JavaScript is required to view this page.
Skip to content
Get 50% OFF 2x Smart Devices with your HA Yellow Kit + CM4
Get 50% OFF 2x Smart Devices with your HA Yellow Kit + CM4
How-To: Install PiVPN Server on ODROID-XU4 (and other SBCs, including PinePhone!)

How-To: Install PiVPN Server on ODROID-XU4 (and other SBCs, including PinePhone!)

By Greg Rodriguez, resident specialist in Android, Mac, Linux and Windows operating systems, video and audio streaming and conversion, retrogaming, and many other tech disciplines

Introduction

The ODROID-XU4 is a powerful single board computer with many uses. In this guide we will be covering how to use PiVPN to setup the XU4 as either an OpenVPN, or WireGuard server. PiVPN is a script originally made for Raspberry Pi that makes installation and configuration of OpenVPN or WireGuard very simple. But because PiVPN is not made for ODROID it will require some small tweaks to make it work on the XU4. We will cover those as well in this guide.

[Editor's Note: The ODROID-XU4Q, HC1, HC2, and MC1 Solo, as well as the retired ODROID-XU3, all run the exact same operating system image as the XU4, so these instructions can apply without changes to those systems. Some of the above systems lack a video output port, so you will have to SSH into the system from another computer instead of using an attached keyboard / mouse / monitor.

These instructions should also work for most other SBCs running a Debian-based operating system (i.e. Armbian, Ubuntu, etc.), including the PinePhone.]

Note: In order for the VPN server to work you will need to forward the appropriate port in your router to the XU4. This basically means opening a port in your router’s firewall so that Internet traffic on that port is forwarded directly to the XU4 instead of being rejected by the router. This is essential to how a VPN works and we will cover what port needs to be forwarded later in this guide. Because every router is different, and therefore will require different steps, we will not be covering how to port forward in this guide. You will need to look up how that is done with your specific model router.

 

Prerequisites

You will need the following components for this guide: You will also need to download and install the following software utilities: Note that if using a Mac, you will only need to install balenaEtcher. MacOS does not require 7-zip or PuTTY.

 

Setting up Ubuntu on the XU4

Downloading Image

We will begin by downloading Ubuntu 20.04 Minimal as our base operating system to run the VPN server with. Click here to open the ODROID XU4 wiki. Under Downloads, click the tab for ODROID-XU4, then download the Ubuntu Minimal 20.04 image from one of the available mirrors.

Extracting Image

Once downloaded the image will be in the XZ compressed format, similar to ZIP. We will need to extract the image first before flashing it. On a PC we will need to use 7-Zip to extract the image. WinRAR and WinZip can also be used if you own them, but in this guide we will be using 7-Zip. With 7-Zip installed, open File Explorer on your PC and navigate to the file we downloaded. This is probably the Downloads folder on your PC. Double-click the file to open it in 7-Zip.

In 7-zip you should see an ubuntu-20.04-5.4-minimal-odroid-xu4-20210112.img file. Note that the name of the file may change if your version of Ubuntu is newer than the one used at the time this guide was written. Click once on the image file to select it, then click the Extract button at the top of 7-Zip. This will open a Copy dialog window. It should default to the same location that the compressed XZ file was opened from. Simply click OK to extract the image.

Note that on a Mac 7-Zip is not necessary to extract the image from the XZ file. This can be done by opening Finder and navigating to the file we downloaded. Double-click the file to extract the image.

Flashing Image

Connect your eMMC module or microSD card to your Mac or PC and open balenaEtcher. In Etcher click the Flash from file button and navigate to your extracted ubuntu-20.04-5.4-minimal-odroid-xu4-20210112.img file and select it. Next click on the Select target button, then check the box next to your eMMC/SD card reader in the list. Click the Select button at the bottom of the window. Lastly click the Flash button in Etcher to begin flashing the image. If using a PC you may be prompted to allow the Windows Command Processor to make changes. If so, click Yes. Etcher will flash the image then verify it was flashed correctly. When finished Etcher will say Flash Complete. You can now remove your eMMC/SD card.

Note that on PC you may get popups saying you need to format the disk(s). Just click Cancel or ignore them. This is because Windows does not recognize the Linux filesystem used for the XU4.

