MASQUERADE set, ip_forward enabled, OpenVPN connected, however DNAT failed
I have a Linode running Arch Linux with the latest generic x64 kernel (not the Linode-modified version) and all the latest software. I set up an OpenVPN server on it and I'm able to connect from somewhere else.
The weird problem is: I've set net/ipv4/ip_forward to 1 and added an iptables MASQUERADE rule, with everything else left at the default ACCEPT. In tcpdump I can see that the packets' source addresses have been rewritten by MASQUERADE. However, the response packets are not DNATed back to the VPN client; I see no return packets with tcpdump -i tun0.
I also tried setting SNAT and DNAT for a single TCP port, which ends up in the same situation.
My network is configured by systemd-networkd.
iptables -t nat -A POSTROUTING -s 172.30.0.0/16 -j MASQUERADE
Please help me out. Thanks.
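The post lists several things that all have to be in place for a VPN client's traffic to be NATed out and for the replies to come back in, but does not show which one is actually missing. The following is an added diagnostic script, not part of the original question, that checks those prerequisites in one pass: ip_forward is 1, the nat POSTROUTING chain has a MASQUERADE or SNAT rule for the VPN subnet, the FORWARD chain policy is not DROP, and the kernel has a route for the VPN subnet through the tunnel device (without that route, de-NATed replies have no way back to tun0, which is the symptom described). The subnet (172.30.0.0/16) and device (tun0) come from the post; the sample `iptables-save` and `ip route` outputs embedded below are constructed, not captured from the poster's machine, and only illustrate the formats the checks parse.

```shell
#!/bin/sh
# Added diagnostic for the situation in the question above (not from the original post).
# Checks the prerequisites for NAT-ing OpenVPN clients through the server:
#   1. net.ipv4.ip_forward = 1
#   2. a POSTROUTING MASQUERADE/SNAT rule covering the VPN subnet
#   3. a FORWARD chain whose policy is not DROP
#   4. a kernel route for the VPN subnet via the tunnel device (return path)
# Every input is passed as text, so the checks run against live output or a captured copy.

VPN_SUBNET="${VPN_SUBNET:-172.30.0.0/16}"   # subnet from the question's MASQUERADE rule
VPN_DEV="${VPN_DEV:-tun0}"                  # interface the question captures on

# Constructed sample inputs in the formats printed by `iptables-save -t nat`,
# `iptables-save -t filter` and `ip -4 route` (not taken from the poster's host).
SAMPLE_NAT_OK='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.30.0.0/16 -j MASQUERADE
COMMIT'
SAMPLE_NAT_MISSING='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
SAMPLE_FILTER_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_FILTER_DROP='*filter
:FORWARD DROP [0:0]
COMMIT'
SAMPLE_ROUTES_OK='default via 203.0.113.1 dev eth0
172.30.0.0/16 dev tun0 proto kernel scope link src 172.30.0.1'
SAMPLE_ROUTES_NOTUN='default via 203.0.113.1 dev eth0'

# check_nat_prereqs IP_FORWARD NAT_TABLE FILTER_TABLE ROUTES
# Prints one line per missing prerequisite; returns 0 only when nothing is missing.
check_nat_prereqs() {
    fwd="$1"; nat="$2"; filt="$3"; routes="$4"; rc=0
    subnet_re=$(printf '%s' "$VPN_SUBNET" | sed 's/\./\\./g')   # escape dots for grep -E

    [ "$fwd" = 1 ] || { echo "ip_forward is '$fwd', expected 1"; rc=1; }

    printf '%s\n' "$nat" | grep -Eq -- "^-A POSTROUTING .*-s $subnet_re .*-j (MASQUERADE|SNAT)" \
        || { echo "no POSTROUTING MASQUERADE/SNAT rule for $VPN_SUBNET in the nat table"; rc=1; }

    printf '%s\n' "$filt" | grep -Eq -- '^:FORWARD DROP' \
        && { echo "FORWARD chain policy is DROP; forwarded packets need an explicit ACCEPT rule"; rc=1; }

    printf '%s\n' "$routes" | grep -Eq -- "^$subnet_re .*dev $VPN_DEV( |$)" \
        || { echo "no kernel route for $VPN_SUBNET via $VPN_DEV; de-NATed replies cannot reach the client"; rc=1; }

    return $rc
}

# live_check: run the same checks against this host (iptables-save needs root).
live_check() {
    check_nat_prereqs "$(cat /proc/sys/net/ipv4/ip_forward)" \
                      "$(iptables-save -t nat)" "$(iptables-save -t filter)" "$(ip -4 route)"
}

if [ "${1:-}" = "--live" ]; then
    live_check && echo "all NAT/forwarding prerequisites present"
else
    echo "sample (complete):"
    check_nat_prereqs 1 "$SAMPLE_NAT_OK" "$SAMPLE_FILTER_OK" "$SAMPLE_ROUTES_OK" && echo "  nothing missing"
    echo "sample (broken):"
    check_nat_prereqs 0 "$SAMPLE_NAT_MISSING" "$SAMPLE_FILTER_DROP" "$SAMPLE_ROUTES_NOTUN" || true
fi
```

Run it with `--live` on the server as root to test the real tables and routes; without arguments it only exercises the embedded samples. If every check passes and tcpdump on tun0 still shows no replies, the problem lies outside what the post lists (conntrack state, the interface the outbound rule matches, or the route on the client side), and the captures on eth0 and tun0 should be compared next.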