Pure iptables solution:
# redirect to squid
iptables -t nat -A PREROUTING --src 10.13.37.0/24 -p tcp -m tcp --dport http \
-j DNAT --to-destination 172.27.0.1:8080
# route clients to squid
sysctl -w net.ipv4.ip_forward=1
iptables -t filter -I FORWARD --src 10.13.37.0/24 --dst 172.27.0.1 \
-p tcp -m tcp --dport 8080 \
-j ACCEPT
iptables -t filter -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED \
-j ACCEPT
# masquerade (snat) clients in case the VPN doesn't know about the LAN
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
Another solution based on iptables and socat, in case you don't want to touch iptables much:
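# REDIRECT rewrites the destination to the primary address of the interface
# the packet arrived on (not 127.0.0.1), so socat must listen on that address.
iptables -t nat -A PREROUTING --src 10.13.37.0/24 -p tcp -m tcp --dport http \
-j REDIRECT --to-ports 8080
LAN_IP=LAN_INTERFACE_ADDRESS  # placeholder: this host's address on the interface the 10.13.37.0/24 clients arrive on
socat TCP4-LISTEN:8080,bind="$LAN_IP",fork TCP4:172.27.0.1:8080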
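
To confirm that the pure iptables variant is fully in place, the script below (an added example, not part of the original page) checks an `iptables-save` dump for the DNAT, FORWARD, conntrack and MASQUERADE rules. The function names and the embedded dump are constructed for illustration, and the policy check assumes the FORWARD policy is meant to be DROP.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules the DNAT setup needs.
# SAMPLE_DUMP is constructed for illustration, not captured from a real host.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.13.37.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.27.0.1:8080
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.13.37.0/24 -d 172.27.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# Escape dots so an address is matched literally inside a regular expression.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# has_rule DUMP REGEX: succeeds if any line of DUMP matches REGEX.
has_rule() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# audit_proxy_rules DUMP CLIENT_NET PROXY_IP PROXY_PORT
# Prints one finding per line and nothing when every expected rule is present.
audit_proxy_rules() {
    dump=$1 port=$4
    net=$(re_escape "$2") ip=$(re_escape "$3")
    has_rule "$dump" "^-A PREROUTING -s ${net} .*--dport 80 -j DNAT --to-destination ${ip}:${port}\$" \
        || echo "missing: DNAT of port 80 from $2 to $3:$port"
    has_rule "$dump" "^-A FORWARD -s ${net} -d ${ip}(/32)? .*--dport ${port} -j ACCEPT\$" \
        || echo "missing: FORWARD accept from $2 to $3:$port"
    # iptables-save prints the states as RELATED,ESTABLISHED; accept either order.
    has_rule "$dump" '^-A FORWARD .*--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || echo "missing: FORWARD accept for ESTABLISHED,RELATED return traffic"
    has_rule "$dump" '^-A POSTROUTING .*-o [^ ]+ .*-j MASQUERADE$' \
        || echo "missing: MASQUERADE bound to an outgoing interface"
    # Assumption: the policy should be DROP. With ACCEPT, the explicit ACCEPT
    # rules add nothing and other ports are forwarded without the proxy.
    has_rule "$dump" '^:FORWARD DROP' \
        || echo "warning: FORWARD policy is not DROP, non-HTTP traffic bypasses the proxy"
    return 0
}
```

On a live gateway, run it as root with `audit_proxy_rules "$(iptables-save)" 10.13.37.0/24 172.27.0.1 8080`.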