Postrouting chain for VPN00 had no packets going in or out => tun00 interface had no NAT, and it’s not listed in NAT enabled interfaces.

If adding manually

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

routing from ETH00 -> VPN00 works.

Based on that, I found this thread which deals with the same thing.