Problems setting up an exclusive VPN connection for my VM

Greetings everyone,
I wanted to do something that I thought should be simple enough, but it seems it isn’t.
Basically I want to run a VM (set up with virt-manager) and pipe its networking exclusively through a VPN connection (OpenVPN in this case).
I got the VPN (tun0) set up on the host through Network Manager, and when the VPN provides the default route, everything works as expected. If I enable “Ignore automatically obtained routes”, then the VPN gets ignored, as it should.
Now with the VM, I have the network set up as follows:

nat

Inside the VM, if the VPN on the host has the default routes, it works just fine.
If the default routes are missing, however, networking in the VM stops working… at least partially, it seems:

ping

As you can see in this excerpt, when pinging Google, I get an IP address, but the ping doesn’t work because the “destination port is unreachable”. On the other hand, I can ping 10.15.0.1, which to my knowledge is the VPN’s gateway.
So… theoretically, I should be able to reach the internet through that gateway, shouldn’t I? But as you can probably tell, I’m just a GUI-using pleb, and routing especially confuses the hell out of me. I couldn’t find much about this specific use case on the internet either, so I’m at my wit’s end, and I hoped maybe one of the fine people around here could point me in the right direction.