SNAT from Port-forward over VPN

[sirianthe3rd]

Hello all, I am looking for some help regarding a special kind of configuration that I am trying to get working. I have a server that is in another location that has a VPN tunnel to a datacenter with a static IP. So, the datacenter has an Internet connection with a static IP, and the other has an Internet connection behind CG-NAT. There is a VPN tunnel between them that works as intended. What I am trying to accomplish is to host a server behind the OPNsense box with the CG-NAT by bringing in the traffic via the site with the static IP.

To keep traffic symmetrical, I am thinking to source NAT the traffic coming in to the datacenter so that it get correctly routed back to the firewall with the static IP, otherwise it will go out the connection with the default out of the CG-NAT interface and get stopped by that site's OPNsense box.

For instance:

Inbound:
Source of traffic 1.1.1.1 -> DST public IP 2.2.2.2 -> Port Forward / DNAT -> Real Server 10.10.10.2 -> SNAT 192.168.10.2 -> VPN tunnel -> Server 10.10.10.2

Outbound:
Source of traffic 10.10.10.2 -> DST IP 192.168.10.2 -> VPN tunnel -> Datacenter OPNsense -> Reverse SNAT 10.10.10.2 to Public IP 2.2.2.2 -> Destination 1.1.1.1

Is this possible? So far I haven't been able to get it working. Thanks!

[bartjsmit]

If traffic == http, you could consider a web proxy