Route SSH to internal virtual network via centos7 vm router

Trying to route ssh traffic to vm servers in isolated network on a centos7 KVM host. Can ping from either side but ssh times out.

I'm connected to my home router from work via vpn.

i have a static route to the external interface on centos7 vm router (functioning correctly with ip forwarding etc).

Internal vm, anohter centos7 server can update from internet and ping lan clients and vice versa

When i try to ssh to the internal vm from work pc it times out. firewalld on both vm router(internal and external interfaces) and internal server has ssh enabled in services

Setup:
home route
10.0.1.2 - vpn client
10.0.0.20 - ext if vm router
10.0.10.2 - int, если виртуальный маршрутизатор
10.0.10.10 - внутренний сервер centos7

Конфигурация VPN:
push "route 10.0.1.0 255.255.255.0"
нажмите "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"

i will be adding more servers to this internal network so i don't want to just forward port 22 to 10.0.10.10 i need it forwarded to 10.0.10.* while also still retaining the ability to manage the vm router via ssh on the external ip.

I can ssh to the server (10.0.10.10) from 10.0.0.0 and 10.0.10.0 networks

Hope this makes sense. This is a home test lab.

iptables output