
OpenVPN -> KVM guest not working

1 vote
0 answers
295 views
I am trying to configure openvpn and shorewall to be able to connect to virtual machines without SSH tunnels. VMs are KVM with default NAT networking.

    VPN Client -> VM HOST -> VM GUESTS (22,80,443, etc.)

    VPN Client IP 10.8.0.6
    VM Guest IP 192.168.20.10

I have followed the tutorial on https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-9

The only difference is that I'm using shorewall instead of ufw, and it seems I have problems with the shorewall configuration.

VM Guest is able to connect to VPN Client, but VPN client cannot reach any virtual machine. In the shorewall logs I do not see that anything is blocked, so the question is how one-way communication works and vice versa does not.

Client routes:

    10.8.0.1 via 10.8.0.5 dev tun0
    10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
    192.168.20.0/24 via 10.8.0.5 dev tun0

VPN server / VM HOST routes:

    10.8.0.0/24 via 10.8.0.2 dev tun0
    10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
    192.168.20.0/24 dev guest proto kernel scope link src 192.168.20.1

Tcpdump on the client (client -> vm guest), connection refused:

    12:46:54.981923 IP eclipse.46456 > 192.168.20.10.ssh: Flags [S], seq 1605744015, win 64240, options [mss 1460,sackOK,TS val 2676138055 ecr 0,nop,wscale 7], length 0
    12:46:55.011195 IP 10.8.0.1 > eclipse: ICMP 192.168.20.10 tcp port ssh unreachable, length 68

Tcpdump on the client (vm guest -> client), everything OK:

    12:50:15.733952 IP 10.8.0.1.46950 > eclipse.ssh: Flags [S], seq 2778177135, win 29200, options [mss 1358,sackOK,TS val 1743090490 ecr 0,nop,wscale 6], length 0
    12:50:15.734087 IP eclipse.ssh > 10.8.0.1.46950: Flags [S.], seq 3341641521, ack 2778177136, win 65160, options [mss 1460,sackOK,TS val 3210526372 ecr 1743090490,nop,wscale 7], length 0
    12:50:15.763552 IP 10.8.0.1.46950 > eclipse.ssh: Flags [.], ack 1, win 457, options [nop,nop,TS val 1743090497 ecr 3210526372], length 0
    12:50:15.763788 IP 10.8.0.1.46950 > eclipse.ssh: Flags [P.], seq 1:41, ack 1, win 457, options [nop,nop,TS val 1743090498 ecr 3210526372], length 40
    12:50:15.763816 IP eclipse.ssh > 10.8.0.1.46950: Flags [.], ack 41, win 509, options [nop,nop,TS val 3210526401 ecr 1743090498], length 0

Any help is appreciated.
Asked by Eclipse (11 rep)
Oct 19, 2020, 10:52 AM