Hello,
It looks like the HQ FW is NATing all the traffic coming out of the tunnel from Site B to the HQ firewall's LAN interface IP.
Is there a specific requirement to do this? If not, you can just remove this NATing rule so the server at HQ can see clients with their real IP addresses.
If there is a specific requirement, then you will have to deploy a NAT that does one-to-one translation, e.g. 10.20.4.x translates to 10.20.5.x, 10.20.4.y translates to 10.20.5.y, and so on.
Try applying a simple NAT on the trust side interface on HQ as below:
set interface "bgroup0" mip 10.20.5.0/24 host 10.20.4.0/24 netmask 255.255.255.0 vr "trust-vr"
Regards,
Rushi
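
Added example, not part of the original post: a Python model of the two behaviours discussed above, showing why a one-to-one subnet mapping keeps clients distinguishable in the HQ server's logs while NAT to a single interface IP does not. The two subnets come from the post; the client addresses and the interface IP (`LAN_IP`, from a documentation range) are constructed.

```python
import ipaddress

# Subnets from the MIP statement in the post.
HOST_NET = ipaddress.ip_network("10.20.4.0/24")  # real client addresses
MIP_NET = ipaddress.ip_network("10.20.5.0/24")   # addresses seen after translation

# Constructed sample data (not from the post).
LAN_IP = "192.0.2.1"  # placeholder for the HQ firewall's LAN interface IP
CLIENTS = ["10.20.4.17", "10.20.4.42", "10.20.4.200"]


def static_map(addr, src_net, dst_net):
    """One-to-one subnet NAT: keep the host bits, swap the network bits."""
    ip = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("one-to-one mapping needs equal-sized subnets")
    if ip not in src_net:
        raise ValueError(f"{ip} is outside {src_net}; no mapping exists")
    offset = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def interface_nat(addr, interface_ip):
    """Many-to-one source NAT: every client is rewritten to one address."""
    ipaddress.ip_address(addr)  # validate the input only
    return interface_ip


def distinct_sources(clients, translate):
    """Number of distinct source addresses the HQ server would log."""
    return len({translate(c) for c in clients})


if __name__ == "__main__":
    for c in CLIENTS:
        mapped = static_map(c, HOST_NET, MIP_NET)
        # The mapping is reversible, so a log entry can be traced to a client.
        original = static_map(mapped, MIP_NET, HOST_NET)
        print(f"{c} -> {mapped} -> {original}")
    print("one-to-one:", distinct_sources(
        CLIENTS, lambda c: static_map(c, HOST_NET, MIP_NET)), "sources")
    print("interface NAT:", distinct_sources(
        CLIENTS, lambda c: interface_nat(c, LAN_IP)), "source")
```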