Unifi controller on OpenWRT (on a Pi4)

It turns out that it’s not too hard to get the Unifi Controller software to work on OpenWRT. “Not too hard” is a relative term, mind you. You can’t install it on the base OS, but since OpenWRT provides LXC in the form of “lxc v1”, a container can be set up running something like Debian (an officially supported distro for the controller package). An alternative would be Docker, either building your own Docker image or using one provided by LinuxServer. After trying the Docker route and failing to get the networking to work in the way I wanted, I switched to LXC.

Basic setup was:

  • Via LuCI, I installed the luci-app-lxc package and a few other lxc-* tools (like lxc-destroy)
  • No network changes were needed
  • Mounted a USB stick on /srv/lxc, formatted ext4
  • Used the UI to create a new LXC container from Debian Buster
  • Edited the config file to enable veth networking, and mapped the veth network to br-lan
  • Booted the container, installed wget
  • Used the latest script from AmazedMender16 to do the controller installation. Args were --skip-swap --local-controller --own-certificate (didn’t want to deal with LetsEncrypt for a local-only UI)

Container config:

lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.rootfs.path = dir:/srv/lxc/unifi/rootfs
lxc.uts.name = unifi

# Network configuration
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br-lan
lxc.net.0.flags = up

The benefit of the veth configuration is that I can access the container from the LAN without issue; it’s bridged onto the OpenWRT br-lan interface, ensuring it’s protected by the firewall etcetera. I also get full IPv4 and IPv6 connectivity, DHCPing from the OpenWRT installation automatically. With Docker, I was bashing my head against host vs bridge networking and routing, and couldn’t get macvlan to behave at all.
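
An added example, not part of the original post: a small POSIX shell check that reads the lxc.net.* keys from a container config and confirms, before the container is booted, that each veth interface is attached to the expected bridge and brought up. The names check_lxc_net and sample_config and the status words are made up for this illustration; the sample input is the network section of the config above.

```shell
#!/bin/sh
# Added example (not from the original post): lint lxc.net.N.* keys before boot.
# Usage: check_lxc_net <config-file|-> [expected-bridge]
# Prints one line per interface; returns 1 if a veth interface has no bridge,
# sits on a bridge other than the expected one, or is not brought up.
check_lxc_net() {
    awk -v want="${2:-}" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }            # trim the line
        /^#/ || !/=/ { next }                      # skip comments and blanks
        /^lxc\.net\.[0-9]+\./ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", v)
            split(key, k, ".")                     # k[3] = index, k[4] = field
            idx = k[3] + 0
            seen[idx] = 1; val[idx, k[4]] = v
            if (idx > max) max = idx
        }
        END {
            bad = 0; n = 0
            for (i = 0; i <= max; i++) {
                if (!(i in seen)) continue
                n++
                type = val[i, "type"]; link = val[i, "link"]; st = "ok"
                if (type == "veth") {
                    if (link == "")                      st = "no-bridge"
                    else if (want != "" && link != want) st = "unexpected-bridge"
                    else if (val[i, "flags"] != "up")    st = "not-up"
                }
                if (st != "ok") bad = 1
                printf "net.%d type=%s link=%s %s\n", i, type, link, st
            }
            if (n == 0) { print "no lxc.net.* keys found"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the network section of the container config shown above.
sample_config() {
    cat <<'EOF'
# Network configuration
lxc.net.0.type = veth
lxc.net.0.name = eth0
lxc.net.0.link = br-lan
lxc.net.0.flags = up
EOF
}

sample_config | check_lxc_net - br-lan
```

On the router itself the first argument would be the container's config file rather than "-".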

Once the script was finished, it was a simple matter of setting up the controller software (local username/password only please), factory resetting the APs (because they were owned/managed by an installation of the controller that I don’t have any more), and putting back my wireless configuration (which is basically defaults). Were I to use the “login with cloud account” option, then the reset business wouldn’t be needed, but I don’t need that functionality.