Arch Linux User Repository

The problems connecting to openvpn are unrelated to the kernel version. They occur if one uses the updated default /etc/sudoers content.

There has been an update recently: https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/commit/4791df5c3deb6355e6a1fe0b40a13ef27ad060b0

that changes

# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

to

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Activating the secure_path setting will prevent cyberghostvpn from running the /usr/local/cyberghost/openvpn wrapper. This means the original /usr/bin/openvpn wrapper gets called with the unsupported --ncp-disable parameter again - and fails.

To make cyberghostvpn work again with openvpn

a) either comment out the Defaults secure_path=... line in /etc/sudoers again

b) or add /usr/local/cyberghost to the beginning of that line

/etc/sudoers

Defaults secure_path="/usr/local/cyberghost:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

c) or downgrade openvpn to <2.6 - that makes it support the --ncp-disable command line parameter again

I got another finding about the question why openvpn could refuse to work with cyberghostvpn cli utility.

I followed the support instructions to manually estabilish an openvpn connection.

see i.e. https://support.cyberghostvpn.com/hc/en-us/articles/213811885-Router-How-to-Set-Up-OpenVPN-on-DD-WRT-Routers

If I download my personal openvpn configuration the openvpn.ovpn file contains a setting that is deprecated since openvpn 2.6: ncp-disable

$ sudo openvpn openvpn.ovpn 
Options error: Unrecognized option or missing or extra parameter(s) in openvpn.ovpn:12: ncp-disable (2.6.1)

see https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--ncp-disableStatus:RemovedinOpenVPNv2.6

If I remove the ncp-disable line from the openvpn.ovpn configuration file I am able to manually fire up openvpn and successfully connect to a cyberghost vpn server.

To get rid of the invalid path error setting the REQEUSTS_CA_BUNDLE environment variable reveals a different error for me:

$ sudo REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt cyberghostvpn --country-code US --connect
Prepare OpenVPN connection ...
Select server ... sanfrancisco-s404-i02
Connecting ... 
The "CA" certificate is missing!
Downloading configuration ... 

I checked the install.sh script supplied by with the original download from cyberghostvpn.com and found that they install everything to /usr/local/cyberghostvpn instead of /opt/cyberghostvpn.

If i change the PKGBUILD accordingly...

diff --git a/PKGBUILD b/PKGBUILD
index 42d300c..439c7d3 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@

 pkgname=cyberghostvpn
 pkgver=1.4.1
-pkgrel=2
+pkgrel=3
 pkgdesc="CyberGhost VPN"
 url="https://www.cyberghostvpn.com"
 arch=(any)
@@ -24,14 +24,14 @@ _archive="${pkgname}-fedora-32-${pkgver}"
 package() {
   cd "$_archive"

-  install -Dm 755 cyberghost/cyberghostvpn "$pkgdir/opt/cyberghost/cyberghostvpn"
-  install -Dm 755 cyberghost/update-systemd-resolved "$pkgdir/opt/cyberghost/update-systemd-resolved"
+  install -Dm 755 cyberghost/cyberghostvpn "$pkgdir/usr/local/cyberghost/cyberghostvpn"
+  install -Dm 755 cyberghost/update-systemd-resolved "$pkgdir/usr/local/cyberghost/update-systemd-resolved"

-  install -Dm 644 cyberghost/certs/openvpn/ca.crt "$pkgdir/opt/cyberghost/certs/openvpn/ca.crt"
-  install -Dm 644 cyberghost/certs/openvpn/client.crt "$pkgdir/opt/cyberghost/certs/openvpn/client.crt"
-  install -Dm 644 cyberghost/certs/openvpn/client.key "$pkgdir/opt/cyberghost/certs/openvpn/client.key"
+  install -Dm 644 cyberghost/certs/openvpn/ca.crt "$pkgdir/usr/local/cyberghost/certs/openvpn/ca.crt"
+  install -Dm 644 cyberghost/certs/openvpn/client.crt "$pkgdir/usr/local/cyberghost/certs/openvpn/client.crt"
+  install -Dm 644 cyberghost/certs/openvpn/client.key "$pkgdir/usr/local/cyberghost/certs/openvpn/client.key"

   install -dm 755 $pkgdir/usr/bin
-  ln -s /opt/cyberghost/cyberghostvpn $pkgdir/usr/bin/cyberghostvpn
-  ln -s /opt/cyberghost/update-systemd-resolved $pkgdir/usr/bin/update-systemd-resolved
+  ln -s /usr/local/cyberghost/cyberghostvpn $pkgdir/usr/bin/cyberghostvpn
+  ln -s /usr/local/cyberghost/update-systemd-resolved $pkgdir/usr/bin/update-systemd-resolved
 }

... and do a makepkg si to install cyberghostvpn I still need to set the environment variable REQUESTS_CA_BUNDLE to make all the certificate error messages disappear.

