Router Backup
The source material this page replaces covers an elaborate OpenWrt backup script using opkg, dropbear, gnupg, and a custom cron job. For UniFi, the backup model is considerably simpler: the UniFi Network application maintains its own backup mechanism, and the configuration is stored in a portable .unf file that can restore the entire network from scratch.
The job here is not to build a backup system from scratch. It is to understand what UniFi backs up, configure automatic backups, and ensure copies land somewhere safe outside the device itself.
What UniFi backs up
The UniFi backup file contains the complete Network application configuration:
- All network definitions (VLANs, subnets, DHCP settings)
- All WiFi networks (SSIDs, passwords, VLAN mappings)
- All firewall rules and traffic policies
- All device configuration (access points, switches)
- All WireGuard VPN server and client configurations
- All static DHCP assignments
- All port forwarding rules
- Admin accounts and permissions
- Site settings and preferences
What it does not contain:
- UniFi Protect recordings (these are on the HDD bay)
- UniFi OS system configuration (network interfaces, SSH keys)
- Current device runtime state
A backup from today plus a factory-reset device plus the backup restore process gets you back to a fully configured network. The restore takes around five minutes.
Automatic backups
Navigate to Settings > System > Backups.
Configure automatic backups:
| Setting | Value |
|---|---|
| Automatic backup | Enabled |
| Frequency | Daily |
| Retention | Keep 7 backups |
| Storage location | Local storage (integrated SSD) |
With daily backups and 7-day retention, the last week of configurations is always available. Adjust retention based on available storage and how often configuration changes are made.
Backup storage location
The default backup location is the UDM-SE’s integrated SSD. This is the correct first location, but it is not sufficient on its own: if the device fails or needs to be factory reset, the backups on the SSD may be inaccessible.
Backups need to go off the device. There are two approaches:
Option 1: Pull backups from the desktop via the anacron script (already configured in the Ubiquiti management section):
```bash
# From ~/.anacron/cron.weekly/unifi-backup
rsync -avz --quiet "root@prevernal:/data/autobackup/" \
    "/media/${USER}/NAS/Backups/UniFi/prevernal/"
```
Option 2: Push backups to network storage directly from the UDM-SE once cloud backup is configured.
Both approaches result in backups on the NAS. The anacron approach is already in place from the Ubiquiti management page.
Cloud backup
UniFi supports optional cloud backup to Ubiquiti’s servers. Navigate to Settings > System > Backups > Cloud Backup.
This provides an additional off-site copy without any infrastructure on your part. The trade-off is that configuration data (including network topology, VPN keys, and WiFi passwords) is stored on Ubiquiti’s servers. For a home network, this is a reasonable convenience. For a setup with sensitive information, the local-only approach may be preferable.
This is a personal decision. The local backup approach described below is sufficient without cloud backup.
Manual backup
Before making any significant configuration change, export a manual backup:
Settings > System > Backups > Download Backup.
This downloads a timestamped .unf file. Store it in:
- KeePassXC as a file attachment under Infrastructure > UniFi > Prevernal
- The NAS backup directory
- Optionally, the offline encrypted USB safe storage for the most current configuration snapshot
The manual backup is the most important backup to have before:
- Upgrading firmware
- Changing the VLAN structure
- Modifying firewall rules
- Reconfiguring the WireGuard VPN
If the change goes wrong, restoring from the manual backup taken immediately before is the fastest recovery path.
Backup retention and naming
The automatic backup files are named with timestamps:
```
autobackup_UDM-SE_x.x.xx_YYYYMMDD_HHMM_xxxxxxxxxx.unf
```
The anacron script pulls all files from /data/autobackup/ to the NAS. Over time, old backups accumulate. Add a cleanup step to the backup script:
```bash
cat > ~/.anacron/cron.weekly/unifi-backup << 'EOF'
#!/usr/bin/env bash
# Pull UniFi configuration backups from all three routers
# and clean up backups older than 30 days

for router in prevernal vernal estival; do
    dest="/media/${USER}/NAS/Backups/UniFi/${router}/"

    if rsync -avz --quiet "root@${router}:/data/autobackup/" "$dest" 2>/dev/null; then
        # Remove backups older than 30 days from NAS. This runs only after a
        # successful pull, so a router that stays unreachable never has its
        # last good copies aged out.
        find "$dest" -name "*.unf" -mtime +30 -delete 2>/dev/null
    else
        echo "Backup pull failed for ${router}" >&2
    fi
done
EOF
chmod 0755 ~/.anacron/cron.weekly/unifi-backup
```
Restoring from backup
To restore a configuration backup:
- Navigate to Settings > System > Backups
- Click Restore and select the .unf file
- Confirm the restore. The controller restarts and applies the configuration.
Alternatively, during initial setup of a replacement device, the setup wizard offers to restore from a backup file.
For a full device replacement:
- Factory reset the new UDM-SE
- Complete the initial setup wizard
- Stop at the point where the wizard asks about configuration
- Upload the backup file
- The controller restores all networks, devices, and settings
Adopted devices (access points, switches) re-adopt automatically once they can reach the restored controller at its known IP address.
Backing up Vernal and Estival
The same backup approach applies to the secondary site gateways. Configure automatic backups on each device in the same way, and include them in the anacron backup pull script as shown above.
Each site’s backups land in a separate directory on the NAS:
```
/media/username/NAS/Backups/UniFi/
├── prevernal/
│   └── autobackup_UDM-SE_*.unf
├── vernal/
│   └── autobackup_*.unf
└── estival/
    └── autobackup_*.unf
```
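The pull script sends rsync's errors to /dev/null, so a pull that has been failing for weeks looks the same as a healthy one until a restore is needed. The following check is an added example, not part of the original page: it reads the timestamp from the autobackup filenames and flags any router whose newest non-empty backup is older than a cutoff. The function names, the 3-day default and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the filename layout shown
# on this page: autobackup_<model>_<version>_YYYYMMDD_HHMM_<suffix>.unf

# Print the YYYYMMDDHHMM stamp of the newest non-empty autobackup in dir $1.
# Returns 1 when the directory holds no usable autobackup.
newest_stamp() {
    newest=0
    for f in "$1"/autobackup_*.unf; do
        [ -s "$f" ] || continue          # unmatched glob or zero-byte file
        rest=${f##*/}                    # strip the directory part
        rest=${rest%_*.unf}              # drop the trailing _<suffix>.unf
        hhmm=${rest##*_}
        rest=${rest%_*}
        ymd=${rest##*_}
        case "$ymd$hhmm" in *[!0-9]*) continue ;; esac
        [ "${#ymd}" -eq 8 ] && [ "${#hhmm}" -eq 4 ] || continue
        if [ "$ymd$hhmm" -gt "$newest" ]; then newest=$ymd$hhmm; fi
    done
    [ "$newest" -ne 0 ] || return 1
    echo "$newest"
}

# Succeed only if the newest autobackup in dir $1 is dated on or after $2 (YYYYMMDD).
is_fresh() {
    stamp=$(newest_stamp "$1") || return 1
    [ "${stamp%????}" -ge "$2" ]
}

# Check each router directory under root $1 against cutoff $2; return 1 if any is stale.
report_all() {
    failed=0
    for router in prevernal vernal estival; do
        if is_fresh "$1/$router" "$2"; then
            echo "OK    $router"
        else
            echo "STALE $router: no non-empty autobackup dated $2 or later" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh check-unifi-backups.sh <backup-root> [max-age-days]
if [ -n "${1:-}" ]; then
    cutoff=$(date -d "${2:-3} days ago" +%Y%m%d)   # GNU date syntax (assumption)
    report_all "$1" "$cutoff"
fi
```

Run it from the same anacron job after the pull; a non-zero exit status or any STALE line means the NAS copy can no longer be trusted as current.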
SSH key backup
The UDM-SE generates SSH host keys during initial setup. These are not included in the UniFi backup. After a factory reset or device replacement, new SSH host keys are generated, which triggers an SSH host key mismatch warning when connecting from the desktop.
Back up the SSH host keys separately via SSH immediately after initial configuration:
```bash
# From the desktop
scp root@prevernal:/etc/dropbear/dropbear_rsa_host_key \
    "/media/${USER}/NAS/Backups/UniFi/prevernal/dropbear_rsa_host_key"
```
Or accept the key mismatch after a factory reset by removing the old host key from the desktop’s known hosts:
```bash
ssh-keygen -R prevernal
ssh-keygen -R 10.1.0.1
```
Then connect again to accept the new host key.
A backup that has never been tested is not a backup. Restore a recent backup to a test environment, or verify the restore process on a spare device, before relying on the backups for a real recovery scenario. The restore process is straightforward with UniFi, but knowing it works before you need it is worth the thirty minutes it takes to verify.