The CyberGhost service is built on three main systems, plus a few web servers that host the company's web presence at cyberghostvpn.com:
- The log-in servers, consisting of one master and one backup server
- Several Domain Name Servers (DNS) in different countries
- The exit nodes, where an anonymized user leaves the CyberGhost network and enters the Internet. At the time of writing the service consists of more than 200 OpenVPN servers around the world, mainly in Europe and the USA.
Each log-in server holds its own database with the minimum necessary account data (user name and password hash), exit node data, system settings and statistics, all of which is continuously synced between master and backup server. If a data center or server fails, the backup server immediately becomes master. The DNS record of the master URL is switched to the backup server's IP within seconds, so the exit nodes can reach the new master for internal communication without interruption. This switch is only as fast as the record's TTL allows: the exit nodes must not cache the old answer beyond it.
Domain Name Server
The Domain Name Servers receive all DNS queries from the exit nodes and return the answers, so that from the point of view of any target server (including the name servers being queried) the only party it ever talks to is a CyberGhost server, never the client. They also resolve the host names of the master server, the exit nodes and the account management system for internal use.
The exit nodes connect the clients to the Internet. They receive the DNS queries from the clients, forward them to the Domain Name Servers and pass the answers back, so the client's own resolver is never involved. Every exit node also runs a NAT service with firewall functions, and the exit nodes talk to the master server during user log-in and throughout an active connection (with a traffic report every five minutes).
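The NAT and DNS handling described above, as an added example that is not CyberGhost's own configuration: a POSIX shell script that generates an iptables-restore ruleset for an exit node. It masquerades the tunnel clients behind the node's public interface, forces every DNS query arriving from the tunnel to the operator's own resolver (so a client cannot bypass it and leak queries to a third-party resolver) and isolates clients from each other. The interface names, the tunnel subnet, the resolver address and the OpenVPN port 1194 are assumptions used for illustration.

```shell
#!/bin/sh
# Added example, not CyberGhost's code: iptables-restore ruleset for a VPN exit
# node. Interface names, subnet, resolver address and port are assumptions.

# gen_exit_node_rules TUN_SUBNET WAN_IF TUN_IF DNS_IP
# Prints a complete ruleset in iptables-restore format on stdout.
gen_exit_node_rules() {
    tun_subnet="$1"; wan_if="$2"; tun_if="$3"; dns_ip="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Every DNS query arriving from the tunnel is redirected to the operator's own
# resolver, whatever resolver the client had configured (no resolver leak).
-A PREROUTING -i $tun_if -p udp --dport 53 -j DNAT --to-destination $dns_ip:53
-A PREROUTING -i $tun_if -p tcp --dport 53 -j DNAT --to-destination $dns_ip:53
# Shared public IP: all client traffic leaving on the WAN side is masqueraded.
-A POSTROUTING -s $tun_subnet -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# OpenVPN on UDP 1194 (assumed port) is the only service exposed; management
# access (e.g. SSH from the operator network) would be added here.
-A INPUT -i $wan_if -p udp --dport 1194 -j ACCEPT
# Clients may not reach each other through the tunnel; the INPUT policy above
# already keeps them off the node's own services.
-A FORWARD -i $tun_if -o $tun_if -j DROP
# Forward the (already DNATed) DNS traffic and everything else bound for the WAN.
-A FORWARD -i $tun_if -s $tun_subnet -d $dns_ip -p udp --dport 53 -j ACCEPT
-A FORWARD -i $tun_if -s $tun_subnet -d $dns_ip -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $tun_if -s $tun_subnet -o $wan_if -j ACCEPT
-A FORWARD -o $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_exit_node_rules: same arguments; enables forwarding and loads the
# ruleset atomically. Requires root and is not run by the dry run below.
apply_exit_node_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_exit_node_rules "$@" | iptables-restore
}

# Dry run: show the ruleset that would be loaded for a /24 tunnel network.
gen_exit_node_rules 10.8.0.0/24 eth0 tun0 10.0.0.53
```

The ruleset is written in iptables-restore format so that it is loaded atomically rather than rule by rule; that avoids a window in which forwarding is already enabled but the NAT or DNS redirection is not yet in place.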
CyberGhost uses static shared IP addresses: every user has the same public address as every other user connected to the same server at the same time. A single user therefore not only gets an IP address different from his own, but also disappears into the background traffic of everyone else on that server. The more users a server has, the better, because this second level of anonymity grows with the size of the crowd sharing the address. The downside: many users slow a server down. Note that the crowd hides a user from the destination server and from anyone watching the exit node's public side; the exit node itself still sees which tunnel each packet came from.
The web servers handle user registration, account management and system control functions. Once a user has registered through the web site, his user name and password hash (not the password itself) are stored in the log-in servers' databases.
And this is how it works
A typical CyberGhost session follows these steps (with small differences depending on whether the Windows client or native OpenVPN is used).
- With the Windows client software, the user enters his user name and password after startup and is then connected to an exit node over a tunnel encrypted with 256-bit AES. While the connection is being established, the client PC's default route and DNS settings are changed to point at the exit node.
- With the native OpenVPN configuration files, which subscribers can download from their accounts, the user first extracts all files from the downloaded ZIP into the config folder of the local OpenVPN installation, then starts the OpenVPN GUI and selects one of the listed connections. While the connection is being established, OpenVPN prompts for user name and password. After a successful log-in, the client PC's default route and DNS settings are changed to point at the exit node.
- Once the connection to the exit node is fully established, all traffic goes through this server, encrypted with 256-bit AES, and all connected clients share the public IP of that exit node. Note: the TLS control channel negotiates the data-channel keys, and a fresh key is negotiated every 30 minutes, so all traffic is encrypted with 256-bit AES under a regularly renewed key.
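A check a subscriber can run on a downloaded profile before trusting it, as an added example (not CyberGhost's code and not one of their real profiles): the script writes a constructed sample .ovpn and lints any profile for the directives that back the claims in the steps above: auth-user-pass for the credential prompt, redirect-gateway for the default route through the tunnel, an AES-256 data cipher, and reneg-sec 1800 for the 30-minute key renewal. It also requires remote-cert-tls server, which the page does not mention but which a practitioner would want so that only a certificate issued with the server role is accepted as the exit node. The host name vpn.example.net and the directive set of the sample are assumptions.

```shell
#!/bin/sh
# Added example, not CyberGhost's code: lint an OpenVPN client profile for the
# properties a VPN session is supposed to have. The sample profile is constructed.

# write_sample_profile FILE: constructed sample, not a real CyberGhost profile.
write_sample_profile() {
    cat >"$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
reneg-sec 1800
redirect-gateway def1
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate omitted in this sample)
-----END CERTIFICATE-----
</ca>
EOF
}

# has_directive FILE NAME: true if the profile contains the directive at all.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# directive_arg FILE NAME: first argument of the directive, empty if absent.
directive_arg() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^[:space:]]+).*/\1/p" "$1" | head -n 1
}

finding() { echo "FAIL: $1"; rc=1; }

# check_ovpn_profile FILE: prints one FAIL line per problem, returns 1 if any.
check_ovpn_profile() {
    f="$1"; rc=0
    has_directive "$f" auth-user-pass   || finding "auth-user-pass missing: no prompt for the account credentials"
    has_directive "$f" redirect-gateway || finding "redirect-gateway missing: default route stays on the physical interface, traffic bypasses the tunnel"
    has_directive "$f" remote-cert-tls  || finding "remote-cert-tls server missing: any CA-signed client certificate could impersonate the exit node"
    # Newer clients negotiate via data-ciphers; fall back to the classic cipher line.
    cipher="$(directive_arg "$f" data-ciphers)"
    [ -n "$cipher" ] || cipher="$(directive_arg "$f" cipher)"
    case "$cipher" in
        AES-256-GCM*|AES-256-CBC*) ;;
        *) finding "data cipher is '${cipher:-unset}', not AES-256" ;;
    esac
    # A 30-minute rekey means reneg-sec 1800; OpenVPN's default is 3600.
    reneg="$(directive_arg "$f" reneg-sec)"
    [ "${reneg:-3600}" -le 1800 ] || finding "reneg-sec is ${reneg:-3600}s: keys are renewed less often than every 30 minutes"
    return $rc
}

# Demo: lint the constructed sample (expected to pass).
tmp="$(mktemp)"
write_sample_profile "$tmp"
check_ovpn_profile "$tmp" && echo "OK: $tmp passes all checks"
rm -f "$tmp"
```

The DNS setting itself cannot be verified in the client file, because the server pushes it (via a pushed dhcp-option DNS) during the connection; the block-outside-dns line in the sample is the Windows-only guard that stops the client from sending queries past the tunnel to its previous resolver while the tunnel is up.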