But it still fails to estabilish a connection :(

$ sudo REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt cyberghostvpn --country-code US --connect
Prepare OpenVPN connection ...
Select server ... losangeles-s404-i19
Connecting ... 
An error occured! The VPN connection failed!

Tested and same behavior than what i reported below : with the fedora image, i also have the certificate issue.

root@moon /opt/cyberghost# cyberghostvpn --country-code FR --wireguard --connect
Perform authentication ...
Traceback (most recent call last):
  File "cyberghostvpn.py", line 762, in <module>
  File "cyberghostvpn.py", line 510, in main
  File "servers/traffic.py", line 13, in __init__
  File "libs/services.py", line 21, in __init__
  File "libs/locales.py", line 24, in __init__
  File "libs/user.py", line 37, in __init__
  File "libs/auth.py", line 61, in __init__
  File "libs/auth.py", line 80, in authenticate
  File "libs/api.py", line 212, in doPost
  File "libs/api.py", line 278, in __doRequest
  File "requests/api.py", line 116, in post
  File "requests/api.py", line 60, in request
  File "requests/sessions.py", line 533, in request
  File "requests/sessions.py", line 646, in send
  File "requests/adapters.py", line 416, in send
  File "requests/adapters.py", line 227, in cert_verify
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/tls/certs/ca-bundle.crt
[119258] Failed to execute script 'cyberghostvpn' due to unhandled exception!

Or

root@moon /opt/cyberghost# cyberghostvpn --country-code DE --openvpn --connect  
Perform authentication ...
Traceback (most recent call last):
  File "cyberghostvpn.py", line 762, in <module>
  File "cyberghostvpn.py", line 510, in main
  File "servers/traffic.py", line 13, in __init__
  File "libs/services.py", line 21, in __init__
  File "libs/locales.py", line 24, in __init__
  File "libs/user.py", line 37, in __init__
  File "libs/auth.py", line 61, in __init__
  File "libs/auth.py", line 80, in authenticate
  File "libs/api.py", line 212, in doPost
  File "libs/api.py", line 278, in __doRequest
  File "requests/api.py", line 116, in post
  File "requests/api.py", line 60, in request
  File "requests/sessions.py", line 533, in request
  File "requests/sessions.py", line 646, in send
  File "requests/adapters.py", line 416, in send
  File "requests/adapters.py", line 227, in cert_verify
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/tls/certs/ca-bundle.crt
[119680] Failed to execute script 'cyberghostvpn' due to unhandled exception!

Version

cyberghostvpn 

cyberghost - 1.4.1

CKSUM

1861779412 6085064 cyberghostvpn       <-- the one from this AUR package
734640184 6085072 cyberghostvpn-fedora-1.4.1   <-- the one i extracted from the ZIP

I do have the /opt/cyberghost/certs/ folder...

root@moon /opt/cyberghost# tree
.
├── certs
│   └── openvpn
│       ├── ca.crt
│       ├── client.crt
│       └── client.key

I tried to manually copy them in /etc/pki/tls/certs but no success (not even when renaming ca.crt as ca-bundle.crt)

root@moon /opt/cyberghost# cyberghostvpn --country-code FR --wireguard --connect
Perform authentication ...
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 665, in urlopen
  File "urllib3/connectionpool.py", line 376, in _make_request
  File "urllib3/connectionpool.py", line 994, in _validate_conn
  File "urllib3/connection.py", line 386, in connect
  File "urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
  File "ssl.py", line 500, in wrap_socket
  File "ssl.py", line 1040, in _create
  File "ssl.py", line 1309, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "requests/adapters.py", line 439, in send
  File "urllib3/connectionpool.py", line 719, in urlopen
  File "urllib3/util/retry.py", line 436, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='v2-api.cyberghostvpn.com', port=443): Max retries exceeded with url: /v2/my/account/jwt?language=en (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "cyberghostvpn.py", line 762, in <module>
  File "cyberghostvpn.py", line 510, in main
  File "servers/traffic.py", line 13, in __init__
  File "libs/services.py", line 21, in __init__
  File "libs/locales.py", line 24, in __init__
  File "libs/user.py", line 37, in __init__
  File "libs/auth.py", line 61, in __init__
  File "libs/auth.py", line 80, in authenticate
  File "libs/api.py", line 212, in doPost
  File "libs/api.py", line 278, in __doRequest
  File "requests/api.py", line 116, in post
  File "requests/api.py", line 60, in request
  File "requests/sessions.py", line 533, in request
  File "requests/sessions.py", line 646, in send
  File "requests/adapters.py", line 514, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='v2-api.cyberghostvpn.com', port=443): Max retries exceeded with url: /v2/my/account/jwt?language=en (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)')))
[119879] Failed to execute script 'cyberghostvpn' due to unhandled exception!

(and exact same stacktrace also here with --openvpn)

@SR-G I changed the source to the Fedora 32 one, which correctly reports version 1.4.1. Would you mind testing again? Both with --openvpn and --wireguard would be great.

