Arch Linux User Repository

The problems connecting to openvpn are unrelated to the kernel version. They occur if one uses the updated default /etc/sudoers content.

There has been an update recently: https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/commit/4791df5c3deb6355e6a1fe0b40a13ef27ad060b0

that changes

# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

to

Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Activating the secure_path setting will prevent cyberghostvpn from running the /usr/local/cyberghost/openvpn wrapper. This means the original /usr/bin/openvpn wrapper gets called with the unsupported --ncp-disable parameter again - and fails.

To make cyberghostvpn work again with openvpn

a) either comment out the Defaults secure_path=... line in /etc/sudoers again

b) or add /usr/local/cyberghost to the beginning of that line

/etc/sudoers

Defaults secure_path="/usr/local/cyberghost:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

c) or downgrade openvpn to <2.6 - that makes it support the --ncp-disable command line parameter again

Their ssl certificate expired on 2023 07 06 - nothing I could do about it.

Since a few weeks, i'm back on my side in the previous situation - CYBERGHOSTVPN on my up-to-date arch system :

• does not work anymore through WIREGUARD (it is silently failing)
• is however still working through OPENVPN

(i've reinstalled it, but no difference - anyway everything seems to be there, the shell wrapper, the certificates, ...)

Any ideas what may be the issue ? Could it be some issues with the certificates ? How to "re-export" them from some CYBERGHOSTVPN servers (as it seems this is what has been done at some point) ?

For some reason the generated /etc/wireguard/cyberghost.conf contains a different DNS server than what is used for openvpn connections. Currently that DNS server 10.101.0.243 does not respond to any queries on my side.

After estabilishing a wireguard connection manually switching back to the DNS server 10.0.0.243 that also works with openvpn connections

$ resolvectl dns cyberghost 10.0.0.243

helps to make it work even with a wireguard connection.

Ok, just saw the message you've written just before mine ;) So yes, it's working, good job / good investigations on your isde about having found that issue (indeed, seems quite cyberghostvpn related + it has been a change on their side compared to ubuntu 16 version)

Well, i have the feeling that with the latest .6 package, the wireguard connection is now working

root@moon ~# cyberghostvpn --country-code FR --wireguard --connect
Prepare Wireguard connection ...
Select server ... marseille-s407-i10
Connecting ... 
VPN connection established.
root@moon ~# cyberghostvpn --status                               
Wireguard connection found.

Was the folder change (that it seems you have applied in the wrapper script) enough to correct the issue (regarding the ../certs/ location of the certificates) ? Good catch, then.

I did some analyzing. The problem is that cyberghostvpn estabilishes an https connection with verification of the correct ssl certificate. The certificate to check against is expected to be located at a relative path '../certs/wireguard/ca.crt'. But the package does not contain any ca.crt file for wireguard - only for openvpn.

This is why wireguard connections also fail under ubuntu.

As a workaround the ssl certificate can be extracted from one of cyberghosts vpn servers and be placed in a location where the cyberghostvpn binary expects it to find '../certs/wireguard/ca.crt'.

Both - the fact that the binary is using a relative path to look for the ca.crt and the fact that the certificate is missing in the current downloads of the cyberghostvpn - indicates that this is an issue that should be fixed on the side of cyberghostvpn.

Until then the aur package tries to create the missing ca.crt file on its own. Could you please test if a wireguard connection is now possible for you?

Well, it was working with latest cyberghostvpn at some point in time (some weeks/months ago), so the problem seems clearly related to the other libraries at OS level under archlinux (not compatible anymore in some way with the cyberghost binaries). + the fact that Cyberghost does not officially support Arch Linux + the fact that they are not very active regarding their linux releases + the fact that their software is probably not 100% robust (that kind of issues should generate a clear error message (with some directions about the issue) and not a silent failing)

Otherwise i'm indeed willing to use wireguard and not openvpn (wireguard is way faster and is one of the reason i went for Cyberghost in the first place).

I get the same behaviour when trying to connect under Ubuntu 20.04 with wireguard. May be this is not a packaging issue but rather a bug? Have you tried to open a ticket to address the wireguard issue at the cyberghostvpn support?

If you don't depend on using wireguard you could try to omit the --wireguard start parameter so that openvpn is used instead. This should work.

Well, thanks for the repackaging, but in my case, that latest version is still not working :

11:10 root@moon ~# cyberghostvpn --country-code FR --wireguard --connect
Perform authentication ...
Prepare Wireguard connection ...
Select server ... paris-s421-i14
Connecting ... 
11:10 root@moon ~# cyberghostvpn --status                               
No VPN connections found.

I still have to use the "ubuntu1604" 1.4.1 version, which seems to be the only one working on my (up-to-date) archlinux system.

Cyberghostvpn updated the zip at the download location - the hash value is now updated in AUR accordingly