This article details configuring CyberGhost VPN with a static IP using WireGuard on a Linux system. This setup allows for consistent IP-based access while leveraging CyberGhost's infrastructure.
Prerequisites:
A CyberGhost VPN subscription that supports static IPs.
WireGuard installed on your Linux system (apt install wireguard or equivalent).
wg-quick tool installed (usually comes with WireGuard).
nftables installed (apt install nftables).
Obtain WireGuard Configuration: Download the WireGuard configuration file (.conf) for your static IP location from the CyberGhost website. This file contains necessary keys and endpoint information.
Interface Setup: Modify the downloaded .conf file:
Locate the [Interface] section.
Set PrivateKey = <your_private_key> (from the downloaded file).
Set Address = <your_static_ip>/32 (the static IP assigned to you).
Add DNS = 1.1.1.1, 1.0.0.1 (or your preferred DNS servers).
Peer Configuration: Within the [Peer] section:
PublicKey = <cyberghost_public_key> (from the downloaded file).
AllowedIPs = 0.0.0.0/0, ::/0 (routes all traffic through the VPN).
Endpoint = <cyberghost_endpoint_address>:<port> (from the downloaded file).
PersistentKeepalive = 25 (keeps the connection alive).
Firewall (nftables) Configuration: Create or modify /etc/nftables.conf:
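    table inet filter {
        chain input {
            type filter hook input priority 0;
            ct state related,established accept
            iifname "wg0" accept # Allow traffic from WireGuard interface (all inbound traffic to the static IP)
            iifname "lo" accept # Allow loopback traffic
            drop
        }
        chain forward {
            type filter hook forward priority 0;
            oifname "wg0" accept # Allow forwarding to WireGuard interface
            drop
        }
        chain output {
            type filter hook output priority 0;
            oifname "lo" accept # Allow loopback traffic
            # Allow the encrypted WireGuard packets to reach the endpoint over the
            # physical interface; without this rule the tunnel cannot be established.
            # Use the Endpoint values from the [Peer] section (ip6 daddr for IPv6).
            ip daddr <cyberghost_endpoint_address> udp dport <port> accept
            oifname "wg0" accept # Allow output to WireGuard interface
            drop
        }
    }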
Replace wg0 with your WireGuard interface name if different.
Enable the nftables service: systemctl enable nftables && systemctl start nftables.
Interface Activation: Activate the WireGuard interface:
wg-quick up wg0 (replace wg0 with your interface name). This will use the /etc/wireguard/wg0.conf file. Rename your config file if needed, or specify it with wg-quick up /path/to/your_config.conf.
Verification:
Interface Status: wg show wg0 (check for established connection and traffic).
IP Address: ip addr show wg0 (verify the assigned static IP).
Routing Table: ip route (ensure all traffic is routed through the WireGuard interface).
DNS Resolution: nslookup google.com (check if DNS resolution works through the VPN).
Troubleshooting:
Incorrect Keys: Ensure the private and public keys are correctly copied from the CyberGhost configuration.
Firewall Issues: Incorrect nftables rules can block traffic. Double-check your rules.
Conflicting Routes: Existing routes might interfere. Flush existing routes if necessary.
DNS Leaks: Verify that DNS requests are routed through the VPN to prevent leaks.
Checklist:
Downloaded the correct WireGuard configuration from CyberGhost.
Verified and updated private key, static IP address, and endpoint in the .conf file.
Configured nftables to allow traffic through the WireGuard interface.
Activated the WireGuard interface using wg-quick.
Checked the interface status, IP address, routing table, and DNS resolution.
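The checks on the .conf file (keys, static IP address, endpoint, full-tunnel AllowedIPs) can be run mechanically before wg-quick up. The script below is an added example, not part of the original article or of CyberGhost's tooling; the function names check_wg_conf, conf_get and sample_conf are hypothetical, and the sample config uses constructed values (all-zero keys, documentation address, assumed port 51820).

```shell
#!/bin/sh
# Added example: lint a wg-quick config before running "wg-quick up".

# conf_get FILE KEY: print the value of the first "KEY = value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_wg_conf FILE: print one line per problem, return 0 only if none.
check_wg_conf() {
    conf=$1; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    # The file holds PrivateKey: group and others must have no access.
    mode=$(stat -c %a "$conf")
    case $mode in *00) ;; *) fail "mode $mode, run: chmod 600 $conf" ;; esac
    # Template values such as <your_private_key> must be filled in.
    if grep -q '=[[:space:]]*<[^>]*>' "$conf"; then fail "unfilled <placeholder>"; fi
    # A WireGuard key is 32 bytes, i.e. 44 base64 characters ending in '='.
    for key in PrivateKey PublicKey; do
        conf_get "$conf" "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
            fail "$key is not a 44-character base64 key"
    done
    # The static IP is assigned as a single host address.
    conf_get "$conf" Address | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/32$' ||
        fail "Address is not an IPv4 /32"
    # Full tunnel: a missing default route lets that address family bypass the VPN.
    allowed=$(conf_get "$conf" AllowedIPs | tr -d ' ')
    for net in 0.0.0.0/0 ::/0; do
        case ",$allowed," in *",$net,"*) ;; *) fail "AllowedIPs lacks $net" ;; esac
    done
    conf_get "$conf" Endpoint | grep -Eq '^.+:[0-9]{1,5}$' || fail "Endpoint is not host:port"
    conf_get "$conf" DNS | grep -q . || fail "no DNS line; the existing resolver stays in use"
    return $rc
}

# Constructed sample (all-zero keys, documentation addresses), not a real config.
sample_conf() {
    k=$(head -c 32 /dev/zero | base64)
    printf '%s\n' '[Interface]' "PrivateKey = $k" 'Address = 203.0.113.10/32' \
        'DNS = 1.1.1.1, 1.0.0.1' '[Peer]' "PublicKey = $k" \
        'AllowedIPs = 0.0.0.0/0, ::/0' 'Endpoint = vpn.example.net:51820' \
        'PersistentKeepalive = 25'
}

if [ "$#" -gt 0 ]; then check_wg_conf "$1"; fi
```

Run it with the config path as the only argument, for example /etc/wireguard/wg0.conf; it needs read access to the file and GNU stat.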