
I have a VPS running an OpenVPN Access Server and a Raspberry Pi running an OpenVPN Client. The client is connected to the server, and I would like to access the client via SSH through the server. Thus, I forward port 667 on the server to port 22 on the client with the following two rules:

sudo iptables -t nat -I PREROUTING 1 -d {WAN-IP} -p tcp --dport 667 -j DNAT --to-dest 172.27.200.2:22
sudo iptables -t nat -I POSTROUTING 1 -d 172.27.200.2 -p tcp --dport 667 -j SNAT --to-source {WAN-IP}

However, the connection attempt hangs. tcpdump shows that the [S] packets are coming in from the source initiating the connection, but there is no response on the server's end, not even a "connection refused". I also cannot ping the server's VPN IP from the client. Clearing the server's existing iptables rules and then applying the new ones fixes this, but breaks the functionality of the VPN, rendering the client unable to access the internet.

These are the iptables rules which cause the connection to hang. What would be the way to fix this without breaking the functionality of the VPN?

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             {WANIP}              tcp dpt:667 to:172.27.200.2:22
AS0_NAT_PRE_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       tcp  --  anywhere             172.27.200.2         tcp dpt:667 to:172.27.232.1
AS0_NAT_POST_REL_EST  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_NAT_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000

Chain AS0_NAT (3 references)
target     prot opt source               destination         
SNAT       all  --  anywhere             anywhere             to:{WAN-IP}
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_POST_REL_EST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_PRE (1 references)
target     prot opt source               destination         
AS0_NAT    all  --  anywhere             anywhere             mark match 0x8000000/0x8000000
AS0_NAT_TEST  all  --  anywhere             169.254.0.0/16      
AS0_NAT_TEST  all  --  anywhere             192.168.0.0/16      
AS0_NAT_TEST  all  --  anywhere             172.16.0.0/12       
AS0_NAT_TEST  all  --  anywhere             10.0.0.0/8          
AS0_NAT    all  --  anywhere             anywhere            

Chain AS0_NAT_PRE_REL_EST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_NAT_TEST (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             mark match 0x4000000/0x4000000
ACCEPT     all  --  anywhere             172.27.200.0/24     
ACCEPT     all  --  anywhere             172.27.224.0/20     
AS0_NAT    all  --  anywhere             anywhere   

KEY: VPS WAN-IP = {WANIP}, VPS VPN-IP = 172.27.232.1, Client VPN-IP = 172.27.200.2

EDIT: Here are the results of iptables-save.

# Generated by iptables-save v1.8.7 on Tue Aug  2 05:18:22 2022
*mangle
:PREROUTING ACCEPT [3503:176762]
:INPUT ACCEPT [9309:2594148]
:FORWARD ACCEPT [16:920]
:OUTPUT ACCEPT [8990:4483087]
:POSTROUTING ACCEPT [8994:4483331]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Tue Aug  2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug  2 05:18:22 2022
*filter
:INPUT ACCEPT [3179:157338]
:FORWARD ACCEPT [1:52]
:OUTPUT ACCEPT [8988:4482919]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 172.27.200.2/32 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Tue Aug  2 05:18:22 2022
# Generated by iptables-save v1.8.7 on Tue Aug  2 05:18:22 2022
*nat
:PREROUTING ACCEPT [3273:165446]
:INPUT ACCEPT [3268:165034]
:OUTPUT ACCEPT [224:15606]
:POSTROUTING ACCEPT [225:15658]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -d {WAN-IP}/32 -p tcp -m tcp --dport 667 -j DNAT --to-destination 172.27.200.2:22
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -d 172.27.200.2/32 -p tcp -m tcp --dport 667 -j SNAT --to-source {WAN-IP}
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o ens3 -j SNAT --to-source {WAN-IP}
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.200.0/24 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Tue Aug  2 05:18:22 2022

EDIT2: I got it to work using the three rules indicated in this post on a completely reset, unmodified server instance: https://unix.stackexchange.com/questions/449853/port-forwarding-using-openvpn-client

  • Paste iptables-save instead.
    – Tom Yan
    Commented Aug 2, 2022 at 4:55
  • @TomYan I have added the printout.
    – MP5 Lover
    Commented Aug 2, 2022 at 5:21
  • What subnet mask / prefix length are you using on the server and the client for their VPN IP? Any particular reason for using 172.27.232.1 on the server instead of 172.27.200.1? Does the default route of the server lead to the VPN tunnel (i.e. "redirect-gateway" or equivalent)?
    – Tom Yan
    Commented Aug 2, 2022 at 6:10
  • Assuming the SNAT rule is actually needed (because the server isn't the "default gateway" of the client), it should have --dport 22 and --to-source {VPS VPN-IP} instead.
    – Tom Yan
    Commented Aug 2, 2022 at 6:18
  • @TomYan I changed the subnet to 172.27.232.0/24 for the clients' static IPs, but it still does not work. I am not sure if the default route leads to the VPN tunnel. How would I find that out? Lastly, the SNAT rule seems to be unnecessary. When I omit it after flushing the iptables, the single DNAT rule works – aside from not functioning as a VPN.
    – MP5 Lover
    Commented Aug 2, 2022 at 6:57
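Added example, not part of the question, the comments, or OpenVPN Access Server's own tooling. The posted iptables-save shows why the DNAT alone hangs on an otherwise untouched Access Server: the rewritten SYN leaves through as0t+, and in the filter table that path is FORWARD -o as0t+ -> AS0_OUT_S2C -> AS0_OUT -> AS0_OUT_POST -> DROP, so a new server-to-client flow never reaches the client. It also shows why the posted SNAT rule is dead: POSTROUTING sees the tuple after DNAT, so matching --dport 667 can never fire (Tom Yan's point about --dport 22 and the server's VPN address). The script below generates the three rules in the order they need to be inserted, lints a SNAT rule for that port mismatch, and prints the checks to run on the server. Interface ens3, the VPN addresses and the ports are taken from the post; {WAN-IP} is stood in for by a documentation-range address, and both are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not code from the question or from OpenVPN Access Server.
# Generates (and optionally applies) the rules needed to reach the VPN client's
# sshd through the server, plus a small lint for the SNAT mistake discussed in
# the comments. All addresses/interfaces below are assumptions taken from the
# post; {WAN-IP} is stood in for by a documentation-range address.

WAN_IF="ens3"                 # outbound interface used in the AS0_NAT chain
WAN_IP="203.0.113.10"         # stand-in for {WAN-IP}
VPN_IF="as0t+"                # Access Server tunnel interfaces (iptables wildcard)
SERVER_VPN_IP="172.27.232.1"  # VPS VPN-IP from the KEY line
CLIENT_VPN_IP="172.27.200.2"  # client VPN-IP from the KEY line
EXT_PORT="667"
INT_PORT="22"

# Emit the three rules in the order they should be inserted.
forward_rules() {
    # 1. Rewrite WAN:667 to client:22 before routing.
    printf 'iptables -t nat -I PREROUTING 1 -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$WAN_IP" "$EXT_PORT" "$CLIENT_VPN_IP" "$INT_PORT"
    # 2. The rewritten SYN is forwarded out as0t+. In the posted filter table that
    #    path is FORWARD -o as0t+ -> AS0_OUT_S2C -> AS0_OUT -> AS0_OUT_POST -> DROP,
    #    so the ACCEPT has to sit at position 1, ahead of the AS0_OUT_S2C jump.
    printf 'iptables -I FORWARD 1 -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$VPN_IF" "$CLIENT_VPN_IP" "$INT_PORT"
    # 3. POSTROUTING sees the tuple after DNAT, so match port 22 (not 667) and
    #    source-NAT to the server's VPN address so the client's replies come back
    #    through the tunnel rather than via the client's own default route.
    printf 'iptables -t nat -I POSTROUTING 1 -o %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$VPN_IF" "$CLIENT_VPN_IP" "$INT_PORT" "$SERVER_VPN_IP"
}

# Classify a POSTROUTING SNAT rule: "ok" if it matches the post-DNAT port,
# "dport-mismatch" if it still matches the external port (it can never fire),
# "no-dport" if it does not filter on a destination port at all.
lint_snat() {
    case "$1" in
        *"--dport $INT_PORT "*|*"--dport $INT_PORT") echo ok ;;
        *"--dport $EXT_PORT "*|*"--dport $EXT_PORT") echo dport-mismatch ;;
        *) echo no-dport ;;
    esac
}

# Commands to run on the server to confirm the path end to end:
# forwarding enabled, route to the client via the tunnel, rule order, conntrack entry.
diagnostics() {
    cat <<EOF
sysctl net.ipv4.ip_forward
ip route get $CLIENT_VPN_IP
iptables -t nat -L PREROUTING -nv --line-numbers
iptables -L FORWARD -nv --line-numbers
conntrack -L -p tcp -d $CLIENT_VPN_IP --dport $INT_PORT
EOF
}

# The SNAT rule as posted in the question (constructed from the post), for the lint.
POSTED_SNAT="iptables -t nat -I POSTROUTING 1 -d $CLIENT_VPN_IP -p tcp --dport $EXT_PORT -j SNAT --to-source $WAN_IP"

if [ "${1:-}" = "--apply" ]; then
    forward_rules | sh -e        # needs root; review the printed rules first
else
    echo "# rules to apply (run with --apply as root):"
    forward_rules
    echo "# posted SNAT rule: $(lint_snat "$POSTED_SNAT")"
    echo "# checks:"
    diagnostics
fi
```

Run it without arguments to review the generated rules and the lint verdict, then with --apply as root. Access Server manages the AS0_* chains itself, so re-run `iptables -L FORWARD -nv --line-numbers` after it restarts to confirm the ACCEPT still precedes the AS0_OUT_S2C jump. If `ip route get 172.27.200.2` does not point at an as0t interface, the server has no tunnel route to the client and no NAT rule will help.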
