linux

How to write a correct NAT rule in iptables in this configuration?

Hello,
There is such a scheme:

Windows 10 Ent - Hyper-V host with two physical ethernets. Eth0 is host, eth1 is hyper-v. Those. the hyper-v virtual switch
is configured on eth1.
Router Mikrotik 2011, for Hyper-V a separate Ethernet is not in the bridge with anyone - it has 10 VLANs.
There is a static address on the micro, but the most necessary ports are already occupied (443, 25, 110, 143) and cannot be used (for 443, sslh is also used to the eyeballs, i.e. without options). Virtual machines require a separate IP address (for various experiments).
For this, a VPS was bought (for 70 rubles per month), on which an OpenVPN (TCP) server and a microtic client were raised.
With the Mangle rule, all traffic from 10.10.0.0/16 is routed through the tunnel. iptables is configured on the VPS - I had enough knowledge and googling to configure it as I need it on the correct virtual machine.
Everything works as it should, for me, except for one. Next, pay attention to the green and red arrows.
When I connect from the host, for example, to XXXX by telnet to port 25, then all requests go from YYYY to XXXX:25 and virtual machines see the host YYYY trying to connect with it (Green arrows), but everything is terminated on Mikrotik (Red arrow), because . this address belongs to him, and nothing flies into the tunnel. (And a separate machine is required somewhere outside the network of my router, of course I have them, but this is not very convenient for work and debugging)
I have one question - how to write an iptables rule on a VPS so that if all of a sudden requests come from YYYY, they are somehow hidden by the rule and masked, for example, by the XXXX address, i.e. the main thing is that routing would work through the tunnel. Surely for someone a trifling matter, but something I can not figure out. (Or maybe it's not possible?).
Thank you.