CyberGhost explained transparently: technical basics and infrastructure of the service

The CyberGhost service is based on three main systems plus a few web servers, which host the company’s web presence at www.cyberghostvpn.com:

  1. The log-in servers, consisting of one master and one backup server
  2. The Domain Name Servers (DNS), consisting of one master server located in Switzerland and two backup servers, located in the USA and in Poland respectively
  3. The exit nodes, where an anonymized user leaves the CyberGhost net and enters the Internet. Currently the service consists of 65 OpenVPN servers around the world, mainly in Europe and the USA.

Log-in servers

The log-in servers each contain their own database, holding only the minimum necessary account data (user name and password), exit node data, system settings and statistics, all of which is continuously synchronised between master and backup server. If a data center or server fails, the backup server immediately becomes master. The DNS record of the master URL is also changed to the backup server’s IP within seconds, so the exit nodes can reach the new master server for internal communication without interruption.

DNS servers

The Domain Name Servers receive all DNS queries from the exit nodes and return the answers anonymously, so that from the point of view of any target server the respective CyberGhost server is the only communication partner. They also resolve the names of the master server, the exit nodes and the account management system.

Exit nodes

The exit nodes connect the clients with the Internet. They receive the DNS queries from the clients, forward them to the DNS servers and return the answers anonymously. Furthermore, a NAT service with firewall functions runs on every exit node, and the exit nodes communicate with the master server during a user log-in and during an active connection (with traffic data reported every five minutes).

Web servers

The web servers handle user registration, account management and system control functions. After a user has registered through the web site, the user name and password hash are stored in the log-in systems’ databases.

And this is how it works:

A typical CyberGhost session follows these steps (with slight differences depending on which kind of connection one uses: the Windows client or native OpenVPN).

  • If one uses the Windows client software, she must enter her user name and password after start-up. She is then connected to an exit node over a tunnel encrypted with 128-bit AES. During connection set-up, the client PC’s default route and DNS settings are changed to point to the exit node.
  • If one uses the native OpenVPN configuration files, provided to subscribers in their accounts, she must first extract all files from the downloaded ZIP into the config folder of her local OpenVPN installation. She then starts the OpenVPN GUI and selects one of the listed connections. While the connection is being established, she needs to enter user name and password. After a successful log-in, the client PC’s default route and DNS settings are changed to point to the exit node.
  • Once the connection to the exit node is fully established, all traffic uses this server, encrypted with 128-bit AES. All connected clients share the public IP of the exit node in use. Note: the connection is set up over 128-bit SSL, and a new key is negotiated and renewed every 30 minutes, so all your traffic remains encrypted with 128-bit AES.
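The three steps above all depend on the same client-side properties: the default route is redirected into the tunnel, DNS is resolved through the exit node, the data channel uses AES-128, and keys are renewed within 30 minutes. The following script is an added, hypothetical audit helper (not CyberGhost’s code and not part of the original article) that reads an OpenVPN client configuration and reports which of those properties it enforces. The sample `.ovpn` text is constructed for illustration, the hostname is a placeholder, and the directives checked (`redirect-gateway`, `dhcp-option DNS`, `cipher`, `reneg-sec`, `block-outside-dns`) are standard OpenVPN options; which of them a particular provider ships in its files, or pushes from the server instead, is not something the article states.

```python
"""Audit an OpenVPN client config for the tunnel properties described above.

Hypothetical helper added for illustration; not CyberGhost's code. It only sees
what the client file itself enforces: options a server pushes at connect time
(push "redirect-gateway" and the like) are not visible here.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample .ovpn; the remote hostname is a placeholder, not a real exit node.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote exit-node.example.invalid 1194  # placeholder hostname
auth-user-pass
cipher AES-128-CBC
reneg-sec 1800
redirect-gateway def1
dhcp-option DNS 10.8.0.1
block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
verb 3
"""

OPENVPN_DEFAULT_RENEG_SEC = 3600  # OpenVPN's documented default for --reneg-sec


def parse_ovpn(text: str) -> dict:
    """Map each directive to the list of argument lists it occurs with.
    Comments (# or ;) are stripped and inline <tag>...</tag> blocks are skipped."""
    directives: dict = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = not line.startswith("</")
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        for marker in ("#", ";"):
            line = line.split(marker, 1)[0]
        parts = line.split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


@dataclass
class TunnelAudit:
    full_tunnel: bool            # redirect-gateway present: default route goes into the tunnel
    dns_servers: List[str]       # resolvers set via dhcp-option DNS
    cipher: Optional[str]        # data-channel cipher named in the file
    reneg_sec: int               # key renegotiation interval in seconds
    findings: List[str] = field(default_factory=list)

    @property
    def aes128(self) -> bool:
        return self.cipher is not None and self.cipher.upper().startswith("AES-128-")

    @property
    def rekey_within_30min(self) -> bool:
        # reneg-sec 0 disables renegotiation entirely, so it must not count as "renewed"
        return 0 < self.reneg_sec <= 1800


def audit(text: str) -> TunnelAudit:
    d = parse_ovpn(text)
    full_tunnel = "redirect-gateway" in d
    dns_servers = [args[1] for args in d.get("dhcp-option", [])
                   if len(args) >= 2 and args[0].upper() == "DNS"]
    cipher = d["cipher"][0][0] if d.get("cipher") else None
    reneg_sec = int(d["reneg-sec"][0][0]) if d.get("reneg-sec") else OPENVPN_DEFAULT_RENEG_SEC
    result = TunnelAudit(full_tunnel, dns_servers, cipher, reneg_sec)

    if not full_tunnel:
        result.findings.append("no redirect-gateway: only explicitly routed traffic uses the tunnel")
    if not dns_servers:
        result.findings.append("no dhcp-option DNS: the resolver is not switched to the exit node")
    if "block-outside-dns" not in d:
        result.findings.append("no block-outside-dns: on Windows, queries may still leave via other interfaces")
    if not result.aes128:
        result.findings.append(f"data-channel cipher is {cipher!r}, not AES-128")
    if not result.rekey_within_30min:
        result.findings.append(f"reneg-sec is {reneg_sec}s: keys are not renewed every 30 minutes")
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_OVPN)
    print("full tunnel:", report.full_tunnel, "| DNS:", report.dns_servers,
          "| cipher:", report.cipher, "| reneg-sec:", report.reneg_sec)
    for finding in report.findings:
        print("finding:", finding)
```

Run it against the extracted `.ovpn` files instead of the constructed sample to see which properties the file itself guarantees; an empty findings list means the default route, DNS, cipher and rekey interval all match the behaviour described above, while each finding names the property that would have to come from a server push (or be absent) instead.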