Mhh i don't know, when i launch the ubuntu 18 or 20.04 (1.4.1 per the package), i have a reported 1.4.1 version (same with fedora) :

root@moon /opt/cyberghost# ./cyberghostvpn-ubuntu1804-1.4.1 
cyberghost - 1.4.1

root@moon /opt/cyberghost# ./cyberghostvpn-fedora-1.4.1 
cyberghost - 1.4.1

And when using the ubuntu1604 one, then it reports as 1.3.4 (this is why my mistake has been - there is probably no 1.4.1 for ubuntu1604), but at least that one is fully working on my system...

root@moon /opt/cyberghost# ./cyberghostvpn-ubuntu1604-1.4.1 # <-- i mistakenly renamed the binary as 1.4.1 here
cyberghost - 1.3.4

Proof of concept :

root@moon /opt/cyberghost# ./cyberghostvpn-ubuntu1604-1.4.1 --country-code DE --wireguard --connect 
Prepare Wireguard connection ...
Select server ... berlin-s458-i22
Connecting ... 
VPN connection established.

I think they have messed something up with the versioning, as all artifacts are named with version 1.4.1, but they report 1.3.5.

If someone could contact their support and mention this that would be very much appreciated.

Yes, regarding URLs, i've been able to retrieve these ones BUT it seems i made a mistake about the versionning - the ubuntu 16.04 binary (the one working on my system - by the way, an up-to-date archlinux) is still 1.3.4 and not 1.4.1 :

• https://download.cyberghostvpn.com/linux/cyberghostvpn-ubuntu-16.04-1.3.4.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-ubuntu-18.04-1.4.1.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-ubuntu-20.04-1.3.4.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-ubuntu-20.04-1.4.1.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-fedora-32-1.4.1.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-mint-20-1.3.3.zip
• https://download.cyberghostvpn.com/linux/cyberghostvpn-centos-7-1.4.1.zip

So for people having the same issue, as a temporary behavior (probably not going to be working in the long run), that 1.3.4 "ubuntu 16.04" flavor should be working in the meanwhile.

But

@SR-G Could you get me the URLs for those downloads?

Copy the links from the browser and run this on them:

curl -Ls -o /dev/null -w '%{url_effective}\n' "$LINK_HERE"

I'm also unable to have cyberghostvpn working on archlinux with this AUR package (but it seems there is a temporary workaround, see at the end) :

• same error than others with "openvpn" : "Connecting ... An error occured! The VPN connection failed!"
• nothing happening (no error, but also no connections" with "--wireguard" : the command ends immediately but when checking with "cyberghostvpn --status", i have the "No VPN connections found" message

I'm surprised by the version reported by that AUR package : when i install the package, it tells it is 1.4.1, but when i launch the cyberghostvpn binary (without any paramters), it reports as ... still being 1.3.5

Also, I tested several other binaries (downloaded manually from the official site) :

• same behavior with the latest Ubuntu(20.04 AND 18.04) distribution BUT the reported version is correct
• with the fedora latest binary, i also have the issue about the CA root, as reported by @shuggy999
• however, it seems to be working with the 1.4.1 binary for ubuntu 16.04 !

Content of my /opt/cyberghostvpn/ folder :

total 48M
lrwxrwxrwx 1 root root   30 2023-03-12 23:50 cyberghostvpn -> cyberghostvpn-ubuntu1604-1.4.1
-rwxr-xr-x 1 root root   6.7M 2023-03-03 23:37 cyberghostvpn-aur-1.3.5
-rwxr-xr-x 1 root root   8.1M 2023-03-10 12:46 cyberghostvpn-centos-1.4.1
-rwxr-xr-x 1 root root   5.9M 2023-03-12 23:36 cyberghostvpn-fedora-1.4.1
-rwxr-xr-x 1 root root   8.0M 2020-07-27 05:29 cyberghostvpn-mint-1.4.1
-rwx--x--x 1 root root   5.7M 2020-09-11 08:50 cyberghostvpn-ubuntu1604-1.4.1
-rwxr-xr-x 1 root root   7.1M 2023-03-10 11:13 cyberghostvpn-ubuntu1804-1.4.1
-rwxr-xr-x 1 root root   6.7M 2023-03-10 11:15 cyberghostvpn-ubuntu2004-1.4.1
-rwxr-xr-x 1 root root   1.8K 2023-03-03 23:37 update-systemd-resolved

CKSUMs :

1675420200 5934944 cyberghostvpn
3486801012 6976128 cyberghostvpn-aur-1.3.5
2919433521 8452432 cyberghostvpn-centos-1.4.1
734640184 6085072 cyberghostvpn-fedora-1.4.1
3348458643 8289696 cyberghostvpn-mint-1.4.1
1675420200 5934944 cyberghostvpn-ubuntu1604-1.4.1
1145629769 7350408 cyberghostvpn-ubuntu1804-1.4.1
329145804 6976128 cyberghostvpn-ubuntu2004-1.4.1

I found that for the mean time you can use the --wireguard argument that will use wireguard rather than openvpn and it seems to work well