I wouldn’t expose ports or port forward to the WAN → LAN in this case. The traffic will be unencrypted on the Public Internet when it hits WAN. You’d be better off setting up an S2S over WireGuard. Ensure you set a Preshared Key (PSK) for maximum security.
This assumes your Public Internet IP is not behind CG-NAT. If your ISP confirms that’s the case, this will not work.
Side note: I would really diagram your current & desired topology if only to help those following along at home.
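The site-to-site WireGuard tunnel with a preshared key recommended above, as an added example that is not part of the original post. It assumes two Linux gateways using `wg-quick`; every address, subnet, port and key placeholder is constructed for illustration and must be replaced with your own values.

```ini
# ---- Site A gateway: /etc/wireguard/wg0.conf ----
# Assumed layout (constructed): Site A LAN 192.168.10.0/24, Site B LAN 192.168.20.0/24,
# tunnel network 10.99.0.0/30, public IPs taken from documentation ranges.
# Key pair per site:   wg genkey | tee privatekey | wg pubkey > publickey
# PSK, generated once: wg genpsk   (the same value goes in both [Peer] sections)
[Interface]
PrivateKey = <SITE_A_PRIVATE_KEY>
Address = 10.99.0.1/30
ListenPort = 51820

[Peer]
# Site B
PublicKey = <SITE_B_PUBLIC_KEY>
# Symmetric key mixed into the handshake on top of the public-key exchange
PresharedKey = <SHARED_PSK>
Endpoint = 198.51.100.20:51820
# Only the remote tunnel address and the remote LAN are accepted from this peer
AllowedIPs = 10.99.0.2/32, 192.168.20.0/24
PersistentKeepalive = 25

# ---- Site B gateway: /etc/wireguard/wg0.conf ----
[Interface]
PrivateKey = <SITE_B_PRIVATE_KEY>
Address = 10.99.0.2/30
ListenPort = 51820

[Peer]
# Site A
PublicKey = <SITE_A_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.99.0.1/32, 192.168.10.0/24
PersistentKeepalive = 25
```

`wg-quick` installs routes for the `AllowedIPs` ranges, but each gateway also needs IP forwarding enabled (on Linux, `net.ipv4.ip_forward=1`) to pass LAN traffic through the tunnel. Keep both config files readable only by root, since they hold the private key and the PSK.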