I have a web service which normally listens on port 9888 and provides
a RESTful interface over HTTP. If not behind a NAT, no biggie,
everything works.

If behind a NAT, the web service uses a relay service by opening a
client connection to the relay server. Clients then should be able to
connect to the web service by connecting to a published port on the
relay server, which then funnels the data over the existing connection
to the web service.

The problem is that I'd really like the existing web service to not
know anything about this (changing it involves rewriting major pieces
of the infrastructure). I'd like it to continue thinking that it is
just listening on port 9888 locally for the data coming back over the
client connection to the relay service.

Can vtun be used for this purpose?

example diagrams:

non-NAT operation:
WS | <---- port 9888 -----> | client

NAT operation (WS and local proxy client on same machine):
WS <-- port 9888 --> local proxy client | <-- port X --> | relay
service | <-- port Y ---> | client

Can vtun fill this role? Easy to setup?

Thanks,
Gary