RPI4 running openwrt + docker + wireguard client container (gluetun), no server ping

I have an RPI4 with OpenWrt running Docker, with a WireGuard client running in a container (I'm using gluetun).
I'm able to connect to my VPS server running a WireGuard server (wg-easy). I'm able to ping the server and have internet access, but I'm not able to ping the client peer from the server or from other clients. However, if I ping from other clients to the server and vice versa, it works.

So maybe I'm missing a firewall rule here, but I can't figure out which one and where it should be done.

Here's an example of a ping from the server IP (10.0.0.1) to the client (10.0.0.3)
from server
ping 10.0.0.3
running on client inside container:
tcpdump -tttnei tun0 icmp

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
 00:00:00.000000 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 26, length 64
 00:00:00.996112 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 27, length 64
 00:00:01.003531 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 28, length 64
 00:00:01.003758 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 29, length 64
 00:00:00.995485 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 30, length 64
 00:00:00.997200 ip: 10.0.0.1 > 10.0.0.3: ICMP echo request, id 20699, seq 31, length 64

From the tcpdump output it seems I receive the ping requests on the client, but the client never answers back.

ip r get on the server, inside the wg-easy container:

ip r get 10.0.0.3
10.0.0.3 dev wg0 src 10.0.0.1 uid 0

ip r get on the server:

ip r get 10.0.0.3
10.0.0.3 via serveraddress gateway dev eth0 src serverIP uid 1000

On RPI4/Client

ip r get 10.0.0.1
10.0.0.1 via 192.168.0.1 dev eth1  src 192.168.0.178

inside gluetun container

ip r get 10.0.0.1
10.0.0.1 dev tun0 table 51820 src 10.0.0.3 uid 0

Is anyone able to help or point me to where to dig to make it work?

  1. On the VPS I have 0.0.0.0/0, so all traffic should be allowed in that case.
    Adding wg show info just in case that helps:
wg show
peer: peerID
  preshared key: (hidden)
  endpoint: homeIP
  allowed ips: 10.0.0.3/32
  latest handshake: 1 minute, 54 seconds ago
  transfer: 35.82 MiB received, 117.40 MiB sent
  1. I have the VPN interface in the docker network, which is accessible in the LAN zone. Why should I move it to LAN?