
Background info is available from this question: How to make a Google Cloud VM forward Minecraft traffic to an OpenVPN client?

I have an OpenVPN network currently set up in "tap" mode, with the Google VM as the server and a Raspberry Pi 3 client running a Minecraft server. I want to replace the Pi 3 with a Pi 4 by adding it as a new OpenVPN client.

I successfully set up the OpenVPN configs for all the machines, and the Pi 4 can ping the cloud VM and the other clients, and vice versa.

In order to move from the Pi 3 to the Pi 4, I executed:

# iptables -F
# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25565 -j DNAT --to-destination 10.8.0.6:25565
# iptables -A FORWARD -p tcp -d 10.8.0.6 --dport 25565 -j ACCEPT
# iptables -A POSTROUTING -t nat -s 10.8.0.6 -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -d 10.8.0.6 -o tap0 -j MASQUERADE

Note that the local IP of the Pi 3 is 10.8.0.3 and that of the Pi 4 is 10.8.0.6.

I saved the settings using iptables-save and rebooted. However, nmap shows port 25565 as "closed" for the VM and I am unable to connect a Minecraft client.

When I redo the above steps with 10.8.0.3 instead of 10.8.0.6 and use the Pi 3 config file for the Pi 4, I am able to connect.

Here is the output of iptables-save:

# Generated by iptables-save v1.6.0 on Sun Dec  1 08:08:18 2019
*filter
:INPUT ACCEPT [269:342903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [246:49036]
-A FORWARD -d 10.8.0.6/32 -p tcp -m tcp --dport 25565 -j ACCEPT
COMMIT
# Completed on Sun Dec  1 08:08:18 2019
# Generated by iptables-save v1.6.0 on Sun Dec  1 08:08:18 2019
*nat
:PREROUTING ACCEPT [26:6833]
:INPUT ACCEPT [7:482]
:OUTPUT ACCEPT [22:1420]
:POSTROUTING ACCEPT [22:1420]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 10.8.0.3:25565
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 10.8.0.6:25565
-A POSTROUTING -s 10.8.0.3/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.8.0.3/32 -o tap0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.8.0.6/32 -o tap0 -j MASQUERADE
COMMIT
# Completed on Sun Dec  1 08:08:18 2019

Diff of the two config files, apart from the private keys and timestamps:

216c216
<                 DNS:rpi4
---
>                 DNS:picraft

1 Answer

Because you haven't flushed the nat table, and the matching parts of the two DNAT rules are identical, the rule that was appended earlier (--to-destination 10.8.0.3:25565) is in effect, while the one appended later (--to-destination 10.8.0.6:25565) is ignored.

So instead of just iptables -F (which only flushes -t filter), also run iptables -F -t nat (or iptables-restore from both /usr/share/iptables/empty-filter.rules and /usr/share/iptables/empty-nat.rules).
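A way to avoid the stale-rule problem altogether, as an added example that is not code from the question or the answer above: generate the complete filter and nat ruleset for one target client and load it with iptables-restore, which (without --noflush) replaces every table it contains in one step, so an old DNAT entry cannot survive a migration. The script also includes a small check that counts DNAT rules for the port in an iptables-save dump; run over the dump from the question (reproduced inline as a constructed sample) it reports 2, which is the shadowing the answer describes. Interface names eth0 and tap0 and port 25565 are taken from the question; the persistence path /etc/iptables/rules.v4 is an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Builds the COMPLETE filter+nat ruleset for forwarding TCP/25565 from eth0 to one
# OpenVPN client and loads it with iptables-restore, which replaces both tables in
# one step. Appending with `iptables -A` after a bare `iptables -F` leaves the old
# DNAT rule in the nat table, and PREROUTING fires only the first matching rule.
# Assumptions (from the question): WAN interface eth0, OpenVPN interface tap0,
# Minecraft on TCP 25565; the client's VPN address is the first argument.

# Emit an iptables-save style ruleset for one target client.
gen_rules() {
    target="$1"           # VPN address of the client, e.g. 10.8.0.6
    port="${2:-25565}"    # Minecraft port
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d ${target}/32 -p tcp -m tcp --dport ${port} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport ${port} -j DNAT --to-destination ${target}:${port}
-A POSTROUTING -s ${target}/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d ${target}/32 -o tap0 -j MASQUERADE
COMMIT
EOF
}

# Count DNAT rules for a port in a ruleset read from stdin. Only the first one in
# PREROUTING can ever match, so a count above 1 means a stale rule is shadowing
# the intended one (exactly the situation in the iptables-save output above).
count_dnat() {
    grep -c -- "-A PREROUTING .*--dport $1 -j DNAT"
}

# Constructed sample: the nat section of the iptables-save dump from the question,
# reproduced here so the check can be run offline.
STALE_DUMP=$(cat <<'EOF'
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 10.8.0.3:25565
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25565 -j DNAT --to-destination 10.8.0.6:25565
-A POSTROUTING -s 10.8.0.3/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.8.0.3/32 -o tap0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.6/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d 10.8.0.6/32 -o tap0 -j MASQUERADE
COMMIT
EOF
)

# Load the ruleset for real (needs root):   sh forward.sh --apply 10.8.0.6
# Without --apply only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "--apply" ]; then
    gen_rules "$2" | iptables-restore && \
        iptables-save > /etc/iptables/rules.v4   # persistence path is an assumption
fi
```

After loading, confirm with `iptables -t nat -S PREROUTING` that exactly one DNAT rule remains, and watch its packet counter in `iptables -t nat -L PREROUTING -n -v --line-numbers` increment while a client connects; if the counter stays at zero, the packet is being matched by another rule earlier in the chain.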

