The dNAT rule looks fine; as the destination address you could specify the VTUN interface address.
However, on 2nd reading, I believe the Synology should still be reachable on port 5000 from WAN, not from VTUN.
This means you don't need dNAT, but the PBR rule needs an exclusion:
modify OPENVPN_ROUTE {
    rule 5 {
        action accept
        description "ReturnTrafficPortMappingSynology"
        source {
            address 192.168.2.21/32
            port 5000
        }
        protocol tcp_udp
    }
}