Local AI Engineering with Ollama

Installing and Using Open WebUI

By the end of this section you have Open WebUI running in Docker, talking to your local Ollama, and you know where the features you will actually use live.

Installation

Pin the image to a specific release. Do not run :main or :latest for anything you depend on, because an unattended pull can change behavior or run a database migration under you. Get the current tag from the releases page.

The following instructions assume you're running Open WebUI in a Docker container on the same machine as Ollama. There are other installation options, and the official documentation describes them well.

# replace with the current release tag
OWUI_VERSION=v0.9.6        

# Generate the secret key once and keep it. Reuse the same value on every
# update, or all logins get invalidated when the container is recreated.
WEBUI_SECRET_KEY=$(openssl rand -hex 32)
echo "$WEBUI_SECRET_KEY"   # save this somewhere safe

# Install Docker if you don't already have it.
curl -fsSL https://get.docker.com | sh

# Run the container
docker run -d \
  --name open-webui \
  --restart unless-stopped \
  --network=host \
  -e OLLAMA_BASE_URL=http://127.0.0.1:11434 \
  -e WEBUI_SECRET_KEY="${WEBUI_SECRET_KEY}" \
  -v open-webui:/app/backend/data \
  ghcr.io/open-webui/open-webui:${OWUI_VERSION}

The --network=host configuration means the container drops Docker's isolated network and shares the host's network stack directly, so localhost inside the container is the host's localhost. We use it here so Open WebUI reaches Ollama on 127.0.0.1:11434 with no rebinding and no bridge-gateway address to get wrong, which removes the most common connection failure in this setup.

(w) WEBUI_SECRET_KEY is a secret key used for signing JSON Web Tokens (JWTs) and encrypting sensitive data at rest (including OAuth tokens for MCP).
Generate the key once with openssl rand -hex 32, save it in a .env file, and pass it on every docker run with --env-file so updates and reboots reuse the same key instead of generating a new one. That keeps sessions and saved secrets working across restarts.

Now create an SSH tunnel from your local machine to your server to use your browser to reach Open WebUI.

ssh -Nf -p  @ -L :localhost:8080

8080 is the default port Open WebUI listens on, but you can change it by setting the OPENWEBUI_PORT environment variable.

Example:

ssh -Nf -p 22 root@70.30.158.46 -L 3000:localhost:8080

Open your browser and go to http://localhost:3000.

Running Open WebUI on a Separate Machine

If you want the UI on a different machine from Ollama (a laptop talking to a GPU box, or a dedicated UI host), two things change: the container no longer shares Ollama's network, so --network=host and 127.0.0.1 will not find it, and Ollama must accept connections from outside its own host.

First, bind Ollama to all interfaces so it answers on the network, not just localhost:

sudo systemctl edit ollama

Add this block:

[Service]
Environment="OLLAMA_HOST=0.0.0.0:11434"

Then reload and restart:

sudo systemctl daemon-reload
sudo systemctl restart ollama
ss -ltnp | grep 11434      # want 0.0.0.0:11434, not 127.0.0.1:11434

(w) Reminder: Ollama ships no authentication, so anyone who can reach port 11434 can use your models and hardware. Only do this on a trusted network, and on a public box keep Ollama bound to 127.0.0.1 and put it behind an nginx or Caddy reverse proxy that handles auth and TLS instead.

Now run Open WebUI on the second machine. Drop --network=host, map the UI port with -p, and point OLLAMA_BASE_URL at the Ollama machine's address:

# Replace with the current release tag
OWUI_VERSION=v0.9.6        
# The port to run the UI on
UI_PORT=3000
# The IP or hostname of the Ollama machine
OLLAMA_HOST=[CHANGE_ME]
# Generate the secret key once and keep it. Reuse the same value on every
WEBUI_SECRET_KEY