You'll see a wireguard network interface on all the connected devices, and you can configure some private address subnet on it, like 192.168.1.0/24 and give the devices some addresses from this range.

Then you can just talk between any of the devices via this subnet. Wireguard will securely tunnel the traffic.

https://www.wireguard.com/

DNAT is just a concept https://en.wikipedia.org/wiki/Network_address_translation

You can set it up using iptables or nftables.

You don't need to use nginx, use http reverse proxy you know.