OpenVPN: forward client’s LAN to the VPN

gateway, openvpn, routing

My current setup involves an OpenVPN server with a single network interface and a client on another network that acts as the router for a specific LAN. My goal is to enable forwarding of LAN traffic through the VPN.

The router of the LAN is the one connecting to the OpenVPN server through its public interface.

  • OpenVPN net: 10.8.1.0/24
  • internal network: 192.168.10.0/24

Firewall

*nat
:PREROUTING ACCEPT [2:98]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [5:327]
-A POSTROUTING -s 10.8.1.0/24 -o em1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [186:19694]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 1195 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 10.8.1.0/24 -o em1 -j ACCEPT
-A FORWARD -i tun+ -o em1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i em1 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

OpenVPN server

port 1195 # 1194 is used by another OpenVPN 
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/suzume.crt
key /etc/openvpn/suzume.key
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
client-config-dir ccd
route 192.168.10.0 255.255.255.0
tls-auth /etc/openvpn/ta.key 0

OpenVPN client

client
dev tun
remote MY_SERVER_IP
proto udp
nobind
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
cert myhostname.crt
key myhostname.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
mtu-test

Right now I'm not yet pushing the default gateway: I'm doing tests by adding single IPs to the routing table. On the client:

route add 69.192.17.215 gw 10.8.1.5 tun1

(again, the client is actually a router for a LAN)

If I am on the client itself, I can see with traceroute that packets go through the VPN. However, if I try to access the same IP from the clients, nothing goes through. A tcpdump on the VPN interface on the server shows:

# tcpdump -n -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
00:25:13.267823 IP MY_INTERNAL_IP > 69.192.17.215: ICMP echo request, id 3607, seq 11, length 64

And nothing goes through.

Compare this when I do stuff directly on the client:

00:28:10.277901 IP OPENVPN_CLIENT_IP > 69.192.17.215: ICMP echo request, id 5243, seq 1, length 64
00:28:10.365054 IP 69.192.17.215 > OPENVPN_CLIENT_IP: ICMP echo reply, id 5243, seq 1, length 64

I also have set iroute 192.168.10.0 255.255.255.0 in my ccd dir for the client. However I can't route traffic from the LAN through the VPN, presumably because the server doesn't know how to send data back to them.

What am I missing to perform this? I have full access on the server and on the client/router. The server runs CentOS 6.5 and the client/router Debian Squeeze.

Best Answer

The solution was, on the client/router, to do

iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o tun1 -j MASQUERADE

where tun1 is the VPN interface. By masquerading the internal IPs, everything works.
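The client/router-side setup that the accepted answer's rule belongs to, as an added example that is not part of the question or the answer. It keeps the MASQUERADE restricted to the LAN prefix and the tunnel (so the server's existing `-s 10.8.1.0/24 -o em1 -j MASQUERADE` rule covers the translated packets) and only lets the tunnel return traffic for flows the LAN started; `tun1` is from the answer, `LAN_IF` (`eth1`) is an assumed name for the LAN-facing interface.

```shell
#!/bin/sh
# Added example: client/router rules for routing 192.168.10.0/24 through the VPN.
# Assumptions: tun1 is the VPN interface (from the answer); eth1 is a guessed
# name for the LAN NIC. DRY_RUN=1 prints the commands, DRY_RUN=0 runs them (root).
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPN_IF="${VPN_IF:-tun1}"
LAN_IF="${LAN_IF:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

lan_to_vpn_rules() {
    # The router must forward at all; otherwise LAN packets die on the router.
    run sysctl -w net.ipv4.ip_forward=1
    # The fix from the answer, limited to the LAN prefix and the tunnel. After
    # SNAT the server sees a 10.8.1.x source, which its posted POSTROUTING rule
    # already masquerades on em1; replies come back to the tunnel address and
    # conntrack un-NATs them to the originating LAN host.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j MASQUERADE
    # LAN hosts may open flows into the tunnel; the tunnel side may only send
    # back RELATED/ESTABLISHED traffic, everything else toward the LAN is refused.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -j REJECT --reject-with icmp-host-prohibited
}

# Sanity check on the generated rule set: count the rules that carry the LAN
# source restriction (the NAT rule and the LAN->tunnel accept rule).
rules_matching_lan() {
    (DRY_RUN=1; lan_to_vpn_rules) | grep -c -- "-s $LAN_NET"
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    lan_to_vpn_rules
fi
```

Run it without arguments to review the commands, or as `sh script.sh apply` on the router to install them.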