Hi folks, you may ask why we would want to hide a VPN behind a VPN. The answer may not be the best one, but chaining them adds another level of security, especially if one of our VPN servers is compromised.


For that we will need two different VPNs and a client.
I will use one of the many VPN providers around the world as the exit point (Amsterdam) and a Debian server as the front VPN (Paris).
My client will use the OpenVPN protocol to connect to the front VPN.


sudo aptitude install openvpn
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Setup server

Edit your easy-rsa vars file (/etc/openvpn/easy-rsa/vars) with your certificate details.


Create your keys

cd /etc/openvpn/easy-rsa/
# "source vars" only sets variables in the current shell, so run this block as root (e.g. after sudo -i)
source vars
./clean-all
./pkitool --initca
./pkitool --server server
# Diffie-Hellman parameters; writes keys/dh1024.pem (size follows KEY_SIZE in vars) and is needed by server.conf
./build-dh
sudo openvpn --genkey --secret keys/ta.key
sudo cp keys/ca.crt keys/ta.key keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
sudo mkdir /etc/openvpn/jail
sudo mkdir /etc/openvpn/clientconf
# Not persistent across reboots: set net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Create the server config file

# /etc/openvpn/server.conf

# Server
mode server
# Assumed client subnet (not in the original post); adjust it to your own.
# "server" also sets tls-server, ifconfig and the address pool that mode server requires.
server 10.8.0.0 255.255.255.0
proto udp
port 7080
dev tun
# Important with some internet providers
mssfix 1300

# Keys
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# tls-auth direction must be 0 on the server and 1 on the clients
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC

# Network
push "redirect-gateway def1 bypass-dhcp"
# Google or other: put the resolver address after DNS (left out of the original post)
push "dhcp-option DNS"
push "dhcp-option DNS"
# If you want clients to be able to talk to each other, add client-to-client here
# keepalive: ping every 4000 s, restart after 8000 s without a reply (10 60 is the usual pair)
keepalive 4000 8000

# Security
max-clients 10
# I chose to pin client addresses: keep the client/IP mapping across restarts
ifconfig-pool-persist ipp.txt
user nobody
group nogroup
chroot /etc/openvpn/jail

# Log
verb 3
mute 20
status openvpn-status.log
log-append /var/log/openvpn.log

Setup network (the most important part, and where most failures come from)

# /etc/init.d/firewall
# VPN Server
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 7080 -j ACCEPT
# Put your VPN client subnet after -s (left out of the original post)
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

At this point you can already start the server with

# the config uses relative paths (ca.crt, ta.key ...), so start it from /etc/openvpn
cd /etc/openvpn && openvpn server.conf

Setup a client

cd /etc/openvpn/easy-rsa
source vars
./build-key myclient
sudo mkdir /etc/openvpn/clientconf/myclient/
sudo cp /etc/openvpn/ca.crt /etc/openvpn/ta.key keys/myclient.crt keys/myclient.key /etc/openvpn/clientconf/myclient/
cd /etc/openvpn/clientconf/myclient/

Create the client config file

# /etc/openvpn/clientconf/myclient/client.conf
# Client
client
dev tun
proto udp
# Your debian VPN ip
remote x.x.x.x 7080
resolv-retry infinite
cipher AES-256-CBC
# Only accept a peer whose certificate was built with --server (same check the provider config uses)
remote-cert-tls server

ping 10
ping-restart 20

# Keys
ca ca.crt
cert myclient.crt
key myclient.key
tls-auth ta.key 1
key-direction 1

# Security
verb 3

Some clients expect the .ovpn extension:

sudo cp client.conf client.ovpn

You can now try the connection with the files created in the /etc/openvpn/clientconf/myclient folder.
The remote line of the client config must carry your Debian server's public IP.
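Before handing the bundle to a client it is worth checking that the two config files actually agree: the tls-auth directions, cipher, proto and port must pair up, and a mismatch only shows as a TLS negotiation timeout on the client. The script below is an added example, not part of the original post; it assumes POSIX sh and awk, and the sample configs are the post's server.conf and client.conf reduced to the directives that must match, with the server's tls-auth direction at 0.

```shell
#!/bin/sh
# Added example (not from the original post): check that a server.conf and a
# client.conf agree before the client bundle is handed out.
# Assumes POSIX sh and awk.

# opt FILE KEY: print the arguments of the first line whose first word is KEY
opt() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# keydir FILE: effective tls-auth key direction. When key-direction is present
# it is the later directive in both of the post's files, and OpenVPN keeps the
# last value it parses, so it takes precedence over the tls-auth argument.
keydir() {
    d=$(opt "$1" key-direction)
    [ -n "$d" ] || d=$(opt "$1" tls-auth | awk '{ print $2 }')
    printf '%s\n' "$d"
}

# check_pair SERVER_CONF CLIENT_CONF: one line per mismatch, exit 0 when clean
check_pair() {
    srv=$1 cli=$2 rc=0
    for key in proto dev cipher; do
        s=$(opt "$srv" "$key"); c=$(opt "$cli" "$key")
        [ "$s" = "$c" ] || { echo "$key differs: server '$s', client '$c'"; rc=1; }
    done
    sport=$(opt "$srv" port)
    cport=$(opt "$cli" remote | awk '{ print $2 }')
    [ "$sport" = "$cport" ] || { echo "port differs: server '$sport', client remote '$cport'"; rc=1; }
    # With tls-auth the two sides must use opposite key directions; otherwise the
    # handshake packets are dropped and the client reports a TLS key negotiation timeout
    sdir=$(keydir "$srv"); cdir=$(keydir "$cli")
    [ "$sdir" = 0 ] || { echo "server tls-auth direction is '$sdir', expected 0"; rc=1; }
    [ "$cdir" = 1 ] || { echo "client tls-auth direction is '$cdir', expected 1"; rc=1; }
    return $rc
}

# Constructed sample files: the post's two configs, cut down to what must match
TMP=$(mktemp -d)
cat > "$TMP/server.conf" <<'EOF'
mode server
proto udp
port 7080
dev tun
cipher AES-256-CBC
tls-auth ta.key 0
key-direction 0
EOF
cat > "$TMP/client.conf" <<'EOF'
client
dev tun
proto udp
remote x.x.x.x 7080
cipher AES-256-CBC
tls-auth ta.key 1
key-direction 1
EOF
# A deliberately broken client bundle: same key direction as the server
sed 's/^key-direction 1/key-direction 0/' "$TMP/client.conf" > "$TMP/bad-client.conf"

if check_pair "$TMP/server.conf" "$TMP/client.conf"; then echo "server/client: OK"; fi
check_pair "$TMP/server.conf" "$TMP/bad-client.conf" || echo "server/bad-client: see mismatches above"
```

Run it against the real files with check_pair /etc/openvpn/server.conf /etc/openvpn/clientconf/myclient/client.conf; a non-zero exit means the bundle would not connect.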

The next part is to connect our Debian server to our VPN provider. Your VPN provider probably lets you download OpenVPN configuration files. Here is mine:

# /etc/openvpn/amsterdam.conf
client
dev tun
proto udp
remote *.*.*.*.* 1194
comp-lzo adaptive
ca amsterdam.crt
# Needed so up.sh / down.sh may run; "system" is the old execution mode, execve is the safer one
script-security 3 system
cipher AES-256-CBC
mute 10

route-delay 5
resolv-retry infinite
# Refuse to talk to a peer whose certificate is not a server certificate
remote-cert-tls server

up /etc/openvpn/up.sh
down /etc/openvpn/down.sh
# "pass": username on line 1, password on line 2; keep it readable by root only (chmod 600)
auth-user-pass pass
verb 3
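Two things decide whether this chain actually holds, and neither is in the firewall snippet above or in the up.sh/down.sh files the provider config refers to: client traffic must be NATed out through the provider tunnel only, never out the bare WAN interface if that tunnel drops, and once the provider pushes redirect-gateway the Debian server's own default route moves into the tunnel, so replies from the front listener must be pinned to the WAN interface or clients can no longer reach it. The generator below is an added example and not the post's firewall script or up.sh; it assumes the clients arrive on tun0 and the provider tunnel is tun1 (set "dev tun0" and "dev tun1" in the two configs so the names are fixed), that the WAN interface is eth0, the client subnet is 10.8.0.0/24, and the public address and gateway are constructed from the 203.0.113.0/24 documentation range. It prints the commands rather than running them; apply with front_rules ... | sh as root.

```shell
#!/bin/sh
# Added example, not the post's own firewall or up.sh script: generate the rules
# a front VPN server needs so that client traffic can only leave through the
# provider tunnel. Prints the commands; apply with: front_rules ... | sh
# Assumed names (not in the post): tun0 = client side, tun1 = provider tunnel,
# eth0 = WAN, 10.8.0.0/24 = client subnet, 203.0.113.x = constructed addresses.

# front_rules VPN_SUBNET CLIENT_IF EXIT_IF WAN_IF WAN_IP WAN_GW [PORT]
front_rules() {
    [ $# -ge 6 ] || { echo "usage: front_rules SUBNET CLIENT_IF EXIT_IF WAN_IF WAN_IP WAN_GW [PORT]" >&2; return 1; }
    subnet=$1 cif=$2 xif=$3 wif=$4 wip=$5 wgw=$6 port=${7:-7080}

    echo "sysctl -w net.ipv4.ip_forward=1"

    # Inbound: only the OpenVPN listener is reachable from the WAN side
    echo "iptables -A INPUT -i $wif -p udp --dport $port -m state --state NEW -j ACCEPT"

    # Forwarding fails closed: default DROP, then allow exactly one path out
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -i $cif -o $xif -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Nothing from the client subnet is ever accepted out the bare WAN interface:
    # if $xif goes down the clients lose connectivity instead of leaking past the exit VPN
    echo "iptables -A FORWARD -s $subnet -o $wif -j REJECT"
    # The post configures IPv4 only; forwarded IPv6 must not bypass the chain either
    echo "ip6tables -P FORWARD DROP"

    # NAT client traffic to the address the provider assigned us on $xif
    echo "iptables -t nat -A POSTROUTING -s $subnet -o $xif -j MASQUERADE"

    # Policy routing: after the provider pushes redirect-gateway the default route
    # sits in $xif; packets sourced from our public IP (replies to the clients,
    # and the tunnel to the provider itself) must still leave via $wif
    echo "ip rule add from $wip table 100"
    echo "ip route add default via $wgw dev $wif table 100"
}

# Dry run with the constructed sample values (replace with your own)
front_rules 10.8.0.0/24 tun0 tun1 eth0 203.0.113.10 203.0.113.1
```

The two ip commands are what up.sh needs to carry (and down.sh to remove with ip rule del / ip route del); the iptables lines belong in the firewall script and do not depend on tunnel state, which is exactly why the chain fails closed when tun1 disappears.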