Set up GL-AR750 family for CyberGhost service

As far as I could find out, there are no ready-made Cyberghost OpenVPN configuration files for the GL-AR750 family of devices. If you are not afraid of the Linux command line, you can easily create your own openvpn.ovpn file.

CAUTION: The forum software has replaced single characters with their HTML representations; examples are the double quotes, the less than and greater than characters, the AND sign, etc. Please find/replace these instances in your computer after you have copied the text here.

Step 1: Go to www.cyberghost.com and sign up as a user. You will get a user ID and a password.

Step 2: Log in to your account with these credentials and select “My Devices”

Step 3: Select Linux as the operating system. Remember the Username and password; you will need it later. Scroll down and select the desired country from a list. Click on the “Download Configuration” button. The downloaded file CyberGhost.ovpn.zip is a ZIP archive.

Now comes the interesting part. You have to assemble a new .ovpn file for your AR-750(S) device from the contents of the ZIP archive content which is

ca.crt

client.crt

client.key

openvpn.ovpn

I suggest to name the file cyberghost-<country>.ovpn where <country> is a placeholder for the two-letter code of the server location. This way you can create several .ovpn files for several countries.

After this intermission, create an executable ‘mkclient750.sh’ script with the following content.

Step 4

#!/bin/bash
#
# File mkclient750.sh
#
# Writes an OpenVPN client configuration file for use with
# CyberGhost. It takes the ca.crt and the client key and
# certificate files from the CyberGhost .zip file.
# Note: No sanity checking of command line parameters.

WHEN=$(date "+%Y%m%d_%H%M%S")
YMD=$(date "+%Y%m%d")
echo "WHEN is $WHEN. YMD is $YMD."

# Extract files from CyberGhost .zip file
UNZIP=/usr/bin/unzip
read -p "Enter the .ZIP filename [CyberGhost.ovpn.zip]: " ZIPFILE
if [[ -z "$ZIPFILE" ]]; then
ZIPFILE="CyberGhost.ovpn.zip"
fi
echo "ZIPFILE is $ZIPFILE."
if [ ! -f "${ZIPFILE}" ]; then
echo "CyberGhost configuration ${ZIPFILE} not found."
exit 99
fi

${UNZIP} ${ZIPFILE}

echo ""
if [ $# -ne 1 ]; then
read -p "Enter a simple client name (example: client001): " CLIENT
else
CLIENT=${1}
fi
echo "You have requested to create a .ovpn file for '$CLIENT'."

if [ ! -f ca.crt ]; then
echo "[ERROR] Sorry, cannot find a CA certificate named ca.crt."
exit 88
else
echo "Found ca.crt - OK"
fi

if [ ! -f client.crt ]; then
echo "[ERROR] Sorry, cannot find a client certificate named client.crt."
exit 88
else
echo "Found client.crt - OK"
fi

if [ ! -f client.key ]; then
echo "[ERROR] Sorry, cannot find a client key named client.key."
exit 88
else
echo "Found client.key - OK"
fi

# =================== GO TO WORK ========================

# This diretory holds all credentials in one place.
CREDENTIALDIR="$YMD-$CLIENT-files"

if [ ! -d "$CREDENTIALDIR" ]; then
echo "Create a new credential directory $CREDENTIALDIR."
mkdir "$CREDENTIALDIR"
else
echo "Cleaning $CREDENTIALDIR."
rm $CREDENTIALDIR/* # start with a clean slate
fi

OUTFILE="$CREDENTIALDIR/$CLIENT.ovpn"

# Create a TIMESTAMP file in the credentials directory
NOW=$(date "+%Y-%m-%d %H:%M:%S")
#echo "[DEBUG] Created at $NOW."
TIMESTAMP="$CREDENTIALDIR/TIMESTAMP.txt"
echo "Created at $NOW." > $TIMESTAMP

# Output several lines to the .ovpn file
cat <<-EOF > "$OUTFILE"
# This is a client.ovpn file for a GL-AR750 OpenVPN client.
# Lines must end the *nix way with a 0x0A (LF) character
# The tools which generate the file ensure that.
# The content has been delivered by CyberGhost
EOF

# Write the openvpn options to $OUTFILE except for the file references
# Method 1: Drop the last 7 lines from the openvpn.ovpn file. This
# assumes that the file references ALWAYS occupy the last 7 lines.
# sed -e :a -e '$d;N;2,7ba' -e 'P;D' openvpn.ovpn >> "${OUTFILE}"

# Method 2 which drops the file references
cat openvpn.ovpn | sed 's/ca ca.crt//g' | sed 's/cert client.crt//g' | sed 's/ke
y client.key//g' >> "${OUTFILE}"

# Insert the ca certificate into the .ovpn file
echo ""
echo "<ca>" >> "$OUTFILE"
cat ca.crt >> "$OUTFILE"
echo "</ca>" >> "$OUTFILE"
echo "Copy the CA certificate to the credentials directory."
cp ca.crt "$CREDENTIALDIR/ca.crt"

