Openvpn en aws no puede conectar subred

He configurado el servidor openvpn en ubuntu 16.04 en AWS. Puedo conectarlo desde mi máquina localhost. Entonces puedo acceder al servidor openvpn por su ip privada. Pero no puedo conectar otros ec2 en la subred.

Aquí está mi configuración

server.conf

local ip-10-253-254-87
port 1194
proto udp
dev tun
ca ca.crt
cert myvpn.crt
key myvpn.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.253.0.0 255.255.0.0"
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

keepalive 60 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3

$ ruta -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.253.254.1    0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.253.254.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

$ sysctl -p

net.ipv4.ip_forward = 1

Registro de conexión del cliente

Thu Oct 12 02:02:57 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Oct 12 02:02:57 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Thu Oct 12 02:02:57 2017 WARNING: file 'rahul.key' is group or others accessible
Thu Oct 12 02:02:57 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Oct 12 02:02:57 2017 UDPv4 link local: [undef]
Thu Oct 12 02:02:57 2017 UDPv4 link remote: [AF_INET]52.221.18.132:1194
Thu Oct 12 02:02:57 2017 TLS: Initial packet from [AF_INET]52.221.18.132:1194, sid=93a5928a db252cae
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=1, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXX CA, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Validating certificate key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has key usage  00a0, expects 00a0
Thu Oct 12 02:