First Boot

Insert your eMMC/micro SD card into your XU4. Now is also the time to connect your keyboard, monitor, and Ethernet cable. Lastly, plug in the power connector and the XU4 will boot. During first boot it will expand the filesystem to take up the entire space of your eMMC/micro SD card. After a minute it will come to a (odroid login) prompt. Type root as the username and press Enter. It will then prompt for the password for the root account. Type odroid and press Enter. Note that the password will not display on screen as you type, so take your time and type it correctly. Once successfully logged in you should see the prompt root@odroid~#

The next step is to find the IP address of the XU4 so we can continue setup via SSH from a Mac or PC. To do this we will type the following command on the XU4 and press Enter.

ip addr show eth0 | grep "inet\b" | awk '{print $2}'

The command should output something like 192.168.1.52/24. Note that this is just an example and your IP address will be different depending on your router and network configuration. Make note of these numbers as we will use them in later steps. For now, we only care about the first four numbers separated by decimal points. That is the IP address we will need to connect to the XU4 via SSH. In this example that would be 192.168.1.52.

 

SSH Into XU4

Now that we have the IP address our router assigned to the XU4 we can return to our Mac or PC and establish an SSH connection. Using SSH from another computer will make setup easier as we will be able to copy and paste commands instead of typing them out.

PC

Open PuTTY on your PC. Once open there will be an empty box with the words Host Name (or IP address) above it. This is where we’ll enter the IP address we found in the previous section. In our example that is 192.168.1.52, but remember your IP address will vary. Enter your IP address in that field, then click the Open button at the bottom of the PuTTY window. If this is the first time you’ve connected to your XU4 via SSH, PuTTY will display a security alert basically asking if you trust this new host. Click the Accept button to continue.

A terminal window will open and you will be asked to (login as). Just like before, type root for the username and press Enter. Then type odroid for the password and press Enter again. Remember, the password will not display on screen as you type, so take your time. If you typed everything correctly you should once again see the root@odroid~# prompt.

Mac

Putty is not necessary to SSH from a Mac. Instead, open the Terminal app and type the following command and press Enter:

ssh root@192.168.1.52

Note that 192.168.1.52 is the example IP address we’re using for this guide. You will need to replace that with the IP address of your XU4 found in the previous section before pressing Enter.

If this is the first time you’ve connected to your XU4 via SSH, Terminal will display a security alert basically asking if you trust this new host. Type yes and press Enter. You will be asked to (login as). Just like before, type root for the username and press Enter. Then type odroid for the password and press Enter again. Remember, the password will not display on screen as you type, so take your time. If you typed everything correctly you should once again see the root@odroid~# prompt.

Getting Ready to Install PiVPN

Before installing PiVPN there are some changes we must make to Ubuntu. Some changes are for security purposes and some are so PiVPN will work correctly.

Changing Root Password

For security we’ll start by changing the password for root to something other than odroid. To do this copy and paste the following command:

passwd root

You will be prompted to enter a new password for root. Choose something you will remember if needed. Remember, the password will not display as you type it. When finished typing press Enter. You will then be prompted to retype the password a second time. Do so and press Enter again. You should see the message passwd: password updated successfully letting you know the password was successfully changed.

Create a New Admin User

It is common practice not to use the root account on Linux systems. For this reason and also because PiVPN requires it, we will be creating a new user with administrative privileges to use going forward. To do this copy and paste the following command then press Enter:

adduser admin

Note that you do not have to use admin as your username. You can choose any username aside from root. Just replace admin with your desired username. Usernames cannot have spaces and should just be simple text names.

After pressing Enter you will be prompted to type a new password for this user, then again to retype the password. Press Enter after both. Remember, the characters of the password will not display as you type them, so take your time. Once you’ve typed the password twice you will also be prompted to enter the following:

Full Name [ ]:
Room Number [ ]:
Work Phone [ ]:
Home Phone [ ]:
Other [ ]:

Leave all of them blank and just press Enter until asked Is the information correct? [Y/n]. Type “y” and press Enter. Next we need to give this new user administrative abilities. To do that copy and paste the following command then press Enter. If you chose to name your user something other than admin replace “admin” with the username chosen.

usermod -aG sudo admin

This will give your new user administrative abilities. To test this out lets switch to the new user with this command:

su admin

Remember to substitute your username for admin if different. You may be prompted to enter the password for the new user. After switching users enter the following command to test the new user has the ability to run things with administrative privileges:

sudo -v

If you get the message “Sorry, user admin may not run sudo on odroid” then you do not have administrative privileges. Switch back to the root account with the command su. Enter the root password and run the usermod -aG sudo admin command again. Make sure “admin” is the username you chose. If not change it to your username.

