@jasco
Last active February 17, 2024 20:47
ARM64 Raspberry Pi 4 Unifi Controller Setup

Background

The instructions for setting up the Unifi Controller on ARM do not cover ARM64. The documentation states that ARM64 is not supported but hints that it can be set up manually. The documentation also states that Java 8 is currently required. The following is therefore clearly in unsupported territory but so far seems to work fine. The internet has numerous references and resources but they weren't all easy to find and the ones I read required some modification for my configuration.

Note for the future: double check versions and source documentation if these instructions are dated. Also, these instructions are specifically tailored for Ubuntu. See original references for other platforms.

Last update March 25, 2021

Base configuration

Raspberry Pi 4B / 4GB Ubuntu 20.04 Server

Installed into lxc

lxd init
lxc launch ubuntu:20.04 unifi
lxc exec unifi -- sudo --login --user ubuntu
sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install rng-tools

Edit /etc/default/rng-tools and uncomment HRNGDEVICE=/dev/hwrng. This allows use of the hardware entropy source to improve performance.

sudo reboot

Configure apt Unifi for ARM64

At the time of this writing Ubiquiti does not publish an ARM64 deb package. According to Leif Lindholm's blog the armhf package works on arm64. While the blog describes manual installation, we can configure apt to pull the alternative architecture and get the benefit of apt updates.

By default the Unifi Controller requires Java 8. However, among other limitations, Java 8 does not support TLS 1.3. Rather than installing Java 8 manually here to get immediate functionality, we will adapt to a newer Java release in the next section.

Note the important change to the standard instructions: the preferred architectures are added to the apt sources specification. This also deviates from the standard instructions by allowing the apt dependencies to install the currently packaged Java. At the time of this writing this resulted in OpenJDK 14.0.2 and MongoDB 3.6.9.

sudo apt-get update && sudo apt-get install ca-certificates apt-transport-https
echo 'deb [arch=arm64,armhf] https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg 
sudo apt-get update && sudo apt-get install unifi -y

Configuring Unifi Controller for Java 14 and TLS 1.3

Unifi Controller expects Java 8. Thanks to benc's blog for showing how to get running with a more recent version of Java. The following was adapted for Java 14. Note that I am not sure whether an apt update will overwrite the modified service script. Keep an eye out for that.

echo 'JAVA_HOME="$( readlink -f "$( which java )" | sed "s:bin/.*$::" )"' | sudo tee /etc/default/unifi
sudo ln -s /usr/lib/jvm/java-14-openjdk-arm64/lib/ /usr/lib/jvm/java-14-openjdk-arm64/lib/aarch64

Modify /etc/init.d/unifi in two places for Java 14. (TODO: Does the modification of the service script obviate the need to define JAVA_HOME in /etc/default/unifi? Also note the blog did not indicate this was required, but it was added based on inspection without testing in its absence.)

sudo vi /etc/init.d/unifi
:%s/support_java_ver='8'/support_java_ver='14'/
:%s#JAVA_HOME=/usr/lib/jvm/java-8-openjdk-${arch}#JAVA_HOME=/usr/lib/jvm/java-14-openjdk-${arch}#

Edit /var/lib/unifi/system.properties to append the following to the file. Note the file is not visible to non-root users so do not expect autocomplete for the filename to work.

sudo vi /var/lib/unifi/system.properties
unifi.https.ciphers=TLS_AES_256_GCM_SHA384
unifi.https.sslEnabledProtocols=TLSv1.3

Start the service and verify connectivity

sudo service unifi start
sudo service unifi status

Note the service may be slow to start. Verify the connection with curl -v -L -k https://localhost:8443
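An added check, not part of the original gist: the script below audits a system.properties file for the two TLS settings above. It assumes plain key=value lines with the last assignment of a key taking effect (relevant because the settings are appended); the function names, finding labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the TLS settings in a UniFi system.properties file.
# Assumes plain key=value lines and that the last assignment of a key wins.

# Effective value of key $1 in file $2.
prop() {
    awk -v k="$1" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$2"
}

# Print one finding per line; no output means the settings are consistent.
audit_tls() {
    protos=$(prop unifi.https.sslEnabledProtocols "$1")
    ciphers=$(prop unifi.https.ciphers "$1")
    [ -n "$protos" ] || { echo "protocols-not-set"; return 0; }
    pre13=0
    for p in $(echo "$protos" | tr ',' ' '); do
        case "$p" in
            TLSv1.3) ;;
            TLSv1.2) pre13=1 ;;
            *) pre13=1; echo "deprecated-protocol $p" ;;
        esac
    done
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) cannot serve older protocols.
    only13=1
    for c in $(echo "$ciphers" | tr ',' ' '); do
        case "$c" in
            TLS_AES_*|TLS_CHACHA20_*) ;;
            *) only13=0 ;;
        esac
    done
    if [ "$pre13" -eq 1 ] && [ -n "$ciphers" ] && [ "$only13" -eq 1 ]; then
        echo "no-cipher-for-pre-1.3-protocols"
    fi
}

# Constructed samples: "good" has an older protocol line overridden by the
# appended TLSv1.3 line; "bad" got the cipher line but kept old protocols.
SAMPLE_TLS=$(mktemp -d)
printf '%s\n' 'unifi.https.sslEnabledProtocols=TLSv1,TLSv1.2' \
    'unifi.https.ciphers=TLS_AES_256_GCM_SHA384' \
    'unifi.https.sslEnabledProtocols=TLSv1.3' > "$SAMPLE_TLS/good"
printf '%s\n' 'unifi.https.sslEnabledProtocols=TLSv1,TLSv1.2' \
    'unifi.https.ciphers=TLS_AES_256_GCM_SHA384' > "$SAMPLE_TLS/bad"
audit_tls "$SAMPLE_TLS/good"
audit_tls "$SAMPLE_TLS/bad"
```

On the real host the file is root-only, so run the audit as sudo sh against /var/lib/unifi/system.properties.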

Adding to entropy

From the unifi controller container

sudo apt-get install haveged

Once you have the package installed, you can simply edit the configuration file located in /etc/default/haveged, ensuring the following options are set (usually already the default options):

DAEMON_ARGS="-w 1024"

Finally, just make sure it's configured to start on boot:

# update-rc.d haveged defaults

Configure port forwarding

If running in lxc without default forwarding enabled, the following may be needed.

From within the container, note the container's IP with hostname -I. The following assumes the container IP is 10.0.0.2; replace it with the actual address.

TODO: why is prerouting required in addition to route forwarding. TODO: which unifi ports do I actually need?

Verify that port forwarding is enabled. In my install it seems like it was enabled and that some iptables rules were already present for lxc forwarding. Perhaps it was configured by lxc init.

All of the following is from the host.

$ sudo sysctl net.ipv4.ip_forward

If the output is not net.ipv4.ip_forward = 1, then add net.ipv4.ip_forward=1 to /etc/ufw/sysctl.conf.

The following assumes ufw is in use and that ufw status shows it is not yet enabled.

sudo ufw allow OpenSSH

# STUN port required
sudo ufw route allow in on eth0 to 10.0.0.2 port 3478 proto udp

# INFORM port required
sudo ufw route allow in on eth0 to 10.0.0.2 port 8080 proto tcp

# Allow L2 Controller Discoverability (SSDP) -- opt
sudo ufw route allow in on eth0 to 10.0.0.2 port 1900 proto udp

# Device discovery -- opt. Purpose?
sudo ufw route allow in on eth0 to 10.0.0.2 port 10001 proto udp

# Web console -- opt. Alternatives include ssh port forwarding
sudo ufw route allow in on eth0 to 10.0.0.2 port 8443 proto tcp

Modify ufw before.rules. (Why isn't route sufficient?)

sudo vi /etc/ufw/before.rules

Add the following at the end of the file, after the COMMIT for the *filter section. Note that a prominent Stack Overflow answer says before, but the UFW documentation clearly says after.

*nat
:PREROUTING ACCEPT [0:0]
# required
-A PREROUTING -p udp -i eth0 --dport 3478 -j DNAT --to-destination 10.0.0.2:3478
-A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.0.0.2:8080
# install dependent
-A PREROUTING -p tcp -i eth0 --dport 8443 -j DNAT --to-destination 10.0.0.2:8443
-A PREROUTING -p udp -i eth0 --dport 10001 -j DNAT --to-destination 10.0.0.2:10001
COMMIT

Verify that the forwarding is working by making sure a connection is possible. (Not currently testing the udp ports.)

curl -v http://unifi.host.ip:8080/inform
curl -k -L -v https://unifi.host.ip:8443
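An added example, not part of the original gist: a port that is allowed with ufw route but forwarded under a different number (or the reverse) fails silently, and the udp ports are not covered by the curl checks, so this script cross-checks the two rule sets. It assumes the ufw commands are kept in a script file; the function names, finding labels and sample rules are constructed.

```shell
#!/bin/sh
# Added example. Cross-checks `ufw route allow` commands against the DNAT
# rules of a before.rules *nat block. Sample data is constructed.

# Print sorted "proto/port" pairs from lines of file $4 matching regex $1;
# $2 and $3 are the tokens that precede the protocol and the port.
pairs() {
    awk -v pat="$1" -v pk="$2" -v dk="$3" '$0 ~ pat {
        proto = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == pk) proto = $(i + 1)
            if ($i == dk) port = $(i + 1)
        }
        if (proto != "" && port != "") print proto "/" port
    }' "$4" | LC_ALL=C sort -u
}

# $1: file of ufw commands, $2: before.rules. Prints one finding per line.
check_forwarding() {
    tmp=$(mktemp -d)
    pairs '^(sudo )?ufw route allow' proto port "$1" > "$tmp/allow"
    pairs '^-A PREROUTING .*-j DNAT' -p --dport "$2" > "$tmp/dnat"
    LC_ALL=C comm -23 "$tmp/allow" "$tmp/dnat" | sed 's/^/allowed-not-forwarded /'
    LC_ALL=C comm -13 "$tmp/allow" "$tmp/dnat" | sed 's/^/forwarded-not-allowed /'
    grep -e '-j DNAT' "$2" | sort | uniq -d | sed 's/^/duplicate-rule /'
    rm -rf "$tmp"
}

# Constructed sample: STUN allowed on 3748 but forwarded on 3478, and the
# 8080 DNAT rule listed twice.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/ufw.sh" <<'EOF'
sudo ufw route allow in on eth0 to 10.0.0.2 port 3748 proto udp
sudo ufw route allow in on eth0 to 10.0.0.2 port 8080 proto tcp
EOF
cat > "$SAMPLE/before.rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -i eth0 --dport 3478 -j DNAT --to-destination 10.0.0.2:3478
-A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 10.0.0.2:8080
COMMIT
EOF
check_forwarding "$SAMPLE/ufw.sh" "$SAMPLE/before.rules"
```

An allowed-not-forwarded finding is something to review rather than always an error, since a port can be allowed for routed traffic without needing a DNAT rule.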

Adoption

If the controller and access point are not on the same subnet or otherwise configured to allow L2 discoverability, the AP might need some help becoming discoverable. After a device reset, ssh to the access point and set the inform host. Replace your.unifi.controller with a DNS-resolvable name or IP address for the unifi controller host.

ssh [email protected] "set-inform http://your.unifi.controller:8080/inform"

Optionally set up certificates

There are various good references for configuring certificates, but it is not currently covered here.

Troubleshooting

The default install with Java 8 resulted in a SSL_ERROR_NO_CYPHER_OVERLAP error because the ciphers are old (sslv3, tlsv1) and deprecated.

References

@abhayap

abhayap commented May 3, 2022

Thanks for the writeup @jasco. My setup is failing at this line sudo apt-get update && sudo apt-get install unifi -y. It says that it can't install MongoDB. Do you have any advice?

The following packages have unmet dependencies:
 unifi : Depends: mongodb-server (>= 2.4.10) but it is not installable or
                  mongodb-10gen (>= 2.4.14) but it is not installable or
                  mongodb-org-server (>= 2.6.0) but it is not installable
         Depends: mongodb-server (< 1:4.0.0) but it is not installable or
                  mongodb-10gen (< 4.0.0) but it is not installable or
                  mongodb-org-server (< 4.0.0) but it is not installable
E: Unable to correct problems, you have held broken packages.

@jasco

jasco commented May 4, 2022

Is that a typo in the mongodb-server maximum version number? It looks like it should be 4.0.0. One idea might be to check if you could install a suitable version of mongodb manually and tell it to ignore that dependency or the dependency check.

@antwal

antwal commented May 23, 2022

Thanks for the writeup @jasco. My setup is failing at this line sudo apt-get update && sudo apt-get install unifi -y. It says that it can't install MongoDB. Do you have any advice?

The following packages have unmet dependencies:
 unifi : Depends: mongodb-server (>= 2.4.10) but it is not installable or
                  mongodb-10gen (>= 2.4.14) but it is not installable or
                  mongodb-org-server (>= 2.6.0) but it is not installable
         Depends: mongodb-server (< 1:4.0.0) but it is not installable or
                  mongodb-10gen (< 4.0.0) but it is not installable or
                  mongodb-org-server (< 4.0.0) but it is not installable
E: Unable to correct problems, you have held broken packages.

similar problem:

# apt-get install unifi
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 unifi : Depends: mongodb-server (< 1:4.0.0) but it is not installable or
                  mongodb-10gen (< 4.0.0) but it is not installable or
                  mongodb-org-server (< 4.0.0) but 4.2.20 is to be installed
E: Unable to correct problems, you have held broken packages.
