Whenever you create an AWS instance for NAT and/or VPN, you must check the "source/dest check" option in the instance's network settings and disable it.
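
The same check can be scripted with the AWS CLI. The following is an added example, not part of the original note: it goes slightly beyond the console step by inspecting every network interface attached to the instance, since the check is a per-interface setting. The function names are hypothetical, and it assumes the AWS CLI is installed and configured with permission to describe and modify network interfaces.

```shell
#!/bin/sh
# Added example: audit and disable the source/dest check on every ENI of an
# instance that will forward traffic (NAT and/or VPN).
# Assumes permissions ec2:DescribeNetworkInterfaces and
# ec2:ModifyNetworkInterfaceAttribute.

# Print "<eni-id> <True|False>" for each interface attached to the instance.
list_src_dst_check() {
    aws ec2 describe-network-interfaces \
        --filters "Name=attachment.instance-id,Values=$1" \
        --query 'NetworkInterfaces[].[NetworkInterfaceId,SourceDestCheck]' \
        --output text
}

# Disable the check wherever it is still enabled and print the ENIs changed.
# Returns non-zero if no interface is found or any modify call fails.
disable_src_dst_check() {
    instance_id=$1
    listing=$(list_src_dst_check "$instance_id") || return 1
    if [ -z "$listing" ]; then
        echo "no interfaces found for $instance_id" >&2
        return 1
    fi
    rc=0
    while read -r eni enabled; do
        # Interfaces that already have the check disabled are left alone.
        [ "$enabled" = "True" ] || continue
        if aws ec2 modify-network-interface-attribute \
            --network-interface-id "$eni" --no-source-dest-check </dev/null
        then
            echo "$eni"
        else
            echo "failed to update $eni" >&2
            rc=1
        fi
    done <<EOF
$listing
EOF
    return $rc
}

# Usage (constructed instance ID):
#   disable_src_dst_check i-0123456789abcdef0
```

Running the function a second time should print nothing, which makes it usable as a periodic audit for forwarding instances.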