If your UniFi controller, Cloud Key, UDM, or UDR doesn't have a public IP address—due to CGNAT, Starlink, or network restrictions—you can't use traditional external portal solutions. Spotipo's reverse tunnel creates an SSH connection from your controller to Spotipo's servers, enabling captive portal functionality without requiring a public IP or port forwarding.
This guide walks you through enabling SSH access on your UniFi device, installing autoSSH for persistent connections, generating SSH keys, and establishing the reverse tunnel. The setup requires command-line access and takes approximately 15-20 minutes.
What you'll accomplish:
Enable SSH access on your UniFi controller/Cloud Key/UDM/UDR
Install autoSSH for maintaining persistent reverse tunnel connections
Generate and share SSH keys with Spotipo support
Establish reverse tunnel connection using your assigned username
What you'll need:
UniFi controller without public IP (Cloud Key, UDM, UDR, or software controller)
SSH terminal access (Terminal on Mac/Linux, PuTTY on Windows)
Root access to your UniFi device
Active Spotipo account with support contact
When to use reverse tunnel: This solution is essential for controllers behind CGNAT (carrier-grade NAT), Starlink connections, corporate networks without public IPs, or any situation where port forwarding isn't possible.
Enable SSH access on your UDM/CK/UDR
If you are using a software controller, ie UniFi controller running on a server, skip this.
Make sure to login to your device by going to https://
, and navigate to Console Settings.
Enable Remote Access and SSH, use the Change Password option to set a password.
SSH into your controller
Using your favorite SSH terminal, log in to the UniFi controller. If you got a CK/UDM/UDR etc use root as username and the password you set above.
Install autoSSH
We will use autossh to keep the connection active, install the same using command below after logging into the controller.
apt install autossh
Generate SSH Keys
Check if you already have a set of SSH keys under /root/.ssh/id_rsa.pub if not create them using the command
ssh-keygen
And then copy the content of /root/.ssh/id_rsa.pub and send to us via chat. In return we will assign a USERNAME to you.
Proceed to the next steps once you have a USERNAME from support.
Login to the server again and execute below command, replace
with actual username
bash <(curl -L -s https://spotipo.sh/install.sh) <USERNAME>
You should be seeing something like below
Now you should be able to use
.spotipo.cloud as the Hostname for your server in the Settings tab.
Your Reverse Tunnel Is Now Active
Once you've executed the installation script with your assigned username, your reverse tunnel is established. You can now use <USERNAME>.spotipo.cloud as the hostname when configuring your UniFi controller in Spotipo's settings instead of requiring a public IP address.
What to do next:
Configure your UniFi controller in Spotipo using your
<USERNAME>.spotipo.cloudhostnameVerify the tunnel connection is active and stable
Complete your captive portal setup following the standard UniFi configuration guide
Reverse tunnel advantages:
Works with CGNAT, Starlink, and other scenarios without public IPs
No port forwarding or router configuration required
autoSSH automatically reconnects if the connection drops
More reliable than DDNS for dynamic IP situations
Important notes:
Keep your SSH credentials secure; they provide root access to your controller
The reverse tunnel must remain active for the captive portal to function
Software controllers (not Cloud Key/UDM) can skip the SSH enablement step
Troubleshooting reverse tunnel:
Installation script fails: Ensure you're logged in as root with proper permissions
Connection drops frequently: autoSSH should auto-reconnect; check network stability
Can't SSH into device: Verify SSH is enabled in Console Settings and the password is correct
Username not working: Confirm you received the username from Spotipo support before running install script
Still having trouble enabling reverse tunnel? Contact Spotipo support via live chat or email us at [email protected], we'll assign your username and help troubleshoot the SSH tunnel setup.