
How to Install and Configure Unifi Controller on DigitalOcean

Summary

This guide assumes that a droplet has already been created on DigitalOcean for the Unifi Controller. It's also assumed that Ubuntu is installed and up to date. The guide will begin having already used SSH to log into the droplet.

Create New User

Most Linux machines start out with root as the only login account. The first line of defense is to create a separate login account with the same privileges and then disable root logins over SSH.

Start by creating a new user – for simplicity, for this exercise, our username will be ‘unifiadmin’:

adduser unifiadmin

This command will have you set a password for the new user, and you can also optionally enter some additional information such as their real name and contact info.

Next, give the newly created user root (sudo group) privileges:

usermod -aG sudo unifiadmin

This new user will now be able to use the ‘sudo’ command to run commands as root.

At this point, we have created our new user, but we haven’t yet disabled root – we will do that in a moment. First, we will enable private key authentication as a second line of defense.

Modify SSH Settings

The next step is to modify the SSH settings so that we will both disable root user access and password authentication. Start by editing the SSH configuration file:

nano -w /etc/ssh/sshd_config

Now scroll down until you find the line that says:

PermitRootLogin yes

And change ‘yes’ to ‘no’:

PermitRootLogin no

This disables root user login. Next scroll down further and find:

PasswordAuthentication yes

And again change ‘yes’ to ‘no’:

PasswordAuthentication no

This disables password based authentication. (Private key authentication should already be enabled by default – you can verify this by ensuring that PubkeyAuthentication is set to ‘yes’ in the SSH config file).

Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.

Danger

This next command commits these changes. If you lose connectivity because you made any mistakes, you should just destroy the Vultr server and start over. ALSO – keep this original PuTTY session open as you go through the next few steps. Even after we restart SSH, this session will still be connected, so if you can’t connect in with the private key, you still have the opportunity to make changes.
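The following shell functions are an added check, not part of the original guide: they read an sshd_config the way this section leaves it and confirm that the admin user has a public key installed, so the reload below cannot lock everyone out. The config path, user name and home directory are arguments; unifiadmin is just the name used earlier.

```shell
# Added check (not part of the original guide): confirm sshd_config is hardened
# the way this section describes and that the admin user has a key installed,
# so reloading sshd cannot lock everyone out. Run it before the reload:
#   check_sshd_hardening /etc/ssh/sshd_config unifiadmin
# (Also run "sudo sshd -t" to let sshd parse the file itself.)

# Print the value of an sshd directive. sshd uses the first active occurrence
# of a directive, so the first uncommented match wins; commented lines have
# "#" as their first field and never match.
sshd_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

check_sshd_hardening() {
    cfg="$1"; admin="$2"; home="${3:-/home/$admin}"; rc=0

    v=$(sshd_directive "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "FAIL: PermitRootLogin is '${v:-unset}', expected no"; rc=1; }

    v=$(sshd_directive "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "FAIL: PasswordAuthentication is '${v:-unset}', expected no"; rc=1; }

    # PubkeyAuthentication defaults to yes when the directive is absent or commented
    v=$(sshd_directive "$cfg" PubkeyAuthentication)
    [ -z "$v" ] || [ "$v" = "yes" ] || { echo "FAIL: PubkeyAuthentication is '$v', expected yes"; rc=1; }

    # With root and password logins both off, a missing key means no way back in
    keys="$home/.ssh/authorized_keys"
    if [ -s "$keys" ] && grep -Eq '^(ssh-|ecdsa-|sk-)' "$keys"; then
        :
    else
        echo "FAIL: no public key in $keys for $admin"; rc=1
    fi
    return $rc
}
```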

Restart SSH with:

sudo systemctl reload sshd

Now that we can log in with our secure key, let’s take our SSH security even further by changing the default SSH port from 22 to something non-standard.

Edit the SSH config file again with:

sudo nano -w /etc/ssh/sshd_config

Find the line that says:

Port 22

And change it to:

Port [different port number]

You can use any port number for your SSH connection, but I typically use port 2222 when I change to something non-standard. Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit Nano.

Restart SSH again with:

sudo systemctl reload sshd

Enable UFW Firewall

At this point, we have now secured our SSH connection pretty well. Now, let’s secure our server even more by using some firewall rules to lock everything down.

Ubuntu ships with the UFW firewall, but it is not enabled by default. First, we are going to add all of the firewall rules that we need to connect to UniFi, and then we will turn it on.

First, let’s allow our new SSH port and lock it down so that connections to this port are only allowed from our IP address:

sudo ufw allow from [IP address] to any port [SSH port number]

In this example, if your IP address is 1.2.3.4, and your SSH port is 2222, the command should be:

sudo ufw allow from 1.2.3.4 to any port 2222

Next, let’s open up access to the UniFi GUI. Important note here – you don’t actually HAVE to open up this port to the outside world if you are instead using Ubiquiti’s Single Sign On (SSO) account to access your UniFi Controller through https://unifi.ubnt.com. BUT – you will have to use this port at least once to enable cloud access in UniFi. You can either wait to do your firewall rules until after cloud access has been enabled, or you can disable this rule afterwards.

sudo ufw allow from 1.2.3.4 to any port 8443

Next, there are a couple of ports that we need open to the whole wide world. These are the STUN port and the UniFi inform port:

sudo ufw allow 3478/udp
sudo ufw allow 8080

Note that the STUN port running on 3478 is UDP.

If you are going to be using a guest portal with UniFi, you will also want to open these ports:

sudo ufw allow 8880
sudo ufw allow 8843

We’re also going to need to open up ports 80 and 443 for Let’s Encrypt. If anyone browses directly to those services, they will get a connection refused response.

sudo ufw allow 80
sudo ufw allow 443

At this point, we will now turn on our UFW firewall and take a look at the rules that we created.

sudo ufw enable

When prompted whether or not to proceed, choose yes.

Let’s take a look at our rules:

sudo ufw status

You should see something similar to this (note that I did not add the ports for guest portal access in my example):

[Screenshot: output of sudo ufw status]

The firewall is now running, and if you test your PuTTY connection again, you should still be able to connect. But – if you test connecting in on the standard SSH port 22, you will not be able to connect.
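As an added check that is not part of the original guide, these shell functions read saved output of sudo ufw status and confirm it matches the rule set built above: SSH and 8443 reachable only from the admin IP, the STUN, inform and Let’s Encrypt ports open, and nothing left allowed on port 22. The status file path, admin IP and SSH port are arguments.

```shell
# Added check (not part of the original guide): compare saved "ufw status"
# output with the rule set built in this section. Usage:
#   sudo ufw status > /tmp/ufw.txt
#   check_ufw_rules /tmp/ufw.txt 1.2.3.4 2222      # admin IP, SSH port

# True if the status file has an ALLOW rule with To=$2 and From=$3.
# Rows look like "2222   ALLOW   1.2.3.4"; "ufw status verbose" prints
# "ALLOW IN" instead, and IPv6 rows carry a "(v6)" suffix that skips them.
ufw_has_rule() {
    awk -v to="$2" -v from="$3" '
        $1 == to && $2 == "ALLOW" {
            f = ($3 == "IN") ? $4 : $3
            if (f == from) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

check_ufw_rules() {
    status="$1"; admin_ip="$2"; ssh_port="$3"; rc=0

    grep -q '^Status: active' "$status" || { echo "FAIL: firewall is not active"; rc=1; }

    # Admin-only ports: the admin-IP rule must exist, and no second rule may
    # open the same port to Anywhere, which would silently undo the restriction
    for p in "$ssh_port" 8443; do
        ufw_has_rule "$status" "$p" "$admin_ip" || { echo "FAIL: $p not allowed from $admin_ip"; rc=1; }
        if ufw_has_rule "$status" "$p" Anywhere; then echo "FAIL: $p is open to Anywhere"; rc=1; fi
    done

    # World-open ports: STUN (UDP), the inform port, and 80/443 for Let's Encrypt
    for p in 3478/udp 8080 80 443; do
        ufw_has_rule "$status" "$p" Anywhere || { echo "FAIL: $p is not open"; rc=1; }
    done

    # The default SSH port must not be allowed from anyone once it has been moved
    if awk '($1 == "22" || $1 == "22/tcp") && $2 == "ALLOW" { f = 1 } END { exit f ? 0 : 1 }' "$status"; then
        echo "FAIL: port 22 is still allowed"; rc=1
    fi
    return $rc
}
```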

Update Server

Now that access to the server is secured, let’s run our system updates.

sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y

It’s possible that no updates will be needed, but if you are asked whether or not to proceed on any of these steps, just answer Y.

Once the updates are done, let’s give the server a reboot:

sudo reboot

The server should only take about 2 minutes to reboot, and then you can reconnect.

Install Java 8

Install OpenJDK-8

sudo apt update
sudo apt install openjdk-8-jdk -y

That’s it (actually, this install is much easier than the Oracle one, and still works great).

Install Unifi

Finally, we’re going to install UniFi. There are a few different ways to download and install UniFi, but for me, the easiest way to install and maintain the UniFi package is to use apt, so that is what we will do in our example.

First, we need to add an apt source for UniFi. To do this, run the following commands:

echo 'deb http://www.ubnt.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ubnt.com/unifi/unifi-repo.gpg

These commands set up the apt repository for UniFi and install the trusted GPG key. Now let’s install UniFi:

sudo apt-get update
sudo apt-get install unifi -y

You should now have installed the latest stable version of UniFi.

Migrate Existing Unifi Controller to DigitalOcean

The menu locations below may differ in newer versions of the UniFi Controller, but the procedure should still apply, at least at the time of this writing.

Backup the configuration on the source UniFi Controller by navigating to the Settings, Maintenance, Backup and clicking the Download Backup button.


This process will create a file with a UNF extension. Copy this file to the target controller software that was just installed.

Create a new site on the new controller that is named the same as the old site (if one was used) by clicking the Current Site drop-down menu and selecting Add New Site.


Once the new site has been created, the backup can be restored. Ensure that the correct site is selected in the Current Site drop-down menu in the upper right-hand corner of the web page. Navigate to Settings, Maintenance, Restore and click the Choose File button. Browse to the backup transferred from the source controller and follow the prompts to restore the configuration.


Once the controller has been restored the configurations for the Wireless Networks and the inventory of devices will be configured in the new UniFi Controller software. The access points that are connected to the same network should automatically re-associate to the new controller software “auto-magically.”


If the access points are on a different network you may need to log in to them using ssh and manually re-associate them to the new controller. The device authentication credentials can be found by navigating to Settings, Site, Device Authentication.


Use ssh to remotely connect to the access points using the Device Authentication credentials to log on. Issue the set-inform command using the following syntax:

set-inform http://droplet-ip-address:8080/inform

Understand that you may need to issue the command multiple times to complete the re-association. Once complete you will see the remaining inventory now reports to the new UniFi Controller.


NOTE: The existing controller will need to be shut down BEFORE applying the set-inform command. If not, the devices will continue to look for the existing controller instead of the new controller.

References

https://crosstalksolutions.com/definitive-guide-to-hosted-unifi/

https://www.sikich.com/insight/migrate-ubiquiti-unifi-controller-to-a-new-server/