Setting Static IP Address

PiVPN requires the server to have a static IP address. Normally, PiVPN would set a static IP when it runs. Because of the differences between Ubuntu on the XU4 and Raspberry Pi OS, PiVPN cannot set a static IP, so we will be doing that here. This can be achieved a couple of ways, but for the purposes of this guide we will be setting a static IP address manually.

Note: Before setting a static IP on the XU4 you need to choose an address that is not within your router’s DHCP pool to avoid conflicts. Because every router is different, that will be outside the scope of this guide. You will need to lookup which addresses are available, or how to free some if none are.

Let’s begin by copying the following information and pasting it into Notepad on a PC, or TextEdit on Mac so we can make some changes:

network:
   ethernets:
      eth0:
         addresses:
            - 192.168.1.52/24
         gateway4: 192.168.1.1
         nameservers:
            addresses:
               - 8.8.8.8
               - 8.8.4.4

The first change we need to make is to replace 192.168.1.52 with the static IP address you want the XU4 to have. Make sure not to delete the dash (-) or space in front of it. Also, do not delete the /24 following it. We will edit that next. Refer back to the first boot section where we found what IP address the XU4 was assigned by the router. If you lost that you can run the command again:

ip addr show eth0 | grep "inet\b" | awk '{print $2}'

This time we’re only concerned about the number following the forward slash (/). If that number is /24 then leave it the same in Notepad/TextEdit. If that number is something other than 24 change it to match that number in Notepad/TextEdit. Next we’re going to change the IP address following gateway4 to whatever your router’s IP address is. The most common possibilities are 192.168.1.1, 192.168.0.1, 10.0.0.1, or 172.16.0.1, but yours may vary. The last two IP addresses (8.8.8.8, 8.8.4.4) at the bottom are DNS servers. They’re currently set to use Google’s public DNS servers. If you would like to use other DNS servers set them now. Remember not to delete the dash (-) or space in front of them.

Now that we’ve made the necessary changes, we’re ready to create the network configuration file on the XU4 and paste this information into it. We will use Nano, the text editor on the XU4 to do this by running this command:

sudo nano /etc/netplan/01-netconf.yaml

When Nano opens on the XU4, copy all the contents of Notepad/TextEdit and paste them into Nano. Once you’ve pasted the information into Nano press Control-O followed by the Enter key to save them to the configuration file. Nano should display a message that it wrote 10 lines. After that press Control-X to quit Nano. Next run the command:

sudo netplan generate

If an error message is displayed then the syntax of the file is incorrect. Rerun the command sudo nano /etc/netplan/01-netconf.yaml and make sure everything is correct. If no error message was displayed then we’re ready to apply these changes. Note that once we run this command the SSH session will stop working. This is expected as we have now changed the IP address to a static IP that should be different than the one it was originally assigned by the router. To apply the changes run this command:

sudo netplan apply

Close and reopen PuTTY on your PC, or Terminal on your Mac. Refer back the section “SSH Into XU4” for instructions. This time, however, we’re going to use the new static IP address to connect to the XU4 and not the original address we used before. This time when PuTTY prompts to (login as), use “admin” or whatever username you chose for the second user instead of “root”. Likewise on the Mac use “admin” and whatever static IP address you just set. If you chose to set your IP address to “192.168.1.10” then you would connect to the XU4 using ssh admin@192.168.1.10.

Updating Ubuntu

The last thing before we install PiVPN is to update Ubuntu on the XU4. This can be done simply with the following command:

sudo apt update && sudo apt -y upgrade

When updates are finished you should return to the admin@odroid:~$ prompt. The final step is to reboot the system to apply those updates. This is done with the command:

sudo reboot

Installing PiVPN

Give the XU4 a minute to reboot, then SSH back into the admin account. As stated before, because PiVPN is made for Raspbian/Raspberry Pi OS, the install script does not work perfectly on the XU4. The script should give the user a choice of either installing OpenVPN or WireGuard, but instead simply installs OpenVPN by default. With a slight tweak to the install script we can make PiVPN install WireGuard instead. You need to decide now whether you want OpenVPN or WireGuard. We’ll begin by downloading the install script with the following command:

wget https://raw.githubusercontent.com/pivpn/pivpn/master/auto_install/install.sh

