I can no longer join any realms from my home since 0.15.6

I've been playing on realms for a long time, but after updating MCPE to 0.15.6 I became unable to connect to any realms. My gamertag is TheWorstPHO.

1. I can successfully login to XBL.
2. MCPE can successfully fetch the list of available realms for me.
3. But when I select a realm to join, it shows "This may take a few moments" for approximately 2 minutes and then says "Failed attempting to join realm. Please try again later. Unable to connect to realm."
4. Choosing another realm immediately after that will result in a different error: "Unable to connect to realm."

TL;DR

Here is the network setup in my home:

The Internet
     |
Optical Cable Modem / Router, connected to the Internet via PPPoE
(WAN IP: 121.1.205.212, LAN IP: 192.168.1.1)
     |
WiFi Adapter
(LAN IP: 192.168.1.210; configured as an Ethernet bridge)
     |                                |
iPad                                  PC
(LAN IP: 192.168.1.3)        (LAN IP: 192.168.1.2)

I wanted to know what's really going on so I set up an OpenVPN server on a different network so that I can capture packets being transmitted between MCPE and Mojang. The VPN client installed on iPad is configured so that it redirects each and every packet to the VPN:

My Remote Server
(WAN IP: 219.94.130.139, VPN IP: 10.8.0.1)
     |
The Internet (OpenVPN tunnel on 1194/udp)
     |
Optical Cable Modem / Router, connected to the Internet via PPPoE
(WAN IP: 121.1.205.212, LAN IP: 192.168.1.1)
     |
WiFi Adapter
(LAN IP: 192.168.1.210; configured as an Ethernet bridge)
     |                                    |
iPad with OpenVPN client                  PC
(LAN IP: 192.168.1.3, VPN IP: 10.8.0.3)  (LAN IP: 192.168.1.2)

I started capturing packets going through the TUN interface used by OpenVPN server. To my surprise I could successfully join realms in this setup. Here is my analysis on the captured packets:

1. When MCPE starts up, it first authenticates itself with XBL. This is done on https (443/tcp).
2. When I select the "Realms" tab, it asks pocket.realms.minecraft.net for the list of available realms. This is also done on 443/tcp.
3. As soon as I choose a realm to join, it looks up the A record for ec2-54-210-212-186.compute-1.amazonaws.com and starts sending and receiving UDP packets between that Amazon EC2 server. This is done on 27340/udp, and for some reason both the source port and the destination port is 27340. The EC2 server must be the one where the realm actually resides in.

So I speculated that someone (my router, ISP, or the realms server itself) is preventing me from establishing an UDP session with the server on port 27340. This is certainly not a problem in UDP sessions in general because if that's the case I cannot use the VPN in the first place.
I tried sending a dummy packet to the EC2 server from my home to see what happens. The EC2 server responded with ICMP Port Unreachable then:

My PC  →  UDPv4; src=27340, dst=27340  →  EC2 Server
My PC  ←  ICMP Port Unreachable        ←  EC2 Server

But when I did the same from my OpenVPN server, the EC2 server didn't say anything!

OpenVPN Server  →  UDPv4; src=27340, dst=27340  →  EC2 Server
OpenVPN Server  ←  (Nothing at all)             ←  EC2 Server

To confirm that ICMP packets weren't dropped, I also tried sending a dummy packet with a different source port. This time the EC2 server sent me back an ICMP Port Unreachable:

OpenVPN Server  →  UDPv4; src=11111, dst=27340  →  EC2 Server
OpenVPN Server  ←  ICMP Port Unreachable        ←  EC2 Server

To confirm that it's not my router nor my ISP that is generating the ICMP packet, I tried listening on 27340/udp on my OpenVPN server and sent packets between the VPN server and my PC. The UDP packets were successfully delivered to each other:

My PC  →  UDPv4; src=27340, dst=27340, payload="aaaaa"  →  OpenVPN Server
My PC  ←  UDPv4; src=27340, dst=27340, payload="bbbbb"  ←  OpenVPN Server

So I concluded that someone is acutally blocking me out of the EC2 server by sending ICMP Port Unreachable back to me, and it's very likely that it's the EC2 server that is doing so. Of course I checked the firewall log of my router to see if it was actively blocking 26000-28000/udp but no, it wasn't. I wish I could run an OpenVPN server inside my home LAN to capture packets in the failing case but that would be very difficult to do for reasons.

One of the reamining mysteries is that why MCPE behaves as if there were UDP timeout during the attempt to join the realm. Here is my speculation:

1. MCPE calls recvfrom(2) to receive an UDP packet, and if it fails due to ICMP Port Unreachable, it resends the previous message with sendto(2). And if it doesn't succeed in 2 minutes it gives up and displays an error. This is why it stays 2 minutes in the "This may take a few moments" message.
2. The game immediately shows an error if sendto(2) fails. This is probably the reason why it says "Unable to connect to realm" without any delay on the second attempt. The game somehow didn't call recvfrom(2) on the UDP socket so the ICMP Port Unerachable packet is buffered in the kernel and makes the next sendto(2) fail.