Hi folks, you may ask why do we need to hide a VPN behind a VPN. The answer may be not the good one but we add an other level of security, especially if one of our VPN server is corrupted.

Requirements

For that we will need two different VPN and a client.
I will choose one of the many VPN provider around the world as a point of exit (Amsterdam) and a debian server as front VPN (Paris).
My client will use OpenVPN protocol in order to connect to the front VPN.

Installation

sudo aptitude install openvpn
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Setup server

Edit your file

/etc/openvpn/easy-rsa/vars

Create your keys

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
sudo openvpn --genkey --secret keys/ta.key
sudo cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
sudo mkdir /etc/openvpn/jail
sudo mkdir /etc/openvpn/clientconf
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Create the server config file

# /etc/openvpn/server.conf

# Server
mode server
proto udp
port 7080
dev tun
# Important with some internet provider
mssfix 1300

# Keys
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 1
key-direction 0
cipher AES-256-CBC

# Network
server 192.168.88.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
# Google or other
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# If you want that client can communicate each other
#client-to-client
keepalive 4000 8000

# Security
max-clients 10
# I choose to restrict ips
ifconfig-pool-persist ipp.txt
user nobody
group nogroup
chroot /etc/openvpn/jail
persist-key
persist-tun
comp-lzo

# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log

Setup network (Most important and case of failure part)

# /etc/init.d/firewall
...
# VPN Server
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 7080 -j ACCEPT
iptables -A FORWARD -s 192.168.88.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

As far you could already start the server with

openvpn /etc/openvpn/server.conf

Setup a client

cd /etc/openvpn/easy-rsa
source vars
./build-key myclient
sudo mkdir /etc/openvpn/clientconf/myclient/
sudo cp /etc/openvpn/ca.crt /etc/openvpn/ta.key keys/myclient.crt keys/myclient.key /etc/openvpn/clientconf/myclient/
cd /etc/openvpn/clientconf/myclient/

Create client config file

# /etc/openvpn/clientconf/myclient/client.conf
# Client
client
dev tun
proto udp
# Your debian VPN ip
remote x.x.x.x 7080
resolv-retry infinite
cipher AES-256-CBC

ping 10
ping-restart 20

# Clé
ca ca.crt
cert myclient.crt
key myclient.key
tls-auth ta.key 1
key-direction 1

# Sécurité
nobind
persist-key
persist-tun
comp-lzo
verb 3
sudo cp client.conf client.ovpn

You can now try the connexion with files created in /etc/openvpn/clientconf/myclient folder.
Your client must have your debian server IP.

The next part is to connect our debian server to our VPN provider. You VPN provider probably allow you to get a OpenVPN configuration files. Here mine:

# /etc/openvpn/amsterdam.conf
float
client
route-nopull
dev tun
nobind
proto udp
remote *.*.*.*.* 1194
comp-lzo adaptive
ca amsterdam.crt
tls-client
script-security 3 system
cipher AES-256-CBC
mute 10

route-delay 5
resolv-retry infinite
persist-key
persist-tun
remote-cert-tls server
mssfix

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
auth-user-pass pass
verb 3