qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
8.03k stars 371 forks

new Provider: CyberGhost openVPN files #104

Closed FunDeckHermit closed 4 years ago

FunDeckHermit commented 4 years ago
  1. What's the feature? CyberGhost is one of the only European VPN providers. As a European I would rather get a VPN from Romania than one from Hong Kong or the USA.

  2. Why do you need this feature? I'm using CyberGhost.

  3. Extra information?

github-actions[bot] commented 4 years ago

Thanks for creating your first issue :+1: Feel free to use Slack if you just need some quick help or want to chat

qdm12 commented 4 years ago

Hello, I just added support for surfshark, so maybe it's time to support yours as well 😉

I downloaded the file you sent, careful there is a client.key file with a private key in there, that may be kept 'private'. It should be fine as you didn't put your username+password but still.

Is there a way to download all openvpn files somewhere? Because for example for the british proxy, the address is 87-1-pk.cg-dialup.net which is not really trivial to deduce 😢

I would probably need all their openvpn files for every location, ideally. There may be a way to automate the download of all files if you can find out the url pattern for each zip file; I can probably write you a script/program you can run to download them all.

Thanks!

FunDeckHermit commented 4 years ago

Hi @qdm12,

The VPN configuration is just a throwaway, each password/key is unique for every config. If I remove the device from my dashboard I can just create a new one.

This is what the dashboard looks like:

image

Selecting a member in the servergroup dropdown triggers a request to https://my.cyberghostvpn.com/api/devices/get-server-countries with this response: link. This is used to fill the Country dropdown.

It looks like CyberGhost has an API I can use.

qdm12 commented 4 years ago

Nice! The API looks good, there is a section Fetching available locations which should fit what we want. I'll dig into the doc and write a program, ideally that we could re-use in the future to regenerate constant values for this container from their api directly :wink:

FunDeckHermit commented 4 years ago

I hope the device username/password is enough to query the API. Otherwise users will need to enter their main user account username/password.

qdm12 commented 4 years ago

Oh I just meant a binary tool program, for example there are these for now:

So that we can regenerate values to hardcode in the container (most likely just region - ips mapping). Plus, the user shouldn't access anything except the vpn server ip before tunneling privacy wise :wink:

qdm12 commented 4 years ago

Sadly their API requires to pay for the vpn 😢

If you have some API credentials, can you please try the following, replacing:

docker run -it --rm alpine:3.11 wget -qO- \
    --header 'X-app-key: XYZ3ehtb43jto' \
    --header 'X-device-id: 1234567890' \
    --header 'X-device-secret: gs3hu6wr34fzjgsg34wj' \
    --header 'Content-Type: application/json' \
    'https://payment.cyberghostvpn.com/cg/servers?filter=73'

And see what it returns back?

If you can't find those API credentials (seems like a lot of headaches to me), can you maybe find what's the call made when you click on the download button after selecting a single country/server? Hopefully it's a public accessible url; otherwise if it's using a token specific to you, I can still write a program you can run locally using your token to download all the ovpn configuration files.

Also, one final question, if you create another device, and re-download the ovpn configuration file with the same settings, what are the differences? That may eventually be a deal breaker

FunDeckHermit commented 4 years ago

The helpdesk is pretty responsive when it comes to feature requests. I'll link in this Github issue and ask if they can have a developer look at this.

What part of the API would need to be public for this to work?

I'll also ask if they could make a device API generator on the main dashboard.

We are trying to integrate CyberGhost support into a specific docker container using the API. https://github.com/qdm12/private-internet-access-docker

The typical flow of the API is working a bit against us. We want to query a country/server without having a device created. It would be awesome if you made this query public.

Secondly it is very hard to retrieve the API key. As a feature request I would like to suggest integrating it into the main Dashboard: an API generator.

If you have Github and want to help us, here is the specific issue: https://github.com/qdm12/private-internet-access-docker/issues/104

FunDeckHermit commented 4 years ago

> can you maybe find what's the call made when you click on the download button after selecting a single country/server? Hopefully it's a public accessible url; otherwise if it's using a token specific to you, I can still write a program you can run locally using your token to download all the ovpn configuration files.

I have captured the network response in Chrome. I'm not sure what I'm looking for. Can I send it to you?

qdm12 commented 4 years ago

Nice, thanks for pushing this forward!

Did you see if anything changes in a config for the same region but different device?

I need all the openvpn configuration files for each region that I can parse and integrate in the program. I think the servers listing API call would fit that. Ideally they would just have that public as there shouldn't be anything private in those configurations I think. For surfshark, pia, windscribe and mullvad it always was a publicly accessible zip file with all their configurations in there.

For the network response in Chrome, I don't want to steal your cookies / credentials for eventually other websites as well! Maybe record it in incognito mode (no other cookies etc), send it (quentin.mcgaw@gmail.com) and then change your password on Cyberghost :wink:

FunDeckHermit commented 4 years ago

Hello Quentin,

I have sent you the trace files over gmail. Here are some config files:

image

The remote addresses seem to follow a pattern: group category - server index - country code.cg-dialup.net

The ca.crt and client.crt seem to remain the same over multiple instances. Only the config changes slightly as mentioned above and the client.key changes as a whole.

qdm12 commented 4 years ago

Ah good to know! Questions!!

What I'm thinking of is to:

I also am thinking of allowing the user to plug in any openvpn configuration file, I think that would be possible with a few restrictions (i.e. no hostnames, only IP addresses; put ca certificate inlined in ovpn config etc.). It would be a bit less easy to use the container, but would allow to quickly test out an openvpn config.
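
The restrictions proposed in the comment above (IP addresses only for `remote`, CA certificate inlined) can be checked before a user-supplied file is handed to OpenVPN. This is an added example, not code from the thread or from gluetun; `checkOVPN` and both sample configurations are constructed for illustration, and a `ca` directive pointing at a file is reported only as a missing inline `<ca>` block.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Constructed samples: IP remote with inline CA; hostname remote with CA file.
const (
	goodConfig = "client\ndev tun\nremote 203.0.113.10 443 udp\n<ca>\n(placeholder PEM)\n</ca>\n"
	badConfig  = "client\ndev tun\nremote 87-1-ro.cg-dialup.net 443 udp\nca ca.crt\n"
)

// checkOVPN lists why a config breaks the "IP-only remote, inline CA" rules.
func checkOVPN(config string) []string {
	var problems []string
	hasRemote, hasInlineCA := false, false
	inBlock := "" // name of the inline <tag> block currently being skipped
	scanner := bufio.NewScanner(strings.NewReader(config))
	for n := 1; scanner.Scan(); n++ {
		line := strings.TrimSpace(scanner.Text())
		if inBlock != "" { // PEM data inside <ca>...</ca> etc., not directives
			if line == "</"+inBlock+">" {
				inBlock = ""
			}
			continue
		}
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue // blank line or comment
		}
		if strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">") {
			inBlock = strings.Trim(line, "<>")
			hasInlineCA = hasInlineCA || inBlock == "ca"
			continue
		}
		if fields := strings.Fields(line); fields[0] == "remote" {
			hasRemote = true
			if len(fields) < 2 || net.ParseIP(fields[1]) == nil {
				problems = append(problems, fmt.Sprintf("line %d: remote is not an IP address", n))
			}
		}
	}
	if inBlock != "" {
		problems = append(problems, "unterminated <"+inBlock+"> block")
	}
	if !hasRemote {
		problems = append(problems, "no remote directive")
	}
	if !hasInlineCA {
		problems = append(problems, "CA certificate is not inlined in a <ca> block")
	}
	return problems
}

func main() {
	fmt.Println(checkOVPN(goodConfig), checkOVPN(badConfig))
}
```

Rejecting hostnames here means nothing has to be resolved over DNS before the tunnel is up, which matches the earlier point that only the VPN server IP should be contacted before tunneling.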

FunDeckHermit commented 4 years ago

From the above screenshot: top to bottom:

There seems to be no index in the remote server name, that was an error. They might be a category, the 8 means a no-spy server.

image

FunDeckHermit commented 4 years ago

TCP is also on 433. Below is a screenshot of a TCP Mongolian vpn:

image

The client.key seems to change always when a new device is made. Two keys with the same server-group and same country are different. Changing the configuration after it's made is not possible.

> I also am thinking of allowing the user to plug in any openvpn configuration file, I think that would be possible with a few restrictions (i.e. no hostnames, only IP addresses; put ca certificate inlined in ovpn config etc.). It would be a bit less easy to use the container, but would allow to quickly test out an openvpn config.

This is what I did with the dperson/openvpn-client container. I had to manually change the config file with hardcoded paths:

image

qdm12 commented 4 years ago

Thanks! One last question, you can only choose a country, or can you choose a country + city combination (i.e us-nyc)? If so, could you send me the options containing a country+city. I'm gonna start working on that script.

qdm12 commented 4 years ago

Hello, so at least for countries, I have found the following (sorted by fqdn)

EDIT: ~There are some missing let me fix the table~ It's fixed now

| Group name | Country | FQDN |
| --- | --- | --- |
| Premium UDP Europe | Andorra | 87-1-ad.cg-dialup.net |
| Premium UDP Europe | United Arab Emirates | 87-1-ae.cg-dialup.net |
| Premium UDP Europe | Albania | 87-1-al.cg-dialup.net |
| Premium UDP Europe | Armenia | 87-1-am.cg-dialup.net |
| Premium UDP Europe | Austria | 87-1-at.cg-dialup.net |
| Premium UDP Europe | Bosnia and Herzegovina | 87-1-ba.cg-dialup.net |
| Premium UDP Europe | Belgium | 87-1-be.cg-dialup.net |
| Premium UDP Europe | Bulgaria | 87-1-bg.cg-dialup.net |
| Premium UDP Europe | Belarus | 87-1-by.cg-dialup.net |
| Premium UDP Europe | Switzerland | 87-1-ch.cg-dialup.net |
| Premium UDP Europe | Cyprus | 87-1-cy.cg-dialup.net |
| Premium UDP Europe | Czech Republic | 87-1-cz.cg-dialup.net |
| Premium UDP Europe | Germany | 87-1-de.cg-dialup.net |
| Premium UDP Europe | Denmark | 87-1-dk.cg-dialup.net |
| Premium UDP Europe | Algeria | 87-1-dz.cg-dialup.net |
| Premium UDP Europe | Estonia | 87-1-ee.cg-dialup.net |
| Premium UDP Europe | Egypt | 87-1-eg.cg-dialup.net |
| Premium UDP Europe | Spain | 87-1-es.cg-dialup.net |
| Premium UDP Europe | Finland | 87-1-fi.cg-dialup.net |
| Premium UDP Europe | France | 87-1-fr.cg-dialup.net |
| Premium UDP Europe | United Kingdom | 87-1-gb.cg-dialup.net |
| Premium UDP Europe | Georgia | 87-1-ge.cg-dialup.net |
| Premium UDP Europe | Greenland | 87-1-gl.cg-dialup.net |
| Premium UDP Europe | Greece | 87-1-gr.cg-dialup.net |
| Premium UDP Europe | Hungary | 87-1-hu.cg-dialup.net |
| Premium UDP Europe | Ireland | 87-1-ie.cg-dialup.net |
| Premium UDP Europe | Israel | 87-1-il.cg-dialup.net |
| Premium UDP Europe | Isle of Man | 87-1-im.cg-dialup.net |
| Premium UDP Europe | India | 87-1-in.cg-dialup.net |
| Premium UDP Europe | Iran, Islamic Republic of | 87-1-ir.cg-dialup.net |
| Premium UDP Europe | Iceland | 87-1-is.cg-dialup.net |
| Premium UDP Europe | Italy | 87-1-it.cg-dialup.net |
| Premium UDP Europe | Kazakhstan | 87-1-kz.cg-dialup.net |
| Premium UDP Europe | Liechtenstein | 87-1-li.cg-dialup.net |
| Premium UDP Europe | Sri Lanka | 87-1-lk.cg-dialup.net |
| Premium UDP Europe | Lithuania | 87-1-lt.cg-dialup.net |
| Premium UDP Europe | Luxembourg | 87-1-lu.cg-dialup.net |
| Premium UDP Europe | Latvia | 87-1-lv.cg-dialup.net |
| Premium UDP Europe | Morocco | 87-1-ma.cg-dialup.net |
| Premium UDP Europe | Monaco | 87-1-mc.cg-dialup.net |
| Premium UDP Europe | Moldova, Republic of | 87-1-md.cg-dialup.net |
| Premium UDP Europe | Montenegro | 87-1-me.cg-dialup.net |
| Premium UDP Europe | Macedonia, the Former Yugoslav Republic of | 87-1-mk.cg-dialup.net |
| Premium UDP Europe | Malta | 87-1-mt.cg-dialup.net |
| Premium UDP Europe | Nigeria | 87-1-ng.cg-dialup.net |
| Premium UDP Europe | Netherlands | 87-1-nl.cg-dialup.net |
| Premium UDP Europe | Norway | 87-1-no.cg-dialup.net |
| Premium UDP Europe | Panama | 87-1-pa.cg-dialup.net |
| Premium UDP Europe | Pakistan | 87-1-pk.cg-dialup.net |
| Premium UDP Europe | Poland | 87-1-pl.cg-dialup.net |
| Premium UDP Europe | Portugal | 87-1-pt.cg-dialup.net |
| Premium UDP Europe | Qatar | 87-1-qa.cg-dialup.net |
| Premium UDP Europe | Romania | 87-1-ro.cg-dialup.net |
| Premium UDP Europe | Serbia | 87-1-rs.cg-dialup.net |
| Premium UDP Europe | Russian Federation | 87-1-ru.cg-dialup.net |
| Premium UDP Europe | Saudi Arabia | 87-1-sa.cg-dialup.net |
| Premium UDP Europe | Sweden | 87-1-se.cg-dialup.net |
| Premium UDP Europe | Slovenia | 87-1-si.cg-dialup.net |
| Premium UDP Europe | Slovakia | 87-1-sk.cg-dialup.net |
| Premium UDP Europe | Turkey | 87-1-tr.cg-dialup.net |
| Premium UDP Europe | Ukraine | 87-1-ua.cg-dialup.net |
| Premium UDP Europe | Venezuela, Bolivarian Republic of | 87-1-ve.cg-dialup.net |
| Premium UDP Europe | South Africa | 87-1-za.cg-dialup.net |
| NoSpy UDP Europe | Romania | 87-8-ro.cg-dialup.net |
| Premium TCP USA | Argentina | 93-1-ar.cg-dialup.net |
| Premium TCP USA | Brazil | 93-1-br.cg-dialup.net |
| Premium TCP USA | Bahamas | 93-1-bs.cg-dialup.net |
| Premium TCP USA | Canada | 93-1-ca.cg-dialup.net |
| Premium TCP USA | Chile | 93-1-cl.cg-dialup.net |
| Premium TCP USA | Colombia | 93-1-co.cg-dialup.net |
| Premium TCP USA | Costa Rica | 93-1-cr.cg-dialup.net |
| Premium TCP USA | Mexico | 93-1-mx.cg-dialup.net |
| Premium TCP USA | United States | 93-1-us.cg-dialup.net |
| Premium UDP USA | Argentina | 94-1-ar.cg-dialup.net |
| Premium UDP USA | Brazil | 94-1-br.cg-dialup.net |
| Premium UDP USA | Bahamas | 94-1-bs.cg-dialup.net |
| Premium UDP USA | Canada | 94-1-ca.cg-dialup.net |
| Premium UDP USA | Chile | 94-1-cl.cg-dialup.net |
| Premium UDP USA | Colombia | 94-1-co.cg-dialup.net |
| Premium UDP USA | Costa Rica | 94-1-cr.cg-dialup.net |
| Premium UDP USA | Mexico | 94-1-mx.cg-dialup.net |
| Premium UDP USA | United States | 94-1-us.cg-dialup.net |
| Premium UDP Asia | Australia | 95-1-au.cg-dialup.net |
| Premium UDP Asia | Bangladesh | 95-1-bd.cg-dialup.net |
| Premium UDP Asia | China | 95-1-cn.cg-dialup.net |
| Premium UDP Asia | Hong Kong | 95-1-hk.cg-dialup.net |
| Premium UDP Asia | Indonesia | 95-1-id.cg-dialup.net |
| Premium UDP Asia | Japan | 95-1-jp.cg-dialup.net |
| Premium UDP Asia | Kenya | 95-1-ke.cg-dialup.net |
| Premium UDP Asia | Cambodia | 95-1-kh.cg-dialup.net |
| Premium UDP Asia | Korea, Republic of | 95-1-kr.cg-dialup.net |
| Premium UDP Asia | Mongolia | 95-1-mn.cg-dialup.net |
| Premium UDP Asia | Macao | 95-1-mo.cg-dialup.net |
| Premium UDP Asia | Malaysia | 95-1-my.cg-dialup.net |
| Premium UDP Asia | New Zealand | 95-1-nz.cg-dialup.net |
| Premium UDP Asia | Philippines | 95-1-ph.cg-dialup.net |
| Premium UDP Asia | Singapore | 95-1-sg.cg-dialup.net |
| Premium UDP Asia | Thailand | 95-1-th.cg-dialup.net |
| Premium UDP Asia | Taiwan, Province of China | 95-1-tw.cg-dialup.net |
| Premium UDP Asia | Viet Nam | 95-1-vn.cg-dialup.net |
| Premium UDP Asia | South Africa | 95-1-za.cg-dialup.net |
| Premium TCP Asia | Australia | 96-1-au.cg-dialup.net |
| Premium TCP Asia | Bangladesh | 96-1-bd.cg-dialup.net |
| Premium TCP Asia | China | 96-1-cn.cg-dialup.net |
| Premium TCP Asia | Hong Kong | 96-1-hk.cg-dialup.net |
| Premium TCP Asia | Indonesia | 96-1-id.cg-dialup.net |
| Premium TCP Asia | Japan | 96-1-jp.cg-dialup.net |
| Premium TCP Asia | Kenya | 96-1-ke.cg-dialup.net |
| Premium TCP Asia | Cambodia | 96-1-kh.cg-dialup.net |
| Premium TCP Asia | Korea, Republic of | 96-1-kr.cg-dialup.net |
| Premium TCP Asia | Mongolia | 96-1-mn.cg-dialup.net |
| Premium TCP Asia | Macao | 96-1-mo.cg-dialup.net |
| Premium TCP Asia | Malaysia | 96-1-my.cg-dialup.net |
| Premium TCP Asia | New Zealand | 96-1-nz.cg-dialup.net |
| Premium TCP Asia | Philippines | 96-1-ph.cg-dialup.net |
| Premium TCP Asia | Singapore | 96-1-sg.cg-dialup.net |
| Premium TCP Asia | Thailand | 96-1-th.cg-dialup.net |
| Premium TCP Asia | Taiwan, Province of China | 96-1-tw.cg-dialup.net |
| Premium TCP Asia | Viet Nam | 96-1-vn.cg-dialup.net |
| Premium TCP Asia | South Africa | 96-1-za.cg-dialup.net |
| Premium TCP Europe | Andorra | 97-1-ad.cg-dialup.net |
| Premium TCP Europe | United Arab Emirates | 97-1-ae.cg-dialup.net |
| Premium TCP Europe | Albania | 97-1-al.cg-dialup.net |
| Premium TCP Europe | Armenia | 97-1-am.cg-dialup.net |
| Premium TCP Europe | Austria | 97-1-at.cg-dialup.net |
| Premium TCP Europe | Bosnia and Herzegovina | 97-1-ba.cg-dialup.net |
| Premium TCP Europe | Belgium | 97-1-be.cg-dialup.net |
| Premium TCP Europe | Bulgaria | 97-1-bg.cg-dialup.net |
| Premium TCP Europe | Belarus | 97-1-by.cg-dialup.net |
| Premium TCP Europe | Switzerland | 97-1-ch.cg-dialup.net |
| Premium TCP Europe | Cyprus | 97-1-cy.cg-dialup.net |
| Premium TCP Europe | Czech Republic | 97-1-cz.cg-dialup.net |
| Premium TCP Europe | Germany | 97-1-de.cg-dialup.net |
| Premium TCP Europe | Denmark | 97-1-dk.cg-dialup.net |
| Premium TCP Europe | Algeria | 97-1-dz.cg-dialup.net |
| Premium TCP Europe | Estonia | 97-1-ee.cg-dialup.net |
| Premium TCP Europe | Egypt | 97-1-eg.cg-dialup.net |
| Premium TCP Europe | Spain | 97-1-es.cg-dialup.net |
| Premium TCP Europe | Finland | 97-1-fi.cg-dialup.net |
| Premium TCP Europe | France | 97-1-fr.cg-dialup.net |
| Premium TCP Europe | United Kingdom | 97-1-gb.cg-dialup.net |
| Premium TCP Europe | Georgia | 97-1-ge.cg-dialup.net |
| Premium TCP Europe | Greenland | 97-1-gl.cg-dialup.net |
| Premium TCP Europe | Greece | 97-1-gr.cg-dialup.net |
| Premium TCP Europe | Hungary | 97-1-hu.cg-dialup.net |
| Premium TCP Europe | Ireland | 97-1-ie.cg-dialup.net |
| Premium TCP Europe | Israel | 97-1-il.cg-dialup.net |
| Premium TCP Europe | Isle of Man | 97-1-im.cg-dialup.net |
| Premium TCP Europe | India | 97-1-in.cg-dialup.net |
| Premium TCP Europe | Iran, Islamic Republic of | 97-1-ir.cg-dialup.net |
| Premium TCP Europe | Iceland | 97-1-is.cg-dialup.net |
| Premium TCP Europe | Italy | 97-1-it.cg-dialup.net |
| Premium TCP Europe | Kazakhstan | 97-1-kz.cg-dialup.net |
| Premium TCP Europe | Liechtenstein | 97-1-li.cg-dialup.net |
| Premium TCP Europe | Sri Lanka | 97-1-lk.cg-dialup.net |
| Premium TCP Europe | Lithuania | 97-1-lt.cg-dialup.net |
| Premium TCP Europe | Luxembourg | 97-1-lu.cg-dialup.net |
| Premium TCP Europe | Latvia | 97-1-lv.cg-dialup.net |
| Premium TCP Europe | Morocco | 97-1-ma.cg-dialup.net |
| Premium TCP Europe | Monaco | 97-1-mc.cg-dialup.net |
| Premium TCP Europe | Moldova, Republic of | 97-1-md.cg-dialup.net |
| Premium TCP Europe | Montenegro | 97-1-me.cg-dialup.net |
| Premium TCP Europe | Macedonia, the Former Yugoslav Republic of | 97-1-mk.cg-dialup.net |
| Premium TCP Europe | Malta | 97-1-mt.cg-dialup.net |
| Premium TCP Europe | Nigeria | 97-1-ng.cg-dialup.net |
| Premium TCP Europe | Netherlands | 97-1-nl.cg-dialup.net |
| Premium TCP Europe | Norway | 97-1-no.cg-dialup.net |
| Premium TCP Europe | Panama | 97-1-pa.cg-dialup.net |
| Premium TCP Europe | Pakistan | 97-1-pk.cg-dialup.net |
| Premium TCP Europe | Poland | 97-1-pl.cg-dialup.net |
| Premium TCP Europe | Portugal | 97-1-pt.cg-dialup.net |
| Premium TCP Europe | Qatar | 97-1-qa.cg-dialup.net |
| Premium TCP Europe | Romania | 97-1-ro.cg-dialup.net |
| Premium TCP Europe | Serbia | 97-1-rs.cg-dialup.net |
| Premium TCP Europe | Russian Federation | 97-1-ru.cg-dialup.net |
| Premium TCP Europe | Saudi Arabia | 97-1-sa.cg-dialup.net |
| Premium TCP Europe | Sweden | 97-1-se.cg-dialup.net |
| Premium TCP Europe | Slovenia | 97-1-si.cg-dialup.net |
| Premium TCP Europe | Slovakia | 97-1-sk.cg-dialup.net |
| Premium TCP Europe | Ukraine | 97-1-ua.cg-dialup.net |
| Premium TCP Europe | Venezuela, Bolivarian Republic of | 97-1-ve.cg-dialup.net |
| Premium TCP Europe | South Africa | 97-1-za.cg-dialup.net |
| NoSpy TCP Europe | Romania | 97-8-ro.cg-dialup.net |

Can you please have a quick look and check if there is for example a big chunk of countries missing for some category? NoSpy group only has romania for example.

I'll start coding the rest around these constant values.

FunDeckHermit commented 4 years ago

Except for the openVPN <2.3 they seem to be all there. No-spy only has Romania, so that's correct.

image

FunDeckHermit commented 4 years ago

> Thanks! One last question, you can only choose a country, or can you choose a country + city combination (i.e us-nyc)? If so, could you send me the options containing a country+city. I'm gonna start working on that script.

The dropdown only shows countries*, no specific cities.

image

*Not meant to be offensive to any Chinese citizens.

qdm12 commented 4 years ago

Tadaaa 🥳 You can try with the image tag :cyberghost. Let's continue the discussion on the pull request 👍

qdm12 commented 4 years ago

Hello, no hurry, but please let me know if it works for you 😉 Again, no hurry, I'm busy with plenty of things so... no hurry 😄 Thanks!

qdm12 commented 3 years ago

Hello there, please note that the Cyberghost setup got fixed and was changed slightly from :latest and :v3.8.0, see the newer readme. Essentially you need to move both your client.key and client.crt in the /gluetun directory.