I have a VPS and I'm tunneling to it with OpenVPN. To connect to the VPS over the VPN I use an OpenWRT device, connected to my local LAN, and any machine in my LAN connects directly to the VPS.
For this, I've used a simple route in my router (RB2011) to route the LAN to the TUN interface.
If I understand it correctly, there will be packets coming from the tunnel to 1.2.3.120:2000 and you want to forward them to 192.168.1.31, right? If so, what is going to be their source address? If 1.2.3.1, then just add a dstnat rule to the OpenWRT device. If the source address is going to be different, then also add a masquerade rule for these packets when they are sent to the LAN.
The OpenWRT device, because that's what has 1.2.3.120. So if packets are going to be coming to 1.2.3.120 and you want to forward them elsewhere, that's the only place you can do it. And then, depending on their source address, you may or may not need an additional srcnat rule. If they will be coming from 1.2.3.0/24, you don't need it, because you already have a route to this subnet on your main router. But if they were coming from e.g. 5.6.7.8, you would either need to add another route, or you can just masquerade them. If you do the latter, they'll look to your 192.168.1.31 device like they come from 192.168.1.11, so it will send replies correctly to the OpenWRT device and it will route them back to the tunnel.
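As an added example (not from any of the posts above, and not tested on the poster's setup), here is what the dstnat rule plus the optional masquerade rule described in the replies could look like in OpenWRT's /etc/config/firewall. The addresses 1.2.3.120, 192.168.1.31, 192.168.1.11, the subnet 1.2.3.0/24 and port 2000 come from the thread; the zone names `vpn` (the tunnel interface's zone) and `lan`, and the choice of TCP for port 2000, are assumptions.

```uci
# Added example fragment for /etc/config/firewall on the OpenWRT device.
# Assumptions: the OpenVPN TUN interface is in a firewall zone named 'vpn',
# the LAN side is zone 'lan', the OpenWRT LAN address is 192.168.1.11
# and the forwarded service on 192.168.1.31 is TCP port 2000.

# 1) dstnat: packets arriving from the tunnel for 1.2.3.120:2000
#    are rewritten to 192.168.1.31:2000 and forwarded into the LAN.
config redirect
	option name 'dnat-2000-to-192.168.1.31'
	option target 'DNAT'
	option src 'vpn'
	option src_dip '1.2.3.120'
	option src_dport '2000'
	option dest 'lan'
	option dest_ip '192.168.1.31'
	option dest_port '2000'
	option proto 'tcp'

# 2) Optional srcnat: only needed when the sources are NOT in 1.2.3.0/24
#    (the main router has no route back for them). Masquerading as the
#    OpenWRT LAN address (192.168.1.11) makes 192.168.1.31 reply to
#    OpenWRT, which then routes the replies back into the tunnel.
#    Packets whose source already lies in 1.2.3.0/24 are excluded by the '!'.
config nat
	option name 'snat-foreign-sources-to-192.168.1.31'
	option target 'MASQUERADE'
	option src 'lan'
	option src_ip '!1.2.3.0/24'
	option dest_ip '192.168.1.31'
	option proto 'all'
```

After editing the file, apply it with `/etc/init.d/firewall reload` and check the counters on the DNAT and MASQUERADE rules while sending traffic from the VPS side to 1.2.3.120:2000; if the reply from 192.168.1.31 never reaches the tunnel, the second rule (or an equivalent route on the main router for the source subnet) is the first thing to verify.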