openvpn
Igor, 2017-11-29 18:46:39

OpenVPN: how to redirect traffic from one client to another?

There is an OpenVPN (on Ubuntu 14.04) server and a number of clients (on Windows, Linux, Android).
The task seems to be simple: to direct traffic from all clients through another client.
That is, let's say the server is 10.15.1.1, the clients are 10.15.1.0/24. Forward requests to 8.8.8.8 through 10.15.1.10.
On the Linux client I add the route with the OS tools: route add -host 8.8.8.8 gw 10.15.1.10 (I know that it is possible to push a route from the server side to the client - right now the question is not how the route appears on the client). Requests reach 10.15.1.10 only if it is a tap interface. Everything would be fine, but the Android client does not support tap, only tun (Android is not rooted; applications: "OpenVPN" and "OpenVPN Connect").
If tun (dev-type tun) is used on the clients and the server, no requests arrive at 10.15.1.10. Through tcpdump I see them on 10.15.1.1.
I.e., here is what happens. The client pings 8.8.8.8 and in response receives a message from the server:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.15.1.1: icmp_seq=2 Redirect Host(New nexthop: 10.15.1.10)
From 10.15.1.1: icmp_seq=3 Redirect Host(New nexthop: 10.15.1.10)

While on the server:

14:21:56.417458 IP 10.15.1.1 > 10.15.1.12: ICMP redirect 8.8.8.8 to host 10.15.1.10, length 92
14:21:56.417460 IP 10.15.1.12 > 8.8.8.8: ICMP echo request, id 13221, seq 6221 , length 64

I.e., the message eventually arrives at the server; the server tells the client to send requests to 10.15.1.10, but does not itself send them there.
Then I tried to set up routing for the client packets on the server:

ip route add default via 10.15.1.10 table 9999
ip rule add from 10.15.1.0/24 table 9999 priority 2

Again, the same picture: Redirect Host(New nexthop: 10.15.1.10) arrives at the client, and the server itself does not want to forward the client's packets to 10.15.1.10.
At the same time, no packets are visible on the 10.15.1.10 side (tcpdump is empty). Though pings between the clients and 10.15.1.10 go through fine. As soon as I switch to tap mode everywhere (which does not suit me), everything works.
At first, the picture in my head was like this: in tap mode, the Redirect Host(New nexthop: 10.15.1.10) arrives at the client, the client does an ARP resolution for 10.15.1.10, receives its MAC and sends the data to it. There is no ARP in tun mode. So a client receiving Redirect Host(New nexthop: 10.15.1.10) cannot route directly to 10.15.1.10 and must do so via the server. But when pings go successfully between the clients, they are not visible on the server in tcpdump.
Additionally, it is not clear why the server, having received a packet from the client, sends it Redirect Host(New nexthop: 10.15.1.10) and does not forward it to 10.15.1.10 on its own.
I tried deleting the default route through 10.15.1.1 - it does not help (this is the route that the server pushes to the clients).
Done on the server:
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD ACCEPT

Maybe some settings in sysctl are still needed?
Server config:
port 1194
proto udp
dev tun0
user openvpn
group openvpn
cd /etc/openvpn
persist-key
persist-tun
tls-server
tls-timeout 120
dh /etc/openvpn/dh.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myopenvpnserver.crt
key /etc/openvpn/myopenvpnserver.key
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key 0
server 10.15.1.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
client-to-client
topology subnet
push "dhcp-option DNS 8.8.4.4"
route 10.15.1.0 255.255.255.0
comp-lzo
keepalive 10 120
status /etc/openvpn/log/openvpn-status.log 1
status-version 3
log-append /etc/openvpn/log/openvpn-server.log
verb 3
mute 20
push "redirect-gateway def1"
ifconfig-pool-persist /etc/openvpn/ipp.txt
management localhost 8000

Client config:
dev tun1
proto udp
nobind
remote 1.1.1.1 1194
client
tls-client
resolv-retry infinite
remote-cert-tls server
persist-key
persist-tun
comp-lzo
verb 3
tun-mtu 1280
status-version 3
script-security 2
key-direction 1
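A small model of the Linux forwarding decision the server's kernel makes for a packet arriving on tun0, added here as an illustration; it is not code from the thread and not the kernel's own logic. The tun0 address (10.15.1.1/24), the client subnet, the 8.8.8.8-via-10.15.1.10 next hop and the table 9999 / "from 10.15.1.0/24" rule are taken from the thread; the eth0 uplink (198.51.100.0/24 with gateway 198.51.100.1) is constructed, and the server is assumed to carry the 8.8.8.8 route that the observed Redirect implies. The model reproduces the rule that matters here: Linux forwards the packet and, in addition, emits an ICMP Redirect Host when the packet leaves through the interface it arrived on and the source is on-link with the chosen next hop.

```python
"""Model of the Linux forwarding decision (longest-prefix match, policy rules,
ICMP Redirect condition). Added illustration; addresses partly from the thread,
partly constructed (see comments)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[IPv4] = None      # None: destination is directly connected


@dataclass(frozen=True)
class Rule:
    priority: int
    src: Optional[Net]              # "from" selector; None matches every source
    table: str


@dataclass(frozen=True)
class Decision:
    out_dev: str
    next_hop: IPv4
    redirect: bool                  # True: an ICMP Redirect Host is also sent to src


class Router:
    def __init__(self, interfaces: Dict[str, ipaddress.IPv4Interface],
                 tables: Dict[str, List[Route]], rules: List[Rule],
                 send_redirects: bool = True):
        self.interfaces = interfaces            # dev -> router's own address/prefix
        self.tables = tables
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.send_redirects = send_redirects    # net.ipv4.conf.<dev>.send_redirects

    def _lookup(self, table: str, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match within one table."""
        best = None
        for r in self.tables.get(table, []):
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src: str, dst: str, in_dev: str) -> Optional[Decision]:
        s, d = IPv4(src), IPv4(dst)
        for rule in self.rules:                 # rules in priority order, like `ip rule`
            if rule.src is not None and s not in rule.src:
                continue
            route = self._lookup(rule.table, d)
            if route is None:
                continue                        # no match in this table: try the next rule
            next_hop = route.via if route.via is not None else d
            link = self.interfaces[route.dev].network
            # Redirect condition: same in/out interface, source and next hop on that link,
            # and send_redirects enabled. The packet is forwarded either way.
            on_link = s in link and next_hop in link
            redirect = self.send_redirects and route.dev == in_dev and on_link
            return Decision(route.dev, next_hop, redirect)
        return None


def build_server(send_redirects: bool = True, policy_table: bool = False) -> Router:
    """Server as implied by the thread (tun0 side) plus a constructed eth0 uplink."""
    ifaces = {
        "tun0": ipaddress.IPv4Interface("10.15.1.1/24"),        # from the thread
        "eth0": ipaddress.IPv4Interface("198.51.100.2/24"),     # constructed
    }
    main = [
        Route(Net("10.15.1.0/24"), "tun0"),
        Route(Net("198.51.100.0/24"), "eth0"),
        Route(Net("0.0.0.0/0"), "eth0", IPv4("198.51.100.1")),  # constructed default gateway
        Route(Net("8.8.8.8/32"), "tun0", IPv4("10.15.1.10")),   # assumed: what the Redirect implies
    ]
    tables = {"main": main}
    rules = [Rule(32766, None, "main")]
    if policy_table:                            # the thread's second attempt
        tables["9999"] = [Route(Net("0.0.0.0/0"), "tun0", IPv4("10.15.1.10"))]
        rules.append(Rule(2, Net("10.15.1.0/24"), "9999"))
    return Router(ifaces, tables, rules, send_redirects)


if __name__ == "__main__":
    for policy in (False, True):
        r = build_server(policy_table=policy)
        print("policy table:", policy, r.forward("10.15.1.12", "8.8.8.8", "tun0"))
        print("policy table:", policy, r.forward("10.15.1.12", "1.0.0.1", "tun0"))
```

Running it shows that for a ping from 10.15.1.12 to 8.8.8.8 the kernel forwards out tun0 towards 10.15.1.10 and at the same time sends the Redirect seen in the thread, and that the table 9999 rule only widens this to all destinations. Setting net.ipv4.conf.tun0.send_redirects=0 suppresses the Redirect without changing where the packet is forwarded. What happens after the kernel writes the packet back into tun0 is up to the OpenVPN process and its own client routing, which this model does not cover.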


1 answer
Dimonchik, 2017-11-29
@dimonchik2013

route_command = "sudo ip route add " + domain_ip + " via " + remote_ip + " dev " + interface

Instead of an IP you can use a network.
