linux
Ajex, 2014-11-21 17:27:21

How to set up routing (port forwarding) from the Internet via tun to a local network behind NAT?

There is a standard dedicated Linux server (Debian) with an external interface, let's say 91.91.91.91 (External server).
There is a virtual machine somewhere in the depths of the enterprise, behind a bunch of NATs but with normal access to the Internet, on which the web server is running (Internal server).
A tunnel has been set up between the External and Internal servers (it doesn't matter how; let's say even the standard ssh -w0:0 ...). I.e. tun0 interfaces are up, with addresses 10.0.1.1 on the Internal and 10.0.1.2 on the External.
The servers ping each other at these addresses normally, and the required web server, which runs on the Internal server (at the local address 10.0.1.1), is also reachable from the External server.
The task is simple: open access to this server from outside, so that you can go to the External server at its Internet address 91.91.91.91 and get a response from the web server on the Internal server 10.0.1.1. At the same time, the web server logs should show the real Internet IP addresses of visitors, not the IP address of the gateway.
I'm trying to add a rule on the External server:
iptables -t nat -A PREROUTING -p tcp -d 91.91.91.91 --dport 80 -j DNAT --to-destination 10.0.1.1:80 (I haven't forgotten forwarding in sysctl)
The traffic passes one way, but not back. I.e. with a sniffer on the Internal server I see the request, but the reply doesn't go out.
If I understand correctly, I need to add a routing rule on the Internal server so that the NATed packets go back through the tun0 interface, but I'm doing something wrong, so the return path doesn't work.
The network diagram is: External [ eth0 91.91.91.91, tun0 10.0.1.2 ] <=> Internal [ tun0 10.0.1.1, eth0 192.168.0.50 ]. On both servers at the moment: default gw eth0.
So the traffic should go like this: 91.91.91.91 <=80=> 10.0.1.2 <=80=> 10.0.1.1


1 answer(s)
Armenian Radio, 2014-11-21
@gbg

The internal server should have a default gateway of 10.0.1.2
route add default gw 10.0.1.2
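The answer above fixes the asymmetric routing: the web server's replies carry source 10.0.1.1 and destination "real visitor IP", so with the default gateway on eth0 they leave through the corporate NAT instead of back into the tunnel and never reach the External server's conntrack entry. The script below is an added example (not code from the thread or from either poster) that wires up both ends of the topology in the question: the DNAT and FORWARD rules on the External server, the accepted answer's default-route change on the Internal server, and an alternative that keeps the corporate default gateway and sends only 10.0.1.1-sourced packets back through tun0 with policy routing. The addresses and interface names come from the question; the routing table number 100 and the DRY_RUN switch are assumptions of this example. No SNAT/MASQUERADE is applied to the web traffic on purpose, which is what keeps the real client IPs in the web server logs.

```shell
#!/bin/sh
# Added example: port-forward 91.91.91.91:80 through tun0 to 10.0.1.1:80 and
# make the replies come back the same way. Addresses are those of the question;
# table id 100 and DRY_RUN are assumptions of this example.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}

EXT_PUB=91.91.91.91     # External server, eth0
EXT_TUN=10.0.1.2        # External server, tun0
INT_TUN=10.0.1.1        # Internal server, tun0 (web server listens here)
TUN_IF=tun0
WEB_PORT=80
RT_TABLE=100            # assumed: unused routing-table id on the Internal server

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# External server: DNAT the public port into the tunnel and permit only that
# flow in FORWARD, so the tunnel does not become a general route into the LAN.
# No SNAT here: the visitor's real address must stay as the packet source.
external_server() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -p tcp -d "$EXT_PUB" --dport "$WEB_PORT" \
        -j DNAT --to-destination "$INT_TUN:$WEB_PORT"
    run iptables -A FORWARD -o "$TUN_IF" -p tcp -d "$INT_TUN" --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -p tcp -s "$INT_TUN" --sport "$WEB_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Internal server, variant A (the accepted answer): all outbound traffic,
# including the web replies, now leaves through the tunnel.
internal_default_route() {
    run ip route replace default via "$EXT_TUN" dev "$TUN_IF"
}

# Internal server, variant B: keep the corporate default gateway on eth0 and
# route only packets sourced from the tunnel address (i.e. replies to the
# DNATed web traffic) through the tunnel, using a dedicated routing table.
internal_policy_route() {
    run ip route replace default via "$EXT_TUN" dev "$TUN_IF" table "$RT_TABLE"
    run ip rule add from "$INT_TUN" lookup "$RT_TABLE"
}

case "${1:-}" in
    external)         external_server ;;
    internal-default) internal_default_route ;;
    internal-policy)  internal_policy_route ;;
esac
```

Run it as `sh forward.sh external` on the External server and `sh forward.sh internal-policy` (or `internal-default`) on the Internal server; check the result with `ip rule show` and `ip route show table 100`. Caveat for variant A: once the Internal server's default route points into the tunnel, all of its other Internet traffic also arrives at the External server with source 10.0.1.1 and will need a MASQUERADE rule there, otherwise the Internal server loses Internet access. Variant B avoids that, because the corporate gateway still handles everything not sourced from 10.0.1.1. In both variants, check that conntrack on the External server has the DNAT entry (`conntrack -L` or /proc/net/nf_conntrack) when debugging a flow that is still one-way.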
