at the start of chain, whereas -A attaches it at the end
sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT # Prevent issue with devices showing "Disconnected" after controller reboots
sudo iptables -I INPUT -p tcp --dport 8880 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 3478 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 10001 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 6666 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 47763 -j ACCEPT

# How to remove a rule
# sudo iptables -D INPUT -p tcp|udp --dport xxxx -j ACCEPT

# Save existing rules
# Dont do this: sudo /sbin/iptables-save > /etc/iptables/rules.v4
# ERROR: -bash: /etc/iptables/rules.v4: Permission denied
sudo sh -c "iptables-save > /etc/iptables/rules.v4"
sudo sh -c "ip6tables-save > /etc/iptables/rules.v6"

# Check status
rambo@Unifi-Controller:/home/rambo# systemctl status netfilter-persistent
● netfilter-persistent.service - netfilter persistent configuration
     Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/netfilter-persistent.service.d
             └─iptables.conf
     Active: failed (Result: exit-code) since Tue 2020-11-24 15:48:27 PST; 14min ago
       Docs: man:netfilter-persistent(8)
    Process: 494 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
   Main PID: 494 (code=exited, status=1/FAILURE)

Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[504]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables >
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25->
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[507]: Another app is currently holding the xtables lock. Perhaps you wan>
Nov 24 15:48:28 Unifi-Controller netfilter-persistent[502]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables >

# Fixing startup conflicts between iptables & netfilter-persistent
# sudo systemctl edit netfilter-persistent.service
vim /etc/systemd/system/netfilter-persistent.service.d/iptables.conf
### Verify this content ###
[Unit]
Conflicts=iptables.service ip6tables.service

### Modify content and save file ###
[Unit]
After=iptables.service ip6tables.service ufw.service

# Check firewall rules
sudo iptables -L
sudo ip6tables -L

# Optional: disable ufw as it may conflict with iptables-persistent / netfilter-persistent
sudo ufw disable

# Once done, Unifi controller is accessible at both of these URLs
# https://ip.of.your.server:8443
# https://ip.of.your.server
How to Upgrade Controller:
sudo apt upgrade # that's it!
How To Adopt New Access Points:

How to Migrate AP From One Controller to Another

Optional: Configuring Alternative Firewall
# Alternative method to allow traffic through the firewall
# Also, avoid this error: "WARN Unable to load properties from '/usr/lib/unifi/data/system.properties' - /usr/li>"
sudo ufw enable
sudo ufw allow 8443/tcp
sudo ufw allow 443/tcp
sudo ufw allow 8080/tcp # This will prevent issue of devices showing as 'disconnected' within Unifi Controller UI
sudo ufw allow 6789/tcp
sudo ufw allow 8880/tcp
sudo ufw allow 3478/udp
sudo ufw allow 10001/udp
sudo ufw allow 6666/udp
sudo ufw allow 47763/udp
sudo service unifi restart

# Check firewall rules
sudo ufw status

# How to remove a firewall rule using ufw
sudo delete allow 80/tcp

sudo vim /etc/sysctl.conf
#### Add these lines at the bottom ###
DEFAULT_FORWARD_POLICY="ACCEPT"
net.ipv4.ip_forward=1
#net/ipv6/conf/default/forwarding=1 # optional
#net/ipv6/conf/all/forwarding=1 # optional

# Reload sysctl
sudo sysctl -p

sudo vim /etc/ufw/before.rules
#### Add these lines at the bottom, before the COMMIT section ###
# Port forwarding section:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-F # flush rules before adding new ones
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443 # Needs to be followed by 'sudo ufw allow 443/tcp'
# setup routing
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
COMMIT

# Reload and set ufw to autostart
sudo service ufw restart
sudo ufw enable
Check port and service associations
rambo@Unifi-Controller:~$ sudo netstat -tulpn

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      56433/cupsd         
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      1078/pihole-FTL     
tcp        0      0 127.0.0.1:27117         0.0.0.0:*               LISTEN      1394/bin/mongod     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1020/lighttpd       
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1078/pihole-FTL     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd: /usr/sbin 
tcp6       0      0 ::1:631                 :::*                    LISTEN      56433/cupsd         
tcp6       0      0 :::8443                 :::*                    LISTEN      1280/java           
tcp6       0      0 :::6789                 :::*                    LISTEN      1280/java           
tcp6       0      0 ::1:4711                :::*                    LISTEN      1078/pihole-FTL     
tcp6       0      0 :::8843                 :::*                    LISTEN      1280/java           
tcp6       0      0 :::8880                 :::*                    LISTEN      1280/java           
tcp6       0      0 :::8080                 :::*                    LISTEN      1280/java           
tcp6       0      0 :::80                   :::*                    LISTEN      1020/lighttpd       
tcp6       0      0 :::53                   :::*                    LISTEN      1078/pihole-FTL     
tcp6       0      0 :::22                   :::*                    LISTEN      800/sshd: /usr/sbin 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           752/dhcpcd          
udp        0      0 0.0.0.0:631             0.0.0.0:*                           56434/cups-browsed  
udp        0      0 0.0.0.0:35959           0.0.0.0:*                           594/avahi-daemon: r 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           594/avahi-daemon: r 
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1078/pihole-FTL     
udp6       0      0 :::6666                 :::*                                1311/qlipper        
udp6       0      0 :::5353                 :::*                                594/avahi-daemon: r 
udp6       0      0 :::3478                 :::*                                1280/java           
udp6       0      0 10.10.10.10:38572   :::*                                1280/java           
udp6       0      0 :::10001                :::*                                1280/java           
udp6       0      0 :::53156                :::*                                594/avahi-daemon: r 
udp6       0      0 :::53                   :::*                                1078/pihole-FTL
Posted on Categories Linux

2 thoughts on “How to Install Ubiquiti Unifi Controller on Ubuntu 20.04”

Leave a Reply

Your email address will not be published. Required fields are marked *