# CyberGhost OpenVPN on headless Linux

This reference captures a working pattern for CyberGhost VPN on Ubuntu/Linux without a GUI client.

## What CyberGhost provides

CyberGhost's Linux download page provides OpenVPN configuration files (the site also lists WireGuard as a Linux option). A downloaded Linux OpenVPN bundle typically contains:
- `ca.crt`
- `client.crt`
- `client.key`
- `openvpn.ovpn`

The `.ovpn` file may reference the certs as local files or embed them inline. It often includes:
- `proto udp` or `proto tcp`
- `remote <host> 443`
- `auth-user-pass`
- `redirect-gateway def1`
- `remote-cert-tls server`

## Recommended import paths

1. NetworkManager import for a persistent desktop/network profile:
   - `nmcli connection import type openvpn file <profile.ovpn>`
   - then adjust `connection.id`, `connection.autoconnect`, and any secrets policy as needed.

2. Raw OpenVPN for direct command-line connection:
   - `sudo openvpn --config <profile.ovpn>`
   - if the profile uses `auth-user-pass`, supply a temporary auth file (`--auth-user-pass <file>`) or have a wrapper feed the credentials on stdin.

## Headless-safe credentials flow

For a machine without the CyberGhost GUI, use a small local wrapper that:
- prompts for username/password with `zenity` when a display is available,
- encrypts the credentials locally with `gpg --symmetric --cipher-algo AES256`,
- stores the encrypted blob under `~/.config/<app>/credentials.gpg` with mode `600`,
- decrypts to a temp file or in-memory stream only for the duration of the VPN launch,
- removes temp auth files on exit with a trap.

This keeps the credentials local to the machine and avoids leaving them in plaintext on disk.

## Verification checklist

- imported profile exists in NetworkManager or the intended config directory
- cert/key pair matches: the public key extracted from `client.crt` (`openssl x509 -pubkey`) equals the one derived from `client.key` (`openssl pkey -pubout`)
- encrypted vault file is present and decrypts with the local passphrase
- connection command is able to consume the profile without editing the original bundle
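The wrapper described under "Headless-safe credentials flow" and the cert/key check from the checklist, as one added example script. This is not CyberGhost's or OpenVPN's own code; it assumes `gpg`, `openvpn` and `openssl` are on `PATH`, and uses `~/.config/cg-vpn/credentials.gpg` as the vault, where `cg-vpn` stands in for the `<app>` placeholder above. The credentials are decrypted only inside `connect`, written to a `0600` temp file, and removed by a trap however `openvpn` exits.

```shell
#!/bin/sh
# Added example, not CyberGhost's or OpenVPN's own code. Assumptions: gpg,
# openvpn and openssl are on PATH; the vault lives at
# ~/.config/cg-vpn/credentials.gpg ("cg-vpn" stands in for the <app> placeholder).
set -eu

VAULT_DIR="${VAULT_DIR:-$HOME/.config/cg-vpn}"
VAULT_FILE="$VAULT_DIR/credentials.gpg"

# Exit 0 when the profile has a bare `auth-user-pass` (no file argument), i.e.
# the wrapper must supply credentials; exit 1 otherwise.
profile_needs_auth() {
    awk '$1 == "auth-user-pass" { found = (NF == 1) } END { exit !found }' "$1"
}

# Print the transport declared by the first `proto` line (udp or tcp).
profile_proto() {
    awk '$1 == "proto" { print $2; exit }' "$1"
}

# Octal permission bits of a file; works with GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write "username\npassword" to a fresh 0600 temp file and print its path.
write_auth_file() {
    f=$(mktemp)
    chmod 600 "$f"
    printf '%s\n%s\n' "$1" "$2" > "$f"
    printf '%s\n' "$f"
}

# Checklist step: does client.crt ($1) carry the public key of client.key ($2)?
keypair_matches() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$crt_pub" = "$key_pub" ]
}

# Encrypt "username\npassword" symmetrically (AES256) into the 0600 vault file.
# gpg asks for the vault passphrase through its pinentry, never on the command line.
vault_store() {
    mkdir -p "$VAULT_DIR"
    chmod 700 "$VAULT_DIR"
    printf '%s\n%s\n' "$1" "$2" |
        gpg --yes --symmetric --cipher-algo AES256 -o "$VAULT_FILE"
    chmod 600 "$VAULT_FILE"
}

# Decrypt the vault to stdout (two lines: username, password).
vault_open() {
    gpg --quiet --decrypt "$VAULT_FILE"
}

# Decrypt only for the launch, hand openvpn a temp auth file, and delete that
# file however openvpn exits (normal return, Ctrl-C, or SIGTERM).
connect() {
    profile="$1"
    creds=$(vault_open)
    user=$(printf '%s\n' "$creds" | sed -n 1p)
    pass=$(printf '%s\n' "$creds" | sed -n 2p)
    auth=$(write_auth_file "$user" "$pass")
    trap 'rm -f "$auth"' EXIT INT TERM
    if profile_needs_auth "$profile"; then
        # A later --auth-user-pass overrides the bare one inside the profile,
        # so the original bundle stays unedited.
        sudo openvpn --config "$profile" --auth-user-pass "$auth"
    else
        sudo openvpn --config "$profile"
    fi
}

# Usage: vpn.sh store <user> <pass> | vpn.sh connect <profile.ovpn>
#        vpn.sh check <client.crt> <client.key>
case "${1:-}" in
    store)   vault_store "$2" "$3" ;;
    connect) connect "$2" ;;
    check)   keypair_matches "$2" "$3" && echo "cert/key match" ;;
esac
```

`profile_needs_auth` distinguishes a bare `auth-user-pass` (credentials must come from the wrapper) from `auth-user-pass <file>` (the profile already names a file), and `profile_proto` lets the launcher log whether the profile is on UDP or TCP before it dials.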

## Pitfalls

- Prefer the current `Open VPN` profile over the legacy `<= 2.3` variants unless the local OpenVPN client really is that old.
- Use TCP only when UDP is blocked or unstable.
- Keep `auth-user-pass` handling out of the permanent profile; pass credentials via a temp file or launcher wrapper.
- Do not store VPN passwords in plaintext shell history, config files, or world-readable desktop launchers.
