Adopting a Unifi USG into a Remote Controller

Suppose you have two separate physical sites with Unifi devices that you want to control from a single Unifi controller. This is not easy to accomplish, as it turns out there are some edge cases. If your ISP at the remote site gives you a static IP and no DHCP, it's even quite hard. Here's how to do it.

This was my setup:

Site 1: Multiple Unifi APs, Unifi Switches and a Cloud key. All local devices adopted by the Cloud key controller.
Site 2: One AP, a USG - temporarily adopted to a controller installed on a local computer. The locally installed controller is no longer accessible.

Task: adopt all devices from site 2 into controller on a cloud key on site 1.

Normally, when all of your devices are unadopted and on the same LAN, there are numerous tools to help you find and adopt them into a controller. You can use the Chrome App to find unadopted devices (works sometimes). You can ssh into the devices, run set-inform and point them to your controller.

Problem 1: Devices are not unadopted.

Once you have adopted a device into a controller, you can't just move it to another one using set-inform. The adoption process creates encryption keys that will ensure the security between device and controller. Trying to set-inform to a new controller will fail with "Server Reject". You need to go into the current controller and select to forget the device. If the current controller is unavailable your only option is to factory reset the device.

Problem 2: Devices are not on same LAN

To adopt a device into a remote controller you need internet access. To adopt devices into a new controller you need to reset your devices. With a USG this makes for a problem if your ISP doesn't use DHCP. Configuring WAN settings using SSH is super tricky and you can't use a local controller to do it, because that will lock the encryption keys to it. Luckily, the USG has its own web ui (see below).

Solution

(skip 5 and 6 if your ISP uses DHCP)

  1. Make sure that port 8080 TCP and 3478 UDP are opened to the remote controller.
  2. Make sure you have two sites that are not the default one in your controller. Move all of your site 1 devices into one site in the controller.
  3. Factory reset the USG at site 2 (hold reset button with a paper clip for longer than you think, +10 seconds).
  4. Connect a computer to the USG using a network cable. The USG will use its default network, 192.168.1.0.
  5. Log into the USG web interface located at 192.168.1.1. Username and password will be the default, ubnt/ubnt.
  6. Configure the WAN settings to connect to your ISP (if you have a static IP you need the IP, the gateway, netmask and DNS).
  7. SSH into your USG at IP 192.168.1.1. The default name and password are ubnt/ubnt.
  8. Run set-inform http://ip-of-remote-controller:8080/inform
    Run info
    If Status says Server Reject, you haven't properly reset the USG and it still has encryption keys from the previous controller.
    If Status says Unknown 11, there's a problem with your inform URL - don't use https (the traffic is encrypted but not with TLS) and don't forget the port in the URL.
  9. Go into your remote controller at site 1; the site 2 USG should appear as pending adoption.
  10. Adopt the USG and move it into your second site in the controller. Only one USG per site is allowed, so if there is no adopt button it could be because a previous USG is in the default site. You can now set up networks and wireless networks separately for the second site.
  11. Factory reset your other devices on site 2, ssh into them and run set-inform to the remote controller, adopt them and move them into the second site.
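
The checks from step 8 as a small script to run on your workstation before typing set-inform. This is an added example, not part of the original procedure or any Ubiquiti tool; the function names, the address 203.0.113.10 and the sample Status text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Pure string checks, no network access.
# Handles hostnames and IPv4 addresses; IPv6 literals are out of scope.

# check_inform_url URL: prints "ok" or the first problem found (exit 0 / 1).
check_inform_url() {
    url=$1
    case $url in
        https://*) echo "scheme: use http, not https"; return 1 ;;
        http://*)  ;;
        *)         echo "scheme: URL must start with http://"; return 1 ;;
    esac
    rest=${url#http://}
    hostport=${rest%%/*}              # text before the first slash
    if [ "$rest" = "$hostport" ]; then
        path=""                       # no slash at all, so no path
    else
        path=/${rest#*/}
    fi
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   echo "port: missing, append :8080"; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port: not a number"; return 1 ;;
    esac
    if [ "$path" != "/inform" ]; then
        echo "path: must be /inform"; return 1
    fi
    echo "ok"
}

# diagnose_status TEXT: maps the Status shown by `info` to the cause given in the post.
diagnose_status() {
    case $1 in
        *"Server Reject"*) echo "reset: keys from the previous controller remain, factory reset again" ;;
        *Unknown*11*)      echo "url: fix the inform URL (http, not https, with the port)" ;;
        *)                 echo "other: not covered by the post" ;;
    esac
}

# Constructed sample inputs (203.0.113.10 is a documentation address).
for u in http://203.0.113.10:8080/inform https://203.0.113.10:8080/inform \
         http://203.0.113.10/inform; do
    printf '%s -> %s\n' "$u" "$(check_inform_url "$u")"
done
diagnose_status "Status: Server Reject"
```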

Congratulations, you now have two sites in your single controller, with all your Unifi devices!
