iptables – How to implement twice NAT with iptables


I want to do twice NAT.

Design is:

LAN A 192.168.1.10/24 --- OpenSwan VPN, public IP 5.5.5.5 <------VPN------> public IP 6.6.6.6, OpenSwan --- LAN B 192.168.1.20/24

When I ping from source 192.168.1.10, I want to change the source to 1.1.1.x/24 and the destination to 2.2.2.10/24.

So the machine in LAN A, 192.168.1.10, will ping destination 2.2.2.10 with source NAT IP 1.1.1.10, and the packet will hit 192.168.1.20.

Due to the overlapping subnet I cannot put a route for 192.168.1.20 in the LAN routing table, as it conflicts, so I want to ping a dummy IP 2.2.2.10 and, when the packet reaches the OpenSwan VPN box, have it do destination translation to 192.168.1.20.

So what would the NAT statements be on the Site A OpenSwan?

(Note: I don't have access to the Site B OpenSwan, so all changes have to be made on the Site A OpenSwan.)

Best Answer

Is there a requirement for LAN A and LAN B to use the same subnet, or could that be changed?

I also sincerely hope the 1.1.x.x and 2.2.x.x IPs you give are purely illustrative - in the real world, you would want to use RFC 1918 addresses.

On a basic level, what you describe is applying both Source and Destination NAT, i.e. SNAT and DNAT.

So in theory, the below should work:

# PREROUTING runs before the routing decision: rewrite the dummy destination
# to the real host in LAN B so the packet is routed into the tunnel
iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.1.20
# POSTROUTING runs after routing: rewrite the source so LAN B sees 1.1.1.10.
# Matching on the already-DNATed destination keeps the SNAT from hitting
# every other packet this host sends through the box.
iptables -t nat -A POSTROUTING -s 192.168.1.10 -d 192.168.1.20 -j SNAT --to-source 1.1.1.10

Unfortunately, if you do not have access to site B's VPN server, then this will not work.

And the reason it will not work is that while the machine on LAN A is trying to reach 1.1.1.10, your LAN A VPN server needs to translate that back to 192.168.1.20. There is also the issue of what LAN B's VPN server should do with the 1.1.1.10 source IP: you would need routing in place for the packet to be sent back to its originator, and it seems (to me) a whole lot simpler to just have LAN A use 10.1.1.1/24.

And as you have mentioned, you can't make your LAN A VPN server route correctly to 192.168.1.20, because your LAN A VPN server believes that subnet to be local to it.

Adding a specific route might help (e.g. ip r add 192.168.1.20/32 via IP), but this all sounds a little brittle - I would have thought a much more workable solution would be to split your /24, and assign a /25 on either side of your VPN (if you must maintain the same LAN IPs on both ends).

So I would tend to think your best bet is trying to change LAN A.

A different /24 from B's would work, and it would also work to have a /25 on either side of the tunnel.
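The following is an added example, not part of the question or the answer above. It models the two translations the answer describes on the Site A box (DNAT in PREROUTING, SNAT in POSTROUTING) together with the piece iptables does for you implicitly, the conntrack entry that reverses both translations on the echo reply, and it makes the answer's objection concrete: the reply from 192.168.1.20 is addressed to 1.1.1.10, and Site B only sends it back through the tunnel if Site B has a route (or IPsec policy) for 1.1.1.0/24 pointing at Site A. The addresses are the ones from the question; the rule dictionaries, the `SiteANat` class, the Site B routing-table model and the hop name `tunnel-to-site-A` are constructed for the illustration.

```python
"""Twice NAT on the Site A VPN box: forward path, conntrack reversal on the
reply, and the route Site B needs for the NAT range. Added example; the
NAT rule tables and the Site B router model are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# nat table on the Site A box, equivalent to the answer's two rules:
#   iptables -t nat -A PREROUTING  -d 2.2.2.10     -j DNAT --to-destination 192.168.1.20
#   iptables -t nat -A POSTROUTING -s 192.168.1.10 -j SNAT --to-source 1.1.1.10
DNAT_RULES = {"2.2.2.10": "192.168.1.20"}   # dummy destination -> real host in LAN B
SNAT_RULES = {"192.168.1.10": "1.1.1.10"}   # LAN A host -> address LAN B will see


class SiteANat:
    """Stateful NAT: each translation is recorded so the reply can be reversed."""

    def __init__(self) -> None:
        # key: (src, dst) of the reply we expect back; value: original (src, dst)
        self.conntrack: dict[tuple[str, str], tuple[str, str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN A -> tunnel: PREROUTING DNAT first, POSTROUTING SNAT after routing."""
        dst = DNAT_RULES.get(pkt.dst, pkt.dst)   # PREROUTING, before the routing decision
        src = SNAT_RULES.get(pkt.src, pkt.src)   # POSTROUTING, after the routing decision
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def inbound(self, reply: Packet) -> Optional[Packet]:
        """tunnel -> LAN A: undo both translations using the conntrack entry."""
        entry = self.conntrack.get((reply.src, reply.dst))
        if entry is None:
            return None                          # no state: nothing to reverse, reply is dropped
        orig_src, orig_dst = entry
        # the reply's source becomes the dummy IP the LAN A host pinged,
        # its destination becomes the LAN A host's real address
        return Packet(src=orig_dst, dst=orig_src)


def site_b_next_hop(routes: list[tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match on Site B's (constructed) routing table; None = no route."""
    best: Optional[tuple] = None
    for cidr, hop in routes:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def ping_round_trip(site_b_routes: list[tuple[str, str]]) -> Optional[Packet]:
    """Echo request 192.168.1.10 -> 2.2.2.10 and the echo reply back.

    Returns the reply as 192.168.1.10 sees it, or None when Site B does not
    route 1.1.1.10 back into the tunnel (the case the answer warns about)."""
    site_a = SiteANat()
    request = Packet("192.168.1.10", "2.2.2.10")
    on_tunnel = site_a.outbound(request)          # what 192.168.1.20 actually receives
    reply = Packet(on_tunnel.dst, on_tunnel.src)  # LAN B host answers the address it saw
    if site_b_next_hop(site_b_routes, reply.dst) != "tunnel-to-site-A":
        return None                               # Site B sends 1.1.1.10 to its ISP or nowhere
    return site_a.inbound(reply)


if __name__ == "__main__":
    isp_only = [("0.0.0.0/0", "isp")]
    with_nat_route = isp_only + [("1.1.1.0/24", "tunnel-to-site-A")]
    print("Site B without a 1.1.1.0/24 route:", ping_round_trip(isp_only))
    print("Site B with a 1.1.1.0/24 route:   ", ping_round_trip(with_nat_route))
```

The request leaves Site A as 1.1.1.10 -> 192.168.1.20 in both runs; the difference is entirely on the return path, which is why the answer says the rules alone cannot be made to work without a change on Site B.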