Here is our problem:
We have several webservers, which should be reachable from the public. The database servers that store the data for the web apps on those webservers, though, shall not have a public IP.
So, since I want to be able to connect to the SQL servers using SSH for example, and those servers need to talk with each other, I had this idea:
```text
                 Internet
                    |
            -----------------
            |               |
       Webserver 1     Webserver 2     Database Server
            |               |               |
       --------------------- vLAN ---------------------
                            |
                          PPTP
                            |
                   Workstation (my PC)
```
My idea was that I can connect to the vLAN using PPTP so that I have access to all servers in that LAN, but the database server remains invisible to the public.
Is this infrastructure a good idea?
You just described a DMZ. There's no need to VPN to get to this. Simple routing from the internal network to the DMZ is normally sufficient.
A typical company network looks like this.
The only time I would resort to a VPN is to access the protected networks or management services/ports on the DMZ servers from somewhere on the internet... like from home.
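As an added illustration of the answer's point (this is not part of the original question or answer), here is an nftables ruleset for a firewall/router that sits between the internet, the DMZ vLAN and the internal network: the internet reaches only the webservers on HTTP/HTTPS, the internal network reaches the DMZ by plain routing for SSH and SQL administration, and the database server is unreachable from outside. Every interface name and address in it is a constructed assumption.

```nftables
# Added example, not from the original post. Assumed topology (all constructed):
#   eth0 = internet uplink, eth1 = DMZ vLAN (10.0.10.0/24), eth2 = internal LAN (10.0.20.0/24)
#   web1 = 10.0.10.10 (public 203.0.113.10), web2 = 10.0.10.11 (public 203.0.113.11)
#   db   = 10.0.10.20 (no public address at all)
define WAN    = eth0
define DMZ    = eth1
define LAN    = eth2
define WEB    = { 10.0.10.10, 10.0.10.11 }
define DB     = 10.0.10.20
define LANNET = 10.0.20.0/24

table inet dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Internet may only reach the webservers, and only on HTTP/HTTPS
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # Internal network reaches the DMZ by routing, no VPN involved:
        # SSH to every DMZ host, SQL only to the database server
        iifname $LAN oifname $DMZ ip saddr $LANNET tcp dport 22 accept
        iifname $LAN oifname $DMZ ip saddr $LANNET ip daddr $DB tcp dport 3306 accept

        # DMZ hosts may fetch updates from the internet but never initiate inward
        iifname $DMZ oifname $WAN accept
        iifname $DMZ oifname $LAN drop

        # Everything else, including any internet packet aimed at $DB, falls to policy drop.
        # Web and DB share one vLAN, so web-to-DB traffic never crosses this box;
        # limit that with host firewalls (DB accepting 3306 only from the web hosts).
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Publish each webserver on its own public address
        iifname $WAN tcp dport { 80, 443 } dnat to ip daddr map { 203.0.113.10 : 10.0.10.10, 203.0.113.11 : 10.0.10.11 }
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f dmz.nft` and confirm with `nft list ruleset`; an SSH attempt from the internet to the DB address should simply time out under the drop policy.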