Seems to be working fine for me.
dietpi@kakadu:[~]$ ip ru sh
0: from all lookup local
16000: from all sport 1190 lookup 100
32766: from all lookup main
32767: from all lookup default
dietpi@kakadu:[~]$ ip ro li tab 100
default via 172.30.30.1 dev eth0
dietpi@kakadu:[~]$ ip ro li tab main
0.0.0.0/1 via 10.17.0.1 dev proton0
default via 172.30.30.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.17.0.0/16 dev proton0 proto kernel scope link src 10.17.0.13
107.152.101.211 via 172.30.30.1 dev eth0
128.0.0.0/1 via 10.17.0.1 dev proton0
172.30.30.0/24 dev eth0 proto kernel scope link src 172.30.30.2
dietpi@kakadu:[~]$ sudo ss -anp | grep vpn
u_str ESTAB 0 0 * 9676028 * 0 users:(("openvpn",pid=10277,fd=2),("openvpn",pid=10277,fd=1))
u_dgr ESTAB 0 0 * 9676064 * 0 users:(("openvpn",pid=10277,fd=3))
udp UNCONN 0 0 0.0.0.0:38907 0.0.0.0:* users:(("openvpn",pid=9785,fd=3))
udp UNCONN 0 0 0.0.0.0:1190 0.0.0.0:* users:(("openvpn",pid=10277,fd=6))
dietpi@kakadu:[~]$ sudo iptables-save -c
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 30 17:30:42 2021
# Generated by xtables-save v1.8.2 on Tue Mar 30 17:30:42 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[407:32474] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
[121:10093] -A POSTROUTING -s 10.8.0.0/24 -o proton0 -m comment --comment proton-nat-rule -j MASQUERADE
COMMIT
# Completed on Tue Mar 30 17:30:42 2021
dietpi@kakadu:[~]$ sudo tcpdump -i any -evn icmp
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
17:30:59.542795 In ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 50, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.2 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.543084 Out ethertype IPv4 (0x0800), length 100: (tos 0x0, ttl 49, id 41395, offset 0, flags [DF], proto ICMP (1), length 84)
10.17.0.13 > 147.52.80.1: ICMP echo request, id 1221, seq 1, length 64
17:30:59.763061 In ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 49, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
147.52.80.1 > 10.17.0.13: ICMP echo reply, id 1221, seq 1, length 64
17:30:59.763241 Out ethertype IPv4 (0x0800), length 100: (tos 0x28, ttl 48, id 40881, offset 0, flags [none], proto ICMP (1), length 84)
147.52.80.1 > 10.8.0.2: ICMP echo reply, id 1221, seq 1, length 64
I used 1190 in my case, but this doesn’t matter.
Openvpn server was created with pivpn package of dietpi. OpenVPN client is running with protonvpn profile.
One thing I had to do manually was to add the proton masquerade rule in iptables.
As you can see in tcpdump android phone client (10.8.0.2) sends an icmp echo request to dietpi over ISP, then dietpi (10.17.0.13) forwards it to protonvpn tunnel, receives the reply, and sends it to the android phone over eth0.