iax2 broken over VPN

Not strictly asterisk, but that is the piece that is broken for me…
Asterisk 1.8.13
Two systems, on two separate ISPs.
VPN set up between the two using OpenVPN.

Something changed in the last two weeks (may have been prepped & caused by a reboot) where my iax2 trunk between the two systems has failed. On system “P”, system “O” showed “not reachable” for iax2; but on system “O” (until a reboot), system “P” was reachable; now not.

A tcpdump on both sides shows pongs outbound; before “O” reboot, system “P” was responding to system “O” pongs.

On both sides:
asterisk[eth0][lan][eth1]firewall[eth0] => world

When I do tcpdump on my tun0 tunnel, I see that the source address changes from the internal LAN address to the external address of the firewall system?!? Destination address of the ‘pong’ remains the correct IP of the opposite asterisk system.

I’m a complete dunce on most iptables stuff, and I can’t figure out why that address change is occurring, or where in my firewall tables that would happen. The firewall should NAT everything else, but it’s not making sense to me why it would NAT the tunnel.

Any help appreciated for where to look and how I messed things up. I hate it when things are working great, and then… stop.
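
One way to look for a firewall rule that would rewrite the source address of packets leaving tun0, as an added example that is not part of the original post: it scans `iptables-save -t nat` output for POSTROUTING SNAT/MASQUERADE rules whose out-interface match does not exclude the tunnel. The sample ruleset, its addresses and the function names are constructed for illustration; only the interface names tun0 and eth0 come from the post.

```python
# Constructed sample of `iptables-save -t nat` output (not the poster's ruleset).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING ! -o tun0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o tun+ -j MASQUERADE
COMMIT
"""

def iface_matches(pattern, iface):
    """iptables treats a trailing '+' in an interface name as a wildcard."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def rules_rewriting_source(save_text, iface="tun0"):
    """Return POSTROUTING SNAT/MASQUERADE rules that can apply to `iface`.

    Only the out-interface match is evaluated ("! -o name" form, as printed
    by current iptables-save). -s/-d matches and jumps into user-defined
    chains are not followed and still need to be checked by hand.
    """
    hits = []
    for line in save_text.splitlines():
        if not line.startswith("-A POSTROUTING "):
            continue
        tok = line.split()
        if "-j" not in tok or tok[tok.index("-j") + 1] not in ("SNAT", "MASQUERADE"):
            continue
        applies = True  # a rule with no -o match applies to every interface
        for flag in ("-o", "--out-interface"):
            if flag in tok:
                i = tok.index(flag)
                negated = tok[i - 1] == "!"
                applies = iface_matches(tok[i + 1], iface) != negated
        if applies:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for rule in rules_rewriting_source(SAMPLE, "tun0"):
        print("rewrites source on tun0:", rule)
```

On a live firewall the input would be the real `iptables-save -t nat` output; any rule it reports is a candidate to restrict with `-o eth0` or an exclusion for the tunnel.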