The solution is to add iptables rules below. and dont forget to push dns for client.
Reference: https://bbs.archlinux.org/viewtopic.php?pid=1112882#p1112882
Do you have the possibility to do a packet capture on the external interface of the server to check if there are any related packets leaving (verify if they're getting source natted correctly etc)?
Normally the MASQUERADE should do the job just fine in this case; but just for the sake of it try using a specific source NAT statement:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <serverpublicip> 
