Question
Allow OpenVPN clients to connect to local SOCKS5 proxy
I’ve set up an OpenVPN server with personal keys on a droplet, and it works.
Now I’ve installed a Tor client on the droplet; it set up a SOCKS5 proxy on port 9050 that also works.
curl --socks5 localhost:9050 google.com
returns:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
..blah
The problem is that OpenVPN clients are unable to connect to port 9050 on the server. It seems like I need to unblock the port in the firewall.
My task is to allow OpenVPN clients to connect to port 9050 on the server without exposing the port to the internet.
Iptables make me weep, please help me with the incantation that I can use with ufw or iptables to allow this scenario.
Any help is appreciated, thank you!
/etc/ufw/before.rules contains this:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT