openvpn
DeforondA, 2019-08-13 13:21:00

How to properly configure the gateway on a Debian virtual machine?

Good afternoon everyone!
I really ask for the help of experts, since I have already despaired and am absolutely not sure of the correctness of the current solution used. I ask you not to kick too much - I googled everything that is possible - everywhere such situations are described differently, and besides, I have never met a situation identical to mine.
-------------------------------
Essence of the question:
correctly configure a gateway on a Debian 9.9 virtual machine (VMware) so that a second virtual machine (also Debian) goes out to the Internet through this gateway. I want to clarify that the scheme is working at the moment, but I highly doubt that it works correctly and in the way I would like.
Initial data:
Virtual machine debian-gateway:
Has 3 network (virtual, of course) adapters:
1a) eth0 - with the help of which debian has the original Internet access - this is a custom type adapter, with NAT, DHCP enabled; setting "connect host to this network" - disabled;
settings in the network manager inside the virtual machine for this connection: "Automatically by DHCP, address only", that is, I specified public DNS servers (for example, 8.8.8.8 - not so important);
in total, let's say that:
IP 192.168.19.5
mask 24
gateway 192.168.19.2
DNS 8.8.8.8
3a) eth1 - adapter of the "created" virtual LAN, also custom type; here are the following network adapter settings: NAT - no, DHCP - no, connect to host - no;
settings in the network manager inside the virtual machine for this connection: "Shared with other computers", with the specified static IP, for example, 192.168.2.1, mask 24 and gateway 192.168.2.1
LAN with a gateway and has 1 network adapter eth0, identical to adapter 3a) of the debian gateway, with settings in the network manager:
static IP 192.168.2.2
mask 24
gateway 192.168.2.1
DNS, for example, 77.88.8.8
Task - what is needed:
the debian client accesses the Internet through the local 3a) interface (eth1 connection) of the debian gateway;
in turn, eth1 of the debian gateway must distribute the Internet to the client using eth0 of the same debian gateway through tun0 of the same debian gateway.
That is: ETH0 client --> ETH1 gateway --> TUN0 gateway --> ETH0 gateway --> host physical adapter --> Internet.
I think that many will now twist their fingers at their heads. I beg you, help me figure out a correctly working scheme, because I'm not sure that it is now routed-natted-working as described in the desired scheme-task above.
For the purity of the "experiment", I would like to hear from knowledgeable people exactly the solution, at least in brief, and, I emphasize, if it is at all realistic in your opinion. Do not take it for impudence ...
I hope that someone will respond!
Thanks in advance!


1 answer(s)
krosh, 2019-08-14
@krosh

Do you want to understand networks, or just to work?
If you just want to work and nothing else, start at https://www.whonix.org/. There is a gateway and a workstation, and simple instructions. Then set up the VPN client on the gateway, as on a regular Linux, and everything will work.
If you want to figure it out:
1. We make 2 VMs: Gateway and vPC. In the virtual adapter settings, we combine them into one segment of the local network. Gateway has 2 adapters: the first, external one can be NAT or a bridge for now, if you have a home network with a router; the second is local, and there you specify the name of the virtual local network segment. Both VirtualBox and VMware can do this.
2. Set up the Gateway as usual so that it gives the vPC access to the network. This is a classic topic; look for manuals on SNAT + forwarding. Once you have set it up and checked it, you can move on.
3. On the Gateway, configure the VPN client to the external VPN server. Check that locally it works through the VPN server and that the default route goes to the VPN server. Logically, the vPC will then go out to the Internet the same way. It doesn't care what happens to the traffic after it has sent it to its default gateway.
4. Learn to control the status of the connection so that there is no leakage when the VPN on the Gateway is not working, and so that DNS requests are either processed on the Gateway or go through the VPN.
5. And why Debian 9.9? Get 10 already.
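
Steps 2 to 4 of the answer above, written out as a gateway ruleset. This is an added example, not part of the original answer: it uses eth0, eth1, tun0 and 192.168.2.0/24 from the question, while the VPN server address 203.0.113.10 and port 1194/udp are constructed placeholders and the `gen_rules` helper is hypothetical.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset for the VPN gateway.
# IPv4 only: IPv6 needs an equivalent ip6tables policy or must be disabled.
# Routing also needs: sysctl -w net.ipv4.ip_forward=1

# gen_rules LAN_IF WAN_IF TUN_IF LAN_NET VPN_IP VPN_PORT VPN_PROTO
gen_rules() {
    lan_if=$1; wan_if=$2; tun_if=$3; lan_net=$4
    vpn_ip=$5; vpn_port=$6; vpn_proto=$7
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Step 2: SNAT for the client LAN, but only on the tunnel interface
-A POSTROUTING -s $lan_net -o $tun_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Step 4: client traffic (DNS included) may be forwarded only into the tunnel
-A FORWARD -i $lan_if -o $tun_if -s $lan_net -j ACCEPT
-A FORWARD -i $tun_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The gateway's own traffic: loopback, the LAN side and the tunnel
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $lan_if -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
# On the external adapter: DHCP renewals and the VPN transport itself only
-A OUTPUT -o $wan_if -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $wan_if -d $vpn_ip -p $vpn_proto --dport $vpn_port -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; as root, pipe it into iptables-restore to apply it.
gen_rules eth1 eth0 tun0 192.168.2.0/24 203.0.113.10 1194 udp
```

When tun0 is down, no rule forwards eth1 traffic to eth0, so the client loses connectivity instead of leaking past the VPN.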
