I have a weird problem with an OpenVPN setup between the AWS and GoGrid datacenters. My network looks like this:
/----------------\ /----------------\ /------------------\ /----------------\
| VPS-DEVEL.gg | | VPS-VPN.gg | | VPS-VPN.aws | | VPS-PROVIS.aws |
| 10.160.64.7/24 | eth1 --- eth1 | 10.160.64.9/24 | tun0 --- tun0 | 10.160.48.219/24 | eth0 --- eth0 | 10.160.52.8/24 |
\----------------/ \----------------/ \------------------/ \----------------/
I can ping from AWS to GoGrid without problems (both VPS-DEVEL.gg and VPS-VPN.gg from both AWS VMs), but I cannot ping from GoGrid to AWS.
My routing table on VPS-VPN.gg looks like this:
[root@VPSVPN ~]# route -n
Směrovací tabulka v jádru pro IP
Adresát Brána Maska Přízn Metrik Odkaz Užt Rozhraní
169.254.4.1 164.40.132.83 255.255.255.255 UGH 0 0 0 eth0
169.254.4.2 10.160.64.9 255.255.255.255 UGH 0 0 0 eth1
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
164.40.132.80 0.0.0.0 255.255.255.240 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.240 UG 0 0 0 tun0
10.159.254.0 10.160.64.1 255.255.255.0 UG 0 0 0 eth1
10.160.64.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.160.0.0 10.8.0.2 255.255.192.0 UG 0 0 0 tun0
0.0.0.0 164.40.132.81 0.0.0.0 UG 0 0 0 eth0
My routing table on VPS-VPN.aws:
admin@ip-10-160-48-219:~$ sudo route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.160.48.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.9 255.255.255.240 UG 0 0 0 tun0
10.8.0.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.160.48.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.160.64.0 10.8.0.9 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
My openvpn server config (gogrid side):
[root@VPSVPN ~]# cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert vpsvpn.crt
key vpsvpn.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.240
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd # ghor
client-to-client # ghor
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
max-clients 100
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 11
route 10.160.0.0 255.255.192.0
push "route 10.160.64.0 255.255.255.0"
My openvpn client config (aws side):
admin@ip-10-160-48-219:~$ cat /etc/openvpn/gogrid/gogrid.ovpn
client
dev tun
proto udp
remote 164.40.132.83 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /etc/openvpn/gogrid/ca.crt
cert /etc/openvpn/gogrid/test-eu-west-1-aws.crt
key /etc/openvpn/gogrid/test-eu-west-1-aws.key
askpass /etc/openvpn/gogrid/test-eu-west-1-aws.pass
tcpdump shows this:
- Ping from AWS (both VMs) goes out on the VPS-VPN.aws tun0 interface into the VPN tunnel, arrives on tun0 on VPS-VPN.gg, and the reply goes back correctly
- Ping from GoGrid goes out on the VPS-VPN.gg tun0 interface into the VPN tunnel but doesn't arrive on the tun0 interface on VPS-VPN.aws
- Ping from VPS-VPN.gg to the tun0 IP of VPS-VPN.aws (10.8.0.10) works well
Both VPS-VPN hosts have ip_forward enabled.
iptables on VPS-VPN.aws looks like this; the AWS security group is set to allow all traffic from everywhere (I don't like to use security groups when I can use iptables on the VMs):
admin@ip-10-160-48-219:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 867 packets, 68073 bytes)
pkts bytes target prot opt in out source destination
1426 117K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1360 105K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 743 packets, 72322 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
1400 115K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
admin@ip-10-160-48-219:~$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1743 packets, 105K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1359 packets, 69760 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 390 packets, 40130 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
748 67734 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
17 1428 MASQUERADE all -- * tun0 0.0.0.0/0 0.0.0.0/0
I'm using 10.160.0.0/18 in the routing just because I will have more VPCs with subnets in this range. Each AWS VPC has a /21 subnet. Everything on the GoGrid side is in subnet 10.160.64.0/24, and the AWS routing table is set to route everything for this subnet to the VPS-VPN.aws instance. This is working; I can ping GoGrid from AWS.
Can you point out where I'm making a mistake? AFAIK this setup should work in both directions. Thanks a lot.
So I found a solution. I had badly configured client-to-client routing. To get this working, there must be a
client-to-client
directive in the server config file, the client-config-dir
directive must be properly set, and there must be a CCD file in this dir for the connecting client. The name of the CCD file must be the same as the Common Name in the certificate the connecting client is using to authenticate, and in this file a routing rule for the client network must be added; in my case
After these changes have been made, communication works perfectly in both directions.
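The failure mode in this thread is that a `route` directive in server.conf only tells the server's kernel to send a subnet into the tun device; OpenVPN itself still needs a matching `iroute` in a client-config-dir file (named after the client's certificate CN) to know which connected client owns that subnet, otherwise the packets leave tun0 on the server and are dropped inside OpenVPN. The checker below is an added example, not code from the post or from the OpenVPN project: it parses a server.conf, collects every `route` subnet, scans the CCD directory for `iroute` lines, and reports routed subnets that no client claims. It also flags a missing `client-to-client` or `client-config-dir`. The sample server.conf is constructed from the routing-relevant lines of the one posted above, the CCD file name `aws-client` is a placeholder CN, everything is written to a temporary directory, and single-argument `route`/`iroute` lines are treated with OpenVPN's default host mask 255.255.255.255.

```python
"""Check an OpenVPN server.conf for `route` subnets with no matching CCD `iroute`.

Added example (not from the original post). Paths, the sample config and the
client CN 'aws-client' are constructed for the demo.
"""
import ipaddress
import shlex
import tempfile
from pathlib import Path

HOST_MASK = "255.255.255.255"  # OpenVPN default when route/iroute has no netmask


def parse_directives(text):
    """Return [(directive, [args...])] for an OpenVPN config file.

    Anything after '#' or ';' is dropped as a comment (covers the inline
    '# ghor' style comments in the posted server.conf); quoted arguments such
    as push "route ..." are kept as a single argument.
    """
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            out.append((parts[0], parts[1:]))
    return out


def to_network(addr, mask=HOST_MASK):
    """'10.160.0.0', '255.255.192.0' -> IPv4Network('10.160.0.0/18')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_server_routing(server_conf):
    """Report config problems and `route` subnets that no CCD file claims via `iroute`."""
    conf_path = Path(server_conf)
    directives = parse_directives(conf_path.read_text())
    names = {d for d, _ in directives}
    report = {"problems": [], "iroutes": {}, "missing_iroute": []}

    if "client-to-client" not in names:
        report["problems"].append("client-to-client missing: clients cannot reach each other")

    ccd = next((a[0] for d, a in directives if d == "client-config-dir" and a), None)
    if ccd is None:
        report["problems"].append("client-config-dir missing: nowhere to put a per-client iroute")
        ccd_dir = None
    else:
        # relative client-config-dir is resolved against the config file's directory
        ccd_dir = Path(ccd) if Path(ccd).is_absolute() else conf_path.parent / ccd

    if ccd_dir is not None and ccd_dir.is_dir():
        for ccd_file in sorted(ccd_dir.iterdir()):
            if not ccd_file.is_file():
                continue
            for d, a in parse_directives(ccd_file.read_text()):
                if d == "iroute" and a:
                    # the CCD file name must equal the client certificate's CN
                    report["iroutes"][str(to_network(*a[:2]))] = ccd_file.name
    elif ccd_dir is not None:
        report["problems"].append(f"client-config-dir {ccd_dir} does not exist")

    for d, a in directives:
        if d == "route" and a:
            net = str(to_network(*a[:2]))
            if net not in report["iroutes"]:
                report["missing_iroute"].append(net)
    return report


# Constructed from the posted server.conf, trimmed to the routing-relevant lines.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.240
client-config-dir ccd   # ghor
client-to-client        # ghor
route 10.160.0.0 255.255.192.0
push "route 10.160.64.0 255.255.255.0"
"""


def demo():
    """Before: empty ccd dir (the post's failure). After: ccd/<CN> carries the iroute."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "server.conf").write_text(SERVER_CONF)
        (root / "ccd").mkdir()
        before = check_server_routing(root / "server.conf")
        # 'aws-client' is a placeholder CN; use the real certificate CN in practice
        (root / "ccd" / "aws-client").write_text("iroute 10.160.0.0 255.255.192.0\n")
        after = check_server_routing(root / "server.conf")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Run against a real server: `python3 check_iroute.py` after pointing `check_server_routing` at `/etc/openvpn/server.conf`; any subnet listed under `missing_iroute` is one the kernel will hand to OpenVPN but OpenVPN will discard, which matches the tcpdump observation in the question (packets seen on the server's tun0, never on the client's).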