To further clarify, the intended way to verify a request is from Nightbot is to compare its reverse DNS in both directions:
$ dig A z.y.x.w.tun.nightbot.net
...
z.y.x.w.tun.nightbot.net. 300 IN A w.x.y.z
$ dig -x w.x.y.z
...
w.x.y.z.in-addr.arpa. 86400 IN PTR z.y.x.w.tun.nightbot.net.
The IPs don’t matter in question, but you want to ensure that on both sides it ends with nightbot.net