
Connect to VPN server via VPN client which is a NAT instance


The main question is how to connect to a VPN server via a VPN client which is a NAT instance; let me describe it.

Scene 1:

I have a group of service instances (Ubuntu 18.04) named A.

One instance which I use as a NAT instance, named B.

Both group A and instance B are in the same VPC. A has no public IP, B has one public IP, and what I did is use B as a NAT and set SNAT in the VPC so group A can access the internet via B.

Like this:

[image: network diagram of Scene 1 (A group behind NAT instance B)]

And group A is 10.0.0.0/16. I only drew two instances in group A, but it has many.

So on my server B I added the iptables rule: iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -j MASQUERADE

It worked well.

# ip route show
default via 10.0.1.253 dev eth0 proto dhcp src 10.0.1.157 metric 100 
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.157 
10.0.1.253 dev eth0 proto dhcp scope link src 10.0.1.157 metric 100

Scene 2:

Like the scene above, but now I can't use B's public IP (X) to access the internet; it is replaced by a VPN connection (OpenVPN).

Which is:

[image: network diagram of Scene 2 (A group behind B, B tunnelled to VPN server C)]

Note that server C is a VPN server instance over which I have no control.

And I have a client config file which can connect from B to C, and the connection is definitely created. Now B can reach the internet through C, and now on my server B I have:

# ip route show
0.0.0.0/1 via 10.8.0.1 dev tun0 
default via 10.0.1.253 dev eth0 proto dhcp src 10.0.1.157 metric 100 
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.157 
10.0.1.253 dev eth0 proto dhcp scope link src 10.0.1.157 metric 100 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2 
{C's public ip address here} via 10.0.1.253 dev eth0 
128.0.0.0/1 via 10.8.0.1 dev tun0

OK, I hope my description is clear.


So, in this case I think what I need to do is handle everything on server B. On instance B, I forward all traffic from eth0 to tun0, so traffic from eth0 would be forwarded to tun0, and group A should have internet via B:

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

But it's not working as I expected. Then I debugged it by roughly analysing traffic on B. I got the information that B may get the traffic from A, but without response.
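One check worth making on B before looking further at iptables: the two routes OpenVPN installed, 0.0.0.0/1 and 128.0.0.0/1 via tun0, together cover every address and are more specific than the eth0 default. The only A-group addresses that still win against them are the ones inside B's own 10.0.1.0/24 subnet. A reply for any other 10.0.0.0/16 host is de-NATed in PREROUTING and then routed into the tunnel instead of back out eth0, which looks exactly like "traffic arrives from A but no response" and also never matches the `-i tun0 -o eth0` FORWARD rule. The script below is an added example, not code from the question: it replays B's Scene 2 routing table (with a documentation address standing in for C's public IP, which the question elides) through a longest-prefix lookup and reports which A hosts would get their replies mis-routed, then shows the effect of pinning the VPC CIDR to eth0.

```python
"""Longest-prefix route lookup over B's Scene 2 routing table (added example).

Models the `ip route show` output quoted in the question with Python's
ipaddress module and asks, per destination, which interface the kernel would
choose. Metrics are ignored because no two entries here tie on prefix length.
"""
import ipaddress

# Transcribed from the Scene 2 `ip route show` in the question. The VPN
# server's public address is not shown there; 203.0.113.10 (RFC 5737
# documentation space) is an assumed stand-in.
SCENE2_ROUTES = [
    ("0.0.0.0/1", "tun0"),        # pushed by OpenVPN (redirect-gateway style)
    ("0.0.0.0/0", "eth0"),        # default via 10.0.1.253
    ("10.0.1.0/24", "eth0"),      # B's own subnet
    ("10.0.1.253/32", "eth0"),    # DHCP-learned gateway host route
    ("10.8.0.0/24", "tun0"),      # tunnel subnet, B is 10.8.0.2
    ("203.0.113.10/32", "eth0"),  # assumed stand-in for C's public IP
    ("128.0.0.0/1", "tun0"),      # pushed by OpenVPN
]

# Constructed sample of A-group hosts: one in B's subnet, two elsewhere in
# the 10.0.0.0/16 VPC. The question says A has "many" instances.
A_HOSTS = ["10.0.1.20", "10.0.2.5", "10.0.200.1"]


def lookup(routes, dst):
    """Outgoing interface for dst: the most specific matching prefix wins,
    which is the rule the kernel applies before consulting metrics."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def with_vpc_route(routes, vpc_cidr="10.0.0.0/16", dev="eth0"):
    """Assumed fix: add a /16 route for the whole VPC via eth0 so it beats the
    two /1 tunnel routes for every A-group address."""
    return [(vpc_cidr, dev)] + list(routes)


def misrouted_replies(routes, a_hosts):
    """A hosts whose reply packets (dst = the de-NATed 10.0.x.x address) would
    leave B on something other than eth0, i.e. go back into the tunnel."""
    return [h for h in a_hosts if lookup(routes, h) != "eth0"]


def forward_path(routes, a_host, internet_dst="93.184.216.34"):
    """(outbound iface for A's packet to the internet, iface for the reply)."""
    return lookup(routes, internet_dst), lookup(routes, a_host)


if __name__ == "__main__":
    for host in A_HOSTS:
        print(host, "out/reply:", forward_path(SCENE2_ROUTES, host))
    print("misrouted before fix:", misrouted_replies(SCENE2_ROUTES, A_HOSTS))
    fixed = with_vpc_route(SCENE2_ROUTES)
    print("misrouted after fix: ", misrouted_replies(fixed, A_HOSTS))
```

If the script flags hosts in your layout, the corresponding change on B is a more specific route for the VPC CIDR pointing at the VPC gateway (for the table above, `ip route add 10.0.0.0/16 via 10.0.1.253 dev eth0`), or equivalently `route 10.0.0.0 255.255.0.0 net_gateway` in the OpenVPN client config so it is re-added on every reconnect; which of the two applies to your VPC is an assumption on my part, not something the question confirms. Whether `net.ipv4.ip_forward` is enabled and whether the cloud side still routes 10.0.0.0/16 egress to B (the Scene 1 setup) are the other two things to confirm, since the question does not show either.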

