How to Securely Install TP-Link Omada Controller on a Vultr Cloud Server

Updated on February 1, 2023

TP-Link Omada SDN Controller is a centralized remote network control application used to manage multiple network devices that may consist of wireless access points, security gateways, switches. This article describes how you can securely install a TP-Link Omada Controller on a Vultr Cloud Server and link devices to the controller.

Prerequisites

Before you start, make sure you:

Installation

To successfully install TP-Link Omada Controller, the following software dependencies must be available on your server:

  • Open Java Development Kit 8.0.
  • Java Service JSVC.
  • MongoDB v4 or above.

  1. Install the Open JDK 8.0.

      $ sudo apt install openjdk-8-jdk
  2. Install JSVC.

      $ sudo apt install jsvc
  3. To Install MongoDB, import the community edition public GPG key from the official website.

      $ wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | sudo apt-key add -
  4. Add the MongoDB repository to your sources list.

      $ echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-6.0.list
  5. Update the server.

      $ sudo apt update
  6. Install MongoDB.

      $ sudo apt install mongodb-org

    To install MongoDB on a non-Ubuntu Linux server, please follow the official installation instructions for your distribution.

  7. Switch to your user home directory.

      $ cd ~/
  8. Using the wget utility, download the latest Omada SDN Controller release file from the official TP-Link Website.

      $ wget https://static.tp-link.com/upload/software/2022/202211/20221121/Omada_SDN_Controller_v5.7.4_Linux_x64.tar.gz
  9. Extract files from the tarball.

      $ tar xvf Omada_SDN_Controller_v5.7.4_Linux_x64.tar.gz
  10. Verify that a new Omada SDN Controller directory is available.

     $ ls
  11. Switch to the directory.

     $ cd Omada_SDN_Controller_v5.7.4_Linux_x64/
  12. Run the install.sh script to start installing the TP-Link Omada Controller.

     $ ./install.sh

    Output:

     Omada Controller will be installed in [/opt/tp-link/EAPController] (y/n):
  13. Enter y to start the installation process. When complete, you should receive the following output:

     ==========================
     Omada Controller will start up with system boot. You can also control it by [/usr/bin/tpeap].
     Starting Omada Controller. Please wait......................................
     Started successfully.
     You can visit http://localhost:8088 on this host to manage the wireless network.
     ========================
  14. Run the following command to verify that the controller status is running.

     $ tpeap status
  15. To save server space, delete the controller tarball and extracted files.

     $ rm -r Omada_SDN_Controller_v5.7.4_Linux_x64/ && rm Omada_SDN_Controller_v5.7.4_Linux_x64.tar.gz

Security

By default, Uncomplicated Firewall (UFW) on Debian and Ubuntu, and Firewalld on CentOS/Rocky Linux/AlmaLinux, are active on Vultr servers. Set up the firewall to allow the following TP-Link Omada Controller ports:

  • TCP 8088 – Manages the Omada Controller using an HTTP connection.
  • TCP 8043 – Manages the Controller over HTTPS.
  • TCP 8843 – Users authenticate over HTTPS when the captive portal is on.
  • TCP 29811, 29812 – Manages devices on the controller.
  • TCP 29814 – Adopts devices to the controller.
  • TCP 27217 – Grants the application access to the database.
  • UDP 29810 – Discovers devices pointed to the server.

  1. Allow the Omada Controller TCP ports through the UFW firewall.

      $ sudo ufw allow 8088,8043,8843,29811,29812,29814,27217/tcp comment "Omada Controller Ports"
  2. Allow the controller's UDP port through the firewall.

      $ sudo ufw allow 29810/udp comment "Omada Controller UDP"
  3. To successfully generate SSL certificates, allow the HTTP port 80.

      $ sudo ufw allow 80/tcp
  4. Restart the firewall to activate changes.

      $ sudo ufw reload

If you are using the Vultr Firewall, allow all of the ports listed above to reach the controller services. To tighten server security, limit access to the 8088 and 8043 management ports to your own IP address only.
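As an added example that is not part of the Vultr article or of TP-Link's own tooling, the following POSIX shell script generates (and optionally applies) the UFW rules for the ports listed above while following the recommendation just given: the two web management ports are opened only to a single administrator address block, and every other port is opened as the article describes. The ADMIN_CIDR value, the DRY_RUN switch and the function names are assumptions for this example; replace the placeholder CIDR with the address you administer from.

```shell
#!/bin/sh
# Added example, not from the Vultr article or TP-Link: generate (and
# optionally apply) UFW rules for the Omada Controller ports listed above,
# with the management ports 8088/8043 limited to one administrator CIDR.
# ADMIN_CIDR, DRY_RUN and the function names are assumptions for this example.
set -u

MGMT_TCP_PORTS="8088,8043"                        # web management: admin CIDR only
DEVICE_TCP_PORTS="8843,29811,29812,29814,27217"   # portal, device management, adoption, database
DISCOVERY_UDP_PORT="29810"                        # device discovery
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"       # placeholder (TEST-NET-3 address), replace it
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print the rules, 0 = run them with sudo

# Print one ufw command per line for the given administrator CIDR.
# Returns 1 if the argument does not look like an IPv4/IPv6 CIDR, so that
# nothing unexpected is ever passed to the shell that runs the rules.
omada_ufw_rules() {
    cidr="$1"
    case "$cidr" in
        *[!0-9a-fA-F.:/]*|*/) return 1 ;;   # forbidden characters or trailing slash
        */*) ;;                             # has a prefix length: accept
        *) return 1 ;;                      # bare address without /prefix: reject
    esac
    printf 'ufw allow from %s to any port %s proto tcp comment "Omada management (admin only)"\n' \
        "$cidr" "$MGMT_TCP_PORTS"
    printf 'ufw allow %s/tcp comment "Omada device ports"\n' "$DEVICE_TCP_PORTS"
    printf 'ufw allow %s/udp comment "Omada discovery"\n' "$DISCOVERY_UDP_PORT"
    printf 'ufw allow 80/tcp comment "Certbot HTTP-01 challenge"\n'
}

# Count the generated rules that open PORT to every source address.
# A management port must never appear in such a rule; device ports do.
unrestricted_rules_for() {
    port="$1"
    omada_ufw_rules "$ADMIN_CIDR" | grep -v ' from ' | grep -c "$port" || true
}

# Run each generated rule through sudo, then reload ufw.
apply_rules() {
    omada_ufw_rules "$1" | while IFS= read -r cmd; do
        sudo sh -c "$cmd"
    done
    sudo ufw reload
}

if [ "$DRY_RUN" = "0" ]; then
    apply_rules "$ADMIN_CIDR"
else
    omada_ufw_rules "$ADMIN_CIDR"
fi
```

Run it once without arguments to review the generated rules, then with `DRY_RUN=0 ADMIN_CIDR=<your address>/32` to apply them. The `ufw allow from ... to any port ... proto tcp` form is what restricts a rule to a source address; the plain `ufw allow <port>/tcp` form used in the steps above opens the port to everyone.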

Install Trusted SSL Certificates on the Server

If you access the Omada Controller HTTPS port, you may receive the untrusted connection prompt as a self-signed certificate is pre-installed with the controller. To secure your server, install trusted SSL certificates from Let's Encrypt as described below.

  1. Install the Certbot Let's encrypt client application.

      $ sudo snap install --classic certbot
  2. Activate the system-wide Certbot command.

      $ sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Request a free SSL certificate. Replace controller.example.com with your actual domain name.

      $ sudo certbot certonly --standalone -d controller.example.com

    Enter your active email address and agree to the Let's Encrypt certificate terms when prompted.

  4. When successful, switch to your home directory.

      $ cd ~/
  5. Create a new directory named SSL.

      $ mkdir SSL
  6. Copy your cert.pem SSL certificate file from the /etc/letsencrypt/live/ directory to your SSL directory.

      $ sudo cp /etc/letsencrypt/live/controller.example.com/cert.pem ~/SSL/
  7. Copy the private key privkey.pem file.

      $ sudo cp /etc/letsencrypt/live/controller.example.com/privkey.pem ~/SSL/
  8. Verify that the files exist in your SSL directory.

      $ ls ~/SSL/
  9. Change ownership of the files to your non-root user account.

      $ sudo chown -R example-user:example-user SSL/
  10. In a new terminal window, use a secure transfer protocol such as sftp or scp to download the certificate files from your server. This article uses sftp, which follows the syntax below.

     sftp user@host remoteFile localFile
  11. To download the cert.pem SSL certificate file to your current directory, run the following command.

     $ sftp example-user@192.168.0.2:SSL/cert.pem .
  12. Download the privkey.pem SSL certificate private key.

     $ sftp example-user@192.168.0.2:SSL/privkey.pem .
  13. Verify that the files are available in your computer's terminal directory.

     $ ls *.pem

Windows

     > dir *.pem
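Before importing the downloaded files through the controller's HTTPS Certificate page, it is worth confirming that they belong together and cover the right hostname; a mismatched key or a certificate issued for a different name is only reported by the browser after the controller restarts. The following POSIX shell script is an added example, not part of the Vultr article or of TP-Link's software: it checks that the public key inside cert.pem matches privkey.pem, that the certificate lists the hostname you will enter as Controller Hostname/IP, and that it is not about to expire. The file paths, hostname and function names are assumptions for this example; it relies on the standard openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the Vultr article or TP-Link: sanity-check a
# certificate/private-key pair before importing it into the Omada Controller.
# File paths, the hostname and the function names are assumptions.
set -u

# 0 if the public key in CERT equals the public key derived from KEY,
# 1 on mismatch, 2 if either file cannot be parsed by openssl.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if HOST appears as a DNS Subject Alternative Name or as the subject CN.
cert_covers_host() {
    cert="$1"; host="$2"
    txt=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$txt" | grep -Eq "DNS:${host}(,|$)|CN ?= ?${host}(,|$)"
}

# 0 if CERT is still valid DAYS days from now (openssl -checkend takes seconds).
cert_not_expiring() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Run all three checks; prints the first failure and returns non-zero.
# The fourth argument (minimum remaining validity in days) defaults to 14.
check_pair() {
    cert="$1"; key="$2"; host="$3"; days="${4:-14}"
    cert_key_match "$cert" "$key" \
        || { echo "$key does not match $cert" >&2; return 1; }
    cert_covers_host "$cert" "$host" \
        || { echo "$cert does not cover $host" >&2; return 1; }
    cert_not_expiring "$cert" "$days" \
        || { echo "$cert expires within $days days" >&2; return 1; }
    echo "ok: $cert and $key form a valid pair for $host"
}

# Usage: sh check_pair.sh ./cert.pem ./privkey.pem controller.example.com
if [ $# -ge 3 ]; then
    check_pair "$@"
fi
```

Run it in the directory where sftp placed the files, with your own domain name as the third argument. A Let's Encrypt certificate carries the hostname as a Subject Alternative Name, which is what the first pattern in cert_covers_host matches; the CN fallback covers self-signed test certificates.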
  1. Using a web browser such as Chrome, visit your Server IP Address on port 8088.

    If redirected to port 8043, click Advanced, and continue to 192.168.0.2 (unsafe).

  2. Click Let's Get Started to start the controller setup wizard.

  3. Enter your desired controller name.

    The Omada Controller Setup Wizard

  4. Click the region dropdown and set the value to your country.

  5. Click the Timezone dropdown and select your region's timezone.

  6. Select your desired application scenario to use its preset, click Customized to proceed without a template, then click Next.

  7. On the configure devices page, click Skip to discover devices later.

  8. Skip configure WAN settings overrides.

  9. On the Configure Wi-Fi page, enter your desired Wi-Fi name in the Network Name (SSID) field, set a password and click Next to proceed.

  10. Fill in the Controller Main Administrator fields to create a new Omada Controller administrator on your server.

  11. In the Device Account section, enter a Username and Password different from your administrator details to assign to devices when adopted by your controller.

  12. Enter your TP-Link ID and password to associate it with your new Omada controller. Toggle Cloud Access to OFF if you don't have an existing TP-LINK ID.

  13. Click Next to view a summary of your setup.

  14. Click Finish to save your configuration choices.

    Omada Controller configuration summary

  15. On the Omada SDN Controller login page, enter the administrator Username and Password created in the setup wizard, and click Log in to access the management panel.

  16. Toggle through the controller tutorial or click the X symbol to close.

  17. Within the main Omada controller dashboard, click the Settings symbol in the bottom left corner.

  18. In the Controller Settings section, click Controller.

  19. Scroll to the HTTPS Certificate section, and click the File Format: drop down option.

  20. Select PEM from the list of options, then click Import next to SSL Certificate:.

  21. In the file selector window, navigate to the directory where you stored your cert.pem file and open it.

  22. Click Import next to SSL Key:, and open the privkey.pem file in the pop-up window.

  23. When uploaded successfully, scroll to the Access Config section.

  24. Enter your domain name in the Controller Hostname/IP field.

    Upload SSL Certificates

  25. Scroll to the bottom of the page and click Save to load changes.

  26. In a terminal window, use SSH to re-access your Vultr server.

     $ ssh example-user@192.168.0.2
  27. Stop the Omada Controller.

     $ sudo tpeap stop
  28. Start the Omada Controller.

     $ sudo tpeap start
  29. Verify that the controller is up and running.

     $ sudo tpeap status

    Your Output should look like the one below:

     Omada Controller is running. You can visit http://localhost:8088 on this host to manage the wireless network.
  30. In a web browser, visit your domain name on port 8043 and verify that the browser reports the HTTPS connection as secure, with no certificate warning.

     https://controller.example.com:8043
  1. To manage devices in the Omada Controller, access your TP-Link device's management URL, for example:

      http://192.168.0.1
  2. Log in to the device using the administrator username and password.

  3. Navigate to System.

  4. Click Controller Settings.

  5. In the Inform Address field, enter your Omada controller domain name.

  6. Click Save to load changes.

  7. In a web browser, log in to your Omada Controller.

      https://controller.example.com:8043
  8. Navigate to Devices on the main navigation menu.

  9. Verify that your TP-Link Omada device displays on the list with the status Requesting Adoption.

  10. Click the symbol to adopt the device.

  11. Enter the local device administrator username and password to start the adoption process.

  12. When complete, your device status changes to Connected, and the device is now managed by the controller.

If the device does not display in your devices list, verify that all necessary Omada Controller ports are open in your server firewall table.

Conclusion

In this article, you have installed the TP-Link Omada Controller on a Vultr Cloud Server and protected it with SSL certificates. You can associate hundreds of devices in multiple locations to the controller and manage them remotely through the Omada controller interface without any need to connect to the device's local network.

For more information, please visit the official Omada SDN Controller User Guide.