I found the solution. It seems like a bug that was introduced with 21.02 that I didn’t have in 2.5.0 was now pushed out to CE with 2.5.1, at least that’s the way I’m reading it.
The solution was to go into the OpenVPN client config and check this box. 
Now NAT is working properly as the outbound replies are being routed to WAN where they came in instead of getting pushed out the VPN tunnel.
This is the post that helped me of anyone wants the broader context.
Edit: the regression introduced in 2.5.1 is #11805