This is pretty much not possible because with a single-NIC server DMZ1 and DMZ2 need to be connected on the same physical network and therefore they aren't 2 DMZs anymore, unless:
- The server will act as a "lollypop" router and forwards the packets from the network to a firewall which separates the 2 DMZs. But then technically your server is not in DMZ2
or
- Configure the server so it can handle VLANs. Configure one VLAN-tag inside DMZ1 and another VLAN-tag in DMZ2. Allow traffic from the VPN-interface into DMZ2 (via the VLAN). In this setup your server is again some kind of lollypop-bridge between the 2 DMZs
Both setups have their advantages and drawbacks. In the first setup you have a different machine which can control and inspect traffic on the separation-point between the 2 networks and the security doesn't rely entirely on a single device. But it is more complex to build.
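The second option (VLAN tags on the single NIC, VPN traffic allowed into DMZ2 only) as an added example; this is not code from the answer above. It assumes the physical NIC is `eth0`, the VPN interface is `tun0`, Linux `ip` and `nft` tooling, and VLAN IDs 10 and 20 chosen for illustration. The function only prints the commands it would run, so the plan can be reviewed before applying it as root, and it refuses identical VLAN IDs, since a single tag would put both DMZs in one broadcast domain and the separation the answer describes would be gone.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Emits the commands that put two 802.1Q sub-interfaces (one per DMZ) on one
# physical NIC and an nftables forward policy that lets the VPN interface reach
# the DMZ2 VLAN only. Nothing is applied; output is printed for review.

# valid_vlan ID -> success if ID is an integer in the 802.1Q range 1..4094
valid_vlan() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# build_vlan_plan NIC VPN_IF DMZ1_VID DMZ2_VID
# Prints the ip/nft commands; fails if either VLAN id is invalid or both are equal.
build_vlan_plan() {
  nic=$1; vpn=$2; dmz1=$3; dmz2=$4
  valid_vlan "$dmz1" || { echo "invalid VLAN id for DMZ1: $dmz1" >&2; return 1; }
  valid_vlan "$dmz2" || { echo "invalid VLAN id for DMZ2: $dmz2" >&2; return 1; }
  if [ "$dmz1" -eq "$dmz2" ]; then
    echo "DMZ1 and DMZ2 must use different VLAN ids (one tag = one network)" >&2
    return 1
  fi
  cat <<EOF
# 802.1Q sub-interfaces on the single physical NIC (assumed name: $nic)
ip link add link $nic name $nic.$dmz1 type vlan id $dmz1
ip link add link $nic name $nic.$dmz2 type vlan id $dmz2
ip link set $nic.$dmz1 up
ip link set $nic.$dmz2 up
# forward policy: default drop, VPN (assumed: $vpn) -> DMZ2 only,
# any DMZ1 -> DMZ2 crossing is logged so the server never bridges the two DMZs silently
nft add table inet dmz
nft add chain inet dmz forward '{ type filter hook forward priority 0; policy drop; }'
nft add rule inet dmz forward ct state established,related accept
nft add rule inet dmz forward iifname "$vpn" oifname "$nic.$dmz2" accept
nft add rule inet dmz forward iifname "$nic.$dmz1" oifname "$nic.$dmz2" log prefix "dmz-crossing " drop
EOF
}

# usage: build_vlan_plan eth0 tun0 10 20
```

Because the forward chain's policy is drop, the explicit DMZ1 to DMZ2 rule only adds a log line; it exists so an attempted crossing shows up in the server's logs rather than disappearing into the default policy.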