# Insert the client certificate into the .ovpn file
echo "<cert>" >> "$OUTFILE"
cat client.crt >> "$OUTFILE"
echo "</cert>" >> "$OUTFILE"
echo "Copy the client certificate to the credentials directory."
cp client.crt "$CREDENTIALDIR/$CLIENT.crt"

# Insert the client key into the .ovpn file
echo "<key>" >> "$OUTFILE"
cat client.key >> "$OUTFILE"
echo "</key>" >> "$OUTFILE"
echo "Copy the client key to the credentials directory."
cp client.key "$CREDENTIALDIR/$CLIENT.key"

echo "Done. The $CLIENT.ovpn file is ..."
echo ""
echo "########## BEGIN $CLIENT.ovpn ##########"
cat "$OUTFILE"
echo "########### END $CLIENT.ovpn ###########"
echo ""
echo "All client files are in directory $CREDENTIALDIR"
echo "including the client.ovpn file $CLIENT.ovpn."
tar czf "$CREDENTIALDIR.tgz" "$CREDENTIALDIR/"
if [ -f "$CREDENTIALDIR.tgz" ]; then
cp "$CREDENTIALDIR.tgz" ..
echo "A tar file can be downloaded from ../$CREDENTIALDIR.tgz."
fi

Save the script and make it executable:

chmod 754 mkclient750.sh

Step 5:

Run the script in the directory where the downloaded ZIP file resides; you will be asked for the ZIP file name (a default value is indicated). If the indicated name equals the name of the file, hit <Enter>. Otherwise you have the option to enter the actual name and hit <Enter>.

Next you will be asked for a client file name. Example: cyberghost-DE.ovpn if the server is located in Germany.

The script will now go to work and assemble an .ovpn file for the AR750 family of devices. Example output with the binary blocks shortened:

./mkclient750.sh
WHEN is 20181230_215353. YMD is 20181230.
Enter the .ZIP filename [CyberGhost.ovpn.zip]:
ZIPFILE is CyberGhost.ovpn.zip.
Archive: CyberGhost.ovpn.zip
inflating: ca.crt
inflating: client.crt
inflating: client.key
inflating: openvpn.ovpn

Enter a simple client name (example: client001): cyberghost-DE
You have requested to create a .ovpn file for 'cyberghost-DE'.
Found ca.crt - OK
Found client.crt - OK
Found client.key - OK
Create a new credential directory 20181230-cyberghost-DE-files.

Copy the CA certificate to the credentials directory.
Copy the client certificate to the credentials directory.
Copy the client key to the credentials directory.
Done. The cyberghost-DE.ovpn file is ...

########## BEGIN cyberghost-DE.ovpn ##########
# This is a client.ovpn file for a GL-AR750 OpenVPN client.
# Lines must end the *nix way with a 0x0A (LF) character
# The tools which generate the file ensure that.
# The content has been delivered by CyberGhost
client
remote 1-de.cg-dialup.net 443
dev tun
proto udp
auth-user-pass

resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix 1300
verb 4
comp-lzo

<ca>
-----BEGIN CERTIFICATE-----
<certificate not shown here>
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

<certificate not shown here>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
<key not shown here>
-----END PRIVATE KEY-----
</key>
########### END cyberghost-DE.ovpn ###########

All client files are in directory 20181230-cyberghost-DE-files
including the client.ovpn file cyberghost-DE.ovpn.
A tar file can be downloaded from ../20181230-cyberghost-DE-files.tgz.

Step 6: Open the AR750 administration web interface to upload the cyberghost-DE.ovpn file into the AR750 device. Enter a description and the Username and Password from Step 3 which CyberGhost has assigned.

Now you should be able to connect to the CyberGhost OpenVPN server with your GL-AR750 device.

A similar script can be used to assemble .ovpn files for the AR750 family of devices from the output of (for instance) an EasyRSA certification agency which you have set up. This opens the way to operate the AR750 devices in any environment over which you have control to create key and certificate files yourself or obtain them from an outside CA. If you create a tls-auth.key file, you can also include it in the .ovpn file.

Here is a snippet of code; the application is left to the reader:

# Optional file tls-auth.key

if [ -f "$TLSFILE" ]; then

echo ""

# Insert the tls-auth key

echo "key-direction 0" >> "$OUTFILE"

echo "<tlsauth" >> "$OUTFILE"

cat $TLSFILE >> "$OUTFILE"

echo "</tlsauth>" >> "$OUTFILE"

echo "Copy the optional tls-auth key to the credentials directory"

cp "$TLSFILE" "$CREDENTIALDIR"

fi

OpenVPN servers only

The Diffie-Hellman prime in the dh1024.pem file is the same for all AR750 devices because it is copied from ROM into the file system. You can, however, create your own dh1024.pem file in your PC externally and overwrite the one in the file system. Just remember that it will be replaced with the ROM content when you reset the device. Since you can create your own DH prime externally, it does not matter how long your computer churns before it comes back with the result; this is after all a one-time process.

HAPPY NEW YEAR!

Thanks for the guide. But seems this is so complicated.

Actually the files can be in one zip separately. You just need to make sure in the ovpn, there are correct path of other files.
ca.crt
client.crt
client.key
openvpn.ovpn