OpenShift
Using VPN to access internal loadbalancers
Hello, I am having trouble properly configuring Azure Red Hat OpenShift 3.11 to route my LoadBalancer services through the peer VNET and then allow me to connect to these services via VPN.
My idea is as follows:
I create the new VNET named "ingress". Then I create Virtual Network Gateway connected to this VNET with the OpenVPN gateway. Finally, I deploy ARO 3.11 with peerVnetId setup correctly to the "ingress" VNET id. The cluster sets up and the peerings are created correctly.
The problem is as follows:
The ARO cluster is 10.1.0.0/16, the ingress net is 10.2.0.0/16, and the gateway addresses are 10.3.0.0/16. When I try to access the services via VPN, the ingress net (10.2.x.x) is reachable, but there is no way to connect to the ARO net (10.1.x.x), where the load balancers are deployed.
I noticed that in the peerings the "Allow forwarded traffic" and "Configure gateway transit settings" options are disabled, but I'm not allowed to enable them since the 10.1.0.0/16 VNET is part of the managed Azure application.
How should I configure the networking for ARO to achieve this setup (to have internal LBs accessible via openvpn-like gateway)? Maybe there is another way to achieve it?
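As an added diagnostic (not part of the question and not Azure tooling), the script below takes the two peering objects of a hub/spoke pair, as returned by `az network vnet peering show`, and reports which settings stop VPN gateway transit into the spoke. The sample peering objects are constructed to mirror the topology above (gateway in "ingress", cluster VNET managed by ARO), and the property names are assumed to match the ARM virtualNetworkPeerings properties.

```python
"""Check which peering settings block VPN gateway transit into a spoke VNet.

Assumed input: the JSON objects returned by `az network vnet peering show`
for both directions of the peering. The property names are the ARM
virtualNetworkPeerings properties; the sample values are constructed to
mirror the question (gateway in "ingress", cluster VNet managed by ARO).
"""

# Constructed sample: hub ("ingress", holds the VPN gateway) -> ARO VNet.
HUB_TO_SPOKE = {
    "name": "ingress-to-aro",
    "allowVirtualNetworkAccess": True,
    "allowForwardedTraffic": False,
    "allowGatewayTransit": False,
    "useRemoteGateways": False,
}

# Constructed sample: the ARO VNet's peering back towards "ingress".
SPOKE_TO_HUB = {
    "name": "aro-to-ingress",
    "allowVirtualNetworkAccess": True,
    "allowForwardedTraffic": False,
    "allowGatewayTransit": False,
    "useRemoteGateways": False,
}


def gateway_transit_issues(hub_peering: dict, spoke_peering: dict) -> list:
    """List the settings that stop VPN clients behind the hub's gateway from
    reaching the spoke; an empty list means transit is not blocked here."""
    issues = []
    for p in (hub_peering, spoke_peering):
        if not p.get("allowVirtualNetworkAccess", False):
            issues.append(f"{p['name']}: allowVirtualNetworkAccess is false")
    # The hub must offer its gateway to the spoke ...
    if not hub_peering.get("allowGatewayTransit", False):
        issues.append(f"{hub_peering['name']}: allowGatewayTransit is false")
    # ... and the spoke must opt in to using it.
    if not spoke_peering.get("useRemoteGateways", False):
        issues.append(f"{spoke_peering['name']}: useRemoteGateways is false")
    # VPN client packets reach the spoke via the gateway, i.e. as forwarded
    # traffic, so the spoke side must also accept forwarded traffic.
    if not spoke_peering.get("allowForwardedTraffic", False):
        issues.append(f"{spoke_peering['name']}: allowForwardedTraffic is false")
    return issues


if __name__ == "__main__":
    for issue in gateway_transit_issues(HUB_TO_SPOKE, SPOKE_TO_HUB):
        print(issue)
```

With the settings described in the question, all three transit-related checks fail on the managed cluster side, which is consistent with 10.1.x.x being unreachable from VPN clients while 10.2.x.x works.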