Next we need to make the script executable with this command:

chmod 755 install.sh

If we want to install OpenVPN, no changes to the script are necessary. Simply run the script with this command:

sudo ./install.sh

If we want to install WireGuard instead we will need to make a small edit to the install script. To do this we need to open the install script in Nano with this command:

nano install.sh

Once open in Nano we’re going to search for a specific line of text in the script. To do this, press Control-W to start a search in Nano. Type askwhichvpn then press Enter. This should locate the line askWhichVPN in the script. Using the arrow keys on your keyboard, position the cursor at the end of askWhichVPN. Press the Enter key once to move the cursor down one line, then press the TAB key once to bring the cursor over in-line with the “a” in askWhichVPN. Type VPN=wireguard on that new line and press Control-O, followed by Enter to save the changes. Then press Control-X to quit Nano. Now we can run the script to install WireGuard with the command:

sudo ./install.sh

Configuring OpenVPN with PiVPN

After running the install.sh script, PiVPN will begin guiding you through the process of installing and configuring OpenVPN. PiVPN will load a purple screen telling you it’s installing packages. Eventually it will open some dialog boxes. The first couple of them just contain info. Read what they say and press Enter to move to the next.

The first dialog box of importance will be the one asking you which user account to store your .ovpn config files in. These are the files that you install on your VPN clients so they can authenticate and connect to the VPN. It should default to the admin account we created earlier, so all you need to do here is press Enter.

The next dialog will be titled “Installation Mode” and will basically be asking you if you want to use default settings, or if you want to customize your VPN settings. For the purposes of this guide, we will be using the default settings. Select No and press Enter.

Next it will ask if we want to use the default port for OpenVPN, which is 1194, or change it to something else. We will be using the default port in this guide. Make note of that port number as you will need to forward that port to your XU4’s IP address in your router for the VPN to work. Unfortunately, as stated before every router is different and you will have to figure out how to do that on your own. The next window will ask us to confirm that the port number is correct. Press Enter.

The next dialog will ask you to select a DNS provider. Use the arrow keys to scroll down to Google then press the spacebar to check the box next to Google. Press Enter. You may also scroll all the way down and select Custom if you wish to manually enter your own DNS addresses.

You will then be asked if you want to connect to the server using your public IP address, or via a domain name. For this guide we will be selecting the option Use this public IP. Note that unless you have a static public IP address from you Internet provider, this address will likely change over time. You will need to rerun PiVPN to update the IP address or change it manually on each client device. The way around that would be using a public domain name, but that is beyond the scope of this guide.

The last few options you can just press Enter to select the default options. Eventually PiVPN will tell you installation is complete. Press Enter and you will be asked to reboot the device. Select Yes and press Enter again.

Give your XU4 a minute to reboot then SSH back into it using the admin account. To generate a new VPN certificate for a client simply run the command:

pivpn add

You will be asked for the password for your admin account. Enter it then you will be asked to pick a name for your new VPN client. Choose a name that will help you easily identify which device the certificate is for (i.e. MyPhone, or MyLaptop). You should use a different certificate for each device you want to connect to your VPN. Do not use the same certificate for multiple devices. When asked how many days the certificate should last just press Enter to select the default of 1080 days. You will then be asked to choose are password for the VPN client. This is a password that will need to be entered when connecting to the VPN, so whatever you choose, don’t forget it.

After that PiVPN will generate the certificates and create a .ovpn file in the /home/admin/ovpn directory of your XU4. That file will need to be copied to the VPN client device and imported into the OpenVPN client app.

Configuring WireGuard with PiVPN

Just like with OpenVPN, after running the install.sh script with the modification we made, PiVPN will begin guiding you through the process of installing and configuring WireGuard. PiVPN will load a purple screen telling you it’s installing packages. Eventually it will open some dialog boxes. The first couple of them just contain info. Read what they say and press Enter to move to the next.

The first dialog box of importance will be the one asking you which user account to store your .ovpn config files in. This is technically incorrect as WireGuard uses .conf files and not .ovpn, but that does not matter for this setup. These are the files that you install on your VPN clients so they can authenticate and connect to the VPN. It should default to the admin account we created earlier, so all you need to do here is press Enter.

