So you want to have something like a VPN-Gateway (or same with different term: Whonix-VPN-Gateway).
Good question. Unfortunately, also a big question. It’s like asking “how to make a Tor-only Gateway” or “how to make Whonix”.
Yes, I'd like to (user -> VPN -> Tor), but instead of running the openvpn client on the host or Whonix-Gateway, I was thinking about an extra VM as a Gateway for Whonix-Gateway, so I would be able to chain multiple VPNs or could implement a second layer on Tor (user->Tor->VPN) with more security, e.g. against rootkits and stuff on my Whonix-Workstation.
It wouldn't help against rootkits, at least I am not seeing how at the moment. Nevertheless having pluggable gateways that one can stack in arbitrary orders would be interesting. See also:
https://www.whonix.org/wiki/Advanced_Security_Guide#Chaining_Anonymizing_Gateways
Maybe help / could be to be off the track:
I need to know now how it is possible to establish an internal network between two VMs like you did with Whonix-Gateway and the Workstation.
My advice for this approach:
1) first, learn how to do it without involving Whonix
2) after you have figured it out, combine this with Whonix
Don't try to start by involving Whonix, then it's getting too complex.
Virtual Machines support connections between internal networks. Documentation about virtualizers explains how to set this up. For /etc/network/interfaces examples, have a look at eth1 on Whonix-Gateway as well as Whonix-Workstation eth0. Then you should be able to ping each other. The next step would be to make the supposed VPN-Gateway forward traffic for clients. Start with clearnet traffic. If that works, configure the VPN-Gateway to route all traffic through a VPN and use something like VPN-Firewall (https://github.com/adrelanos/VPN-Firewall).
Asking on the wilderssecurity forum would maybe make mirimir answer and help getting a pfSense based VPN-Gateway up and running in conjunction with Whonix. I’ll also ask mirimir to have a look at this thread.
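The steps from the reply above (internal network, static addresses, then forwarding clearnet traffic before moving to a VPN), as an added example that is not part of the original post and is not Whonix or VPN-Firewall code. It assumes two plain Debian VMs, a /24 internal network with the constructed addresses 10.0.5.1 and 10.0.5.2, the interface names eth0, eth1 and tun0, and hypothetical function names.

```shell
#!/bin/sh
# Added example. All names and addresses are assumptions, not values from the post.
INT_IF="${INT_IF:-eth1}"            # gateway NIC on the virtualizer's internal network
OUT_IF="${OUT_IF:-eth0}"            # uplink: eth0 for the clearnet test, tun0 once the VPN is up
GW_IP="${GW_IP:-10.0.5.1}"          # constructed address of the VPN-Gateway
CLIENT_IP="${CLIENT_IP:-10.0.5.2}"  # constructed address of the client VM
NET="${NET:-10.0.5.0/24}"

# /etc/network/interfaces stanza for the gateway's internal NIC.
gateway_stanza() {
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask 255.255.255.0\n' \
        "$INT_IF" "$INT_IF" "$GW_IP"
}

# Stanza for the client VM: its only NIC sits on the internal network and
# uses the gateway as default route.
client_stanza() {
    printf 'auto eth0\niface eth0 inet static\n    address %s\n    netmask 255.255.255.0\n    gateway %s\n' \
        "$CLIENT_IP" "$GW_IP"
}

# Rules in iptables-restore format. FORWARD defaults to DROP, so client traffic
# can only leave through OUT_IF; with OUT_IF=tun0 nothing is forwarded while
# the VPN is down.
forward_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $NET -o $OUT_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $INT_IF -o $OUT_IF -s $NET -j ACCEPT
-A FORWARD -i $OUT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "apply" ]; then
    # Run as root on the gateway. Replaces existing nat and filter rules.
    sysctl -w net.ipv4.ip_forward=1
    forward_rules | iptables-restore
else
    # Default: only print everything for review.
    gateway_stanza; client_stanza; forward_rules
fi
```

These rules cover forwarded client traffic only; the gateway's own outgoing traffic is not restricted by them.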