gluetun: CyberGhost ClientKey Not Working
I am not sure what I am missing here; my client key keeps coming back with the error:
2020-11-11T14:46:15.338Z INFO openvpn: OpenSSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
2020-11-11T14:46:15.338Z INFO openvpn: Cannot load private key file [[INLINE]]
2020-11-11T14:46:15.338Z INFO openvpn: SIGUSR1[soft,private-key-password-failure] received, process restarting
My compose file looks like this, username and password removed.
```yml
gluetun:
  image: qmcgaw/private-internet-access
  container_name: gluetun
  cap_add:
    - NET_ADMIN
  network_mode: bridge
  ports:
    - 8888:8888/tcp # HTTP proxy
    - 8388:8388/tcp # Shadowsocks
    - 8388:8388/udp # Shadowsocks
    - 8000:8000/tcp # Built-in HTTP control server
  # command:
  volumes:
    - .\VPN:/gluetun
    - .\VPN\Key:/files:ro
    - .\VPN\Ports:/tmp/gluetun/forwarded_port
  environment:
    # More variables are available, see the readme table
    - VPNSP=Cyberghost
    # Timezone for accurate logs times
    - TZ=Americas/New_York
    # All VPN providers
    - USER=####
    # All VPN providers but Mullvad
    - PASSWORD=####
    # Cyberghost only
    - CLIENT_KEY=/files/client.key
    # All VPN providers but Mullvad
    - REGION=Canada
    - CYBERGHOST_GROUP=Premium UDP USA
    - PORT_FORWARDING=on
    - PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
  restart: always
```
Here is the entire log from Docker
2020-11-11T14:45:15.267Z INFO OpenVPN version: 2.4.9
2020-11-11T14:45:15.268Z INFO Unbound version: 1.10.1
2020-11-11T14:45:15.269Z INFO IPtables version: v1.8.4
2020-11-11T14:45:15.270Z INFO Settings summary below:
OpenVPN settings:
|--User: [redacted]
|--Password: [redacted]
|--Verbosity level: 1
|--Run as root: no
|--Cyberghost settings:
|--Network protocol: udp
|--ClientKey: [redacted]
|--Group: premium udp usa
|--Regions: canada
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone: americas/new_york
|--IP Status filepath: /tmp/gluetun/ip
DNS over TLS settings:
|--DNS over TLS provider:
|--cloudflare
|--Caching: enabled
|--Block malicious: enabled
|--Block surveillance: disabled
|--Block ads: disabled
|--Allowed hostnames:
|--
|--Private addresses:
|--127.0.0.1/8
|--10.0.0.0/8
|--172.16.0.0/12
|--192.168.0.0/16
|--169.254.0.0/16
|--::1/128
|--fc00::/7
|--fe80::/10
|--::ffff:0:0/96
|--Verbosity level: 1/5
|--Verbosity details level: 0/4
|--Validation log level: 0/2
|--IPv6 resolution: disabled
|--Update: every 24h0m0s
|--Keep nameserver (disabled blocking): no
Firewall settings:
|--VPN input ports:
|--Input ports:
|--Outbound subnets:
HTTP Proxy settings: disabled
ShadowSocks settings: disabled
HTTP Control server:
|--Listening port: 8000
|--Logging: true
Public IP check period: 12h0m0s
Version information: enabled
Updater: disabled
2020-11-11T14:45:15.298Z INFO storage: Merging by most recent 6735 hardcoded servers and 6735 servers read from /gluetun/servers.json
2020-11-11T14:45:15.322Z INFO routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-11T14:45:15.322Z INFO routing: local subnet found: 172.17.0.0/16
2020-11-11T14:45:15.323Z INFO routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-11T14:45:15.323Z INFO routing: adding route for 0.0.0.0/0
2020-11-11T14:45:15.323Z INFO firewall: firewall disabled, only updating allowed subnets internal list
2020-11-11T14:45:15.323Z INFO routing: default route found: interface eth0, gateway 172.17.0.1
2020-11-11T14:45:15.323Z INFO openvpn configurator: checking for device /dev/net/tun
2020-11-11T14:45:15.323Z WARN TUN device is not available: open /dev/net/tun: no such file or directory
2020-11-11T14:45:15.323Z INFO openvpn configurator: creating /dev/net/tun
2020-11-11T14:45:15.323Z INFO firewall: enabling...
2020-11-11T14:45:15.331Z INFO firewall: enabled successfully
2020-11-11T14:45:15.331Z INFO healthcheck: listening on 127.0.0.1:9999
2020-11-11T14:45:15.331Z INFO Launching standard output merger
2020-11-11T14:45:15.331Z INFO http server: listening on 0.0.0.0:8000
2020-11-11T14:45:15.332Z INFO dns over tls: falling back on plaintext DNS at address 1.1.1.1
2020-11-11T14:45:15.332Z INFO dns configurator: using DNS address 1.1.1.1 internally
2020-11-11T14:45:15.332Z INFO dns configurator: using DNS address 1.1.1.1 system wide
2020-11-11T14:45:15.332Z INFO firewall: setting VPN connection through firewall...
2020-11-11T14:45:15.333Z INFO openvpn configurator: starting openvpn
2020-11-11T14:45:15.334Z INFO openvpn: OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
2020-11-11T14:45:15.334Z INFO openvpn: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
2020-11-11T14:45:15.336Z INFO openvpn: OpenSSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode
2020-11-11T14:45:15.336Z INFO openvpn: Cannot load private key file [[INLINE]]
2020-11-11T14:45:15.336Z INFO openvpn: SIGUSR1[soft,private-key-password-failure] received, process restarting
Hopefully it is an easy fix and I am just being stupid but help is appreciated.
About this issue
- State: closed
- Created 4 years ago
- Comments: 37 (20 by maintainers)
Commits related to this issue
- Refers to #296 (Cyberghost) - Breaking change: reads the key from /gluetun/client.key - Improve documentation in readme - Fix client key file parsing if environment variable isn't present — committed to qdm12/gluetun by qdm12 4 years ago
- Read client.crt from /gluetun/client.crt, see #296 — committed to qdm12/gluetun by qdm12 4 years ago
- Fix #296 (Cyberghost implementation) (#297) * Reads the client key from /gluetun/client.key * Read the client certificate from /gluetun/client.crt * Additional checks for client key and client cert... — committed to qdm12/gluetun by qdm12 4 years ago
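The "bad base64 decode" error in the log above is OpenSSL rejecting inline key material that is not well-formed PEM. The following is an added example, not gluetun's own code, of a pre-flight check that classifies such input before it reaches OpenVPN; `checkClientKey` and `sampleKeyPEM` are hypothetical names, and the sample key is generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// checkClientKey (hypothetical helper) says why key material would fail to load.
func checkClientKey(raw string) error {
	raw = strings.TrimSpace(raw) + "\n"
	if !strings.HasPrefix(raw, "-----BEGIN ") {
		return errors.New("not PEM: no BEGIN line (a file path or a bare base64 body?)")
	}
	block, rest := pem.Decode([]byte(raw))
	if block == nil {
		return errors.New("PEM armor found, but the body is not valid base64 or the END line is missing")
	}
	if len(strings.TrimSpace(string(rest))) != 0 {
		return errors.New("unexpected data after the END line")
	}
	if !strings.HasSuffix(block.Type, "PRIVATE KEY") {
		return fmt.Errorf("PEM block is %q, not a private key", block.Type)
	}
	_, e8 := x509.ParsePKCS8PrivateKey(block.Bytes)
	_, e1 := x509.ParsePKCS1PrivateKey(block.Bytes)
	_, eEC := x509.ParseECPrivateKey(block.Bytes)
	if e8 != nil && e1 != nil && eEC != nil {
		return errors.New("base64 decodes, but the DER is not a PKCS#8, PKCS#1 or EC private key")
	}
	return nil
}

// sampleKeyPEM builds a throwaway key (constructed sample input, not a real credential).
func sampleKeyPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

func main() {
	good := sampleKeyPEM()
	fmt.Println(checkClientKey(good), checkClientKey("/files/client.key"))
}
```
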
Sorry about that, I forgot to mention client.crt and client.key have to be in /gluetun.
Anyway, what you got definitely solved it (finally!):
Idiot that I am…… if only I would have the time to write unit tests 😅 I was reading the client key and client certificate but overriding the client key, silly mistake. Try pulling and launching again, it might just work ™️
client.key.txt
There you go, just remove the .txt and you should be good, it wouldn’t let me upload a .key file.
Thanks!!
Alright I’ll add the code tonight (maybe tomorrow morning though) to read that client.crt.
Might relate to #210 #179 as well.
Cyberghost is really a pain, I even brute-force DNS resolutions using every possible country code to obtain their server information 😕 Well, it works though 😅 Actually on that note, maybe you can contact them sometime to know if they have a publicly available API/zip file/webpage in order to obtain their server information. No hurry on that side though.
And to confirm it is different for every user, I just launched another OpenVPN app in Cyberghost and that Client.crt file is different than the current one.