Next PiVPN will say it’s installing packages. This step usually takes a couple minutes and the progress bar will hang at a few points along the way. Just wait for it to finish. Next you will be asked if you want to use the default WireGuard port of 51820, or choose another. For this guide we will be using the default, so press Enter. You will then be asked to confirm the port number is correct. Select Yes then press Enter. Make note of that port number as you will need to forward that port to your XU4’s IP address in your router for the VPN to work. Unfortunately, as stated before every router is different and you will have to figure out how to do that on your own.

The next dialog will ask you to select a DNS provider. Use the arrow keys to scroll down to Google then press the spacebar to check the box next to Google. Press Enter. You may also scroll all the way down and select Custom if you wish to manually enter your own DNS addresses.

You will then be asked if you want to connect to the server using your public IP address, or via a domain name. For this guide we will be selecting the option Use this public IP. Note that unless you have a static public IP address from you Internet provider, this address will likely change over time. You will need to rerun PiVPN to update the IP address or change it manually on each client device. The way around that would be using a public domain name, but that is beyond the scope of this guide.

The last few options you can just press Enter to select the default options. Eventually PiVPN will tell you installation is complete. Press Enter and you will be asked to reboot the device. Select Yes and press Enter again.

Give your XU4 a minute to reboot then SSH back into it using the admin account. To generate a new VPN certificate for a client simply run the command:

pivpn add

You will be asked for the password for your admin account. Enter it, then you will be asked to pick a name for your new VPN client. Choose a name that will help you easily identify which device the certificate is for (i.e. MyPhone, or MyLaptop). You should use a different certificate for each device you want to connect to your VPN. Do not use the same certificate for multiple devices.

After that PiVPN will generate the certificates and create a .conf file in the /home/admin/configs directory of your XU4. That file will need to be copied to the VPN client device and imported into the WireGuard client app.

Adding Certificates to Client Devices

The final step is to copy either the .ovpn or .conf files to your client devices so they can be imported into their respective apps. There are a couple of ways we can do this. For example, if you chose to use WireGuard and want to add a certificate to your phone you can run the command

pivpn -qr

This will let you generate a QR code that can be scanned with the WireGuard app on your phone to quickly add the certificate. However, this only works for phones and only for WireGuard, not OpenVPN. For this guide we will instead be using a USB flash drive formatted FAT32. This typically means a flash drive 32GB or smaller. Connect your flash drive to one of the USB ports on the XU4 then run this command

sudo fdisk -l | grep sd

If you have no other storage devices connected to your XU4 this should return results for /dev/sda1 and should say it’s roughly the same size as your flash drive. It should also say at the very end FAT32. With that information we know that your flash drive is /dev/sda1 (remember this) and that it is formatted FAT32 as is necessary for this step. The first thing we need to do is create a folder to mount the USB drive to. We will do that with this command:

sudo mkdir /mnt/USB

Next mount the USB flash drive to the newly created USB folder with the command:

sudo mount /dev/sda1 /mnt/USB -o umask=000

Once mounted you can navigate to the admin home folder where the ovpn/conf files are stored with the command:

cd /home/admin

List the contents of this folder using the command

ls

If you’re using OpenVPN there should be an ovpns folder. If you’re using WireGuard there should be a configs folder. We will copy these folders with either of the following commands

OpenVPN only:

cp -R /home/admin/ovpns /mnt/USB

WireGuard only:

cp -R /home/admin/configs /mnt/USB

Remember to use the first command only if you’re using OpenVPN and the second command only if you’re using WireGuard. The very last step is to unmount the USB flash drive to you can unplug it and transfer the configuration files to their respective devices. To do that use the command:

sudo umount /mnt/USB

Note that sometimes you may get the message that the device is busy and can’t be unmounted. If this happens the safest thing to do is reboot the XU4. After it reboots the USB drive will no longer be mounted and can be safely removed.

sudo reboot

Conclusion

If you've followed this guide, you should now have a working VPN server on your network, and you should be able to connect to it from your own devices outside of your network in a secure manner.

This setup should consume less than 100MB of RAM (~0.1GB) and should be relatively performant, allowing numerous devices to be connected at the same time.

If you have a dynamic IP address from your Internet Service Provider, you can use a service such as duckdns.org which you can install on your SBC along with PiVPN to assign a public domain name to your dynamic IP address. This should override the need to reset your client files when your dynamic IP address changes.

Previous article New Shelly Kits

Leave a comment

Comments must be approved before appearing

* Required fields

x