Internal routing in double NAT'ed environment

Home lab setup is almost complete, thanks in large part to info that I've found on this forum. Many thanks!

I have an Asus ac68u running OpenWRT sitting on my 192.168.1.0 home network. The ac68u is configured as a site-to-site VPN to Azure via StrongSwan. This config is working perfectly.

home ISP (1.2.3.4) <- home router (192.168.1.0) <- Asus ac68u (outside = 192.168.1.138, inside = 10.200.200.1)

Azure Site-to-Site (inside 10.20.20.0, outside = 5.6.7.8) <-> home ISP (1.2.3.4) from above.

The site-to-site VPN is working flawlessly; however, the last step in my quest is to be able to route from my Mac on the 192.168.1.0 network directly to a host (e.g. 10.200.200.5) on the inside network of the OpenWRT router. Actually, that is not completely accurate. The goal is to route directly to the Azure subnet 10.20.20.0 from my Mac located on the 192.168.1.0 network. If I'm connected directly to the 10.200.200.0 network, then everything works fine. However, I should be able to route to OpenWRT (outside -> inside) and then (inside -> outside via ipsec) to Azure.

So two questions:

  1. What do I have to configure on OpenWRT to accomplish this? Basically I need to allow inbound traffic from 192.168.1.0 to come in and then be routed back out again over ipsec.

  2. What kind of route do I need to set up on the home router (192.168.1.1)? I assume it is something like:

route 10.200.200.0/24 192.168.1.138

Please let me know if this is not clear or if there is a simpler way of doing this.

Very best regards and Thanks!
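
Added example, not part of the original post: a small longest-prefix-match model of the three hops described above, showing where a packet from the Mac goes with only the posted static route on the home router and with a second route for the Azure subnet. The /24 masks, node names, default routes and the host 10.20.20.4 are assumptions; only forward route lookup is modelled, not OpenWRT firewall forwarding, the return path, or the tunnel's traffic selectors.

```python
import ipaddress

# Constructed model of the post's topology. The /24 masks, the node names and
# the default routes are assumptions; the addresses come from the post.
ADDR = {"192.168.1.1": "home-router", "192.168.1.138": "openwrt"}

def lookup(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in table.items()]
    matches = [(n, hop) for n, hop in nets if dst in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_tables(home_static_routes):
    """Routing tables for the Mac, the home router and the OpenWRT box."""
    home = {"192.168.1.0/24": "lan", "0.0.0.0/0": "isp"}
    home.update(home_static_routes)  # static routes under test
    return {
        "mac": {"192.168.1.0/24": "lan", "0.0.0.0/0": "192.168.1.1"},
        "home-router": home,
        "openwrt": {"192.168.1.0/24": "lan", "10.200.200.0/24": "inside-lan",
                    "10.20.20.0/24": "ipsec-tunnel", "0.0.0.0/0": "192.168.1.1"},
    }

def trace(tables, dst, start="mac", max_hops=8):
    """Follow next hops from `start` until the packet leaves the modelled routers."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        node = ADDR.get(hop, hop)
        path.append(node)
        if node not in tables:  # lan, inside-lan, ipsec-tunnel or isp
            return path
    return path + ["loop"]

if __name__ == "__main__":
    posted = {"10.200.200.0/24": "192.168.1.138"}  # the route from the post
    both = dict(posted, **{"10.20.20.0/24": "192.168.1.138"})
    for name, routes in (("posted route only", posted), ("plus Azure subnet", both)):
        tables = build_tables(routes)
        for dst in ("10.200.200.5", "10.20.20.4"):  # .4 is a constructed host
            print(f"{name:18} {dst:13} {' -> '.join(trace(tables, dst))}")
```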