X Marks the Spot

random commentary on life, the universe, and anything

Remote L3 adoption of UniFi Security Gateway (USG) by Cloud Key controller


I have an EdgeRouter 4 and dual WAN set up at our primary location with the WLAN managed by a Cloud Key gen 2. I needed to set up a Unifi Security Gateway at a secondary site for the usual reasons but wanted to use the primary site Cloud Key controller to manage the USG (vs having a second controller).

I started with the UniFi – Device Adoption guide which, in hindsight, was both generally informative and totally unhelpful. Almost anti-helpful in fact. Following the guide, I wound up setting up a ‘temporary’ controller on a laptop to do the basic config for the USG.

I was able to set up a site-to-site L2TP VPN between the EdgeRouter and the USG using the very clear EdgeRouter – Site-to-Site IPsec VPN to USG guide.


As a side note, easiest way to verify that the VPN is up using the Feature Wizard > VPN Status (https://edgerouterip/#Wizard/feature/VPN_status).

Although the VPN was up, the Cloud Key controller could not see the USG at all. The UniFi – Troubleshooting Device Adoption guide was generally informative and helped to identify the issue. The USG needs an “inform address” to phone home to in order to be adopted over the internet. Unfortunately, it pointed to the UniFi – Device Adoption Methods for Remote UniFi Controllers guide which was quite the waste of time. With the one exception of needing to set the inform URL on the USG – which you can’t do if you can’t connect to it remotely.

I found the solution in USG set-inform for dummies.

Here’s what worked for me:

Primary Site
  1. Set up dynamic DNS for my primary site WAN connection (as the WAN IP is assigned via DHCP). If you have a static address, create a DNS A record.
  2. Map TCP port 8080 at the EdgeRouter through to the Cloud Key inform port. (UniFi – Ports Used)
  3. Map UDP port 3478 at the EdgeRouter through to the Cloud Key for STUN support. (UniFi – Troubleshooting STUN Communication Errors)
Secondary Site
  1. Reset USG to factory default state (or start from there if you didn’t waste time configuring the USG like me)
  2. Plug the WAN connection into eth0. It’ll pull an IP from your ISP DHCP server. Should be live on internet at this point.
  3. Plug a computer into eth1. The default USG runs a DHCP server and assigns an IP from
  4. ssh into the USG ( using the username/password: ubnt/ubnt
  5. Enter the following:
# mca-cli set-inform http://unifi.controller.com:8080/inform
# exit
# reboot

The USG should now be visible in your Cloud Key controller for adoption. It disappears and then reappears when provisioned. Keep in mind you can only have one USG per controller site, so if you have a USG already you will need to have a second controller site for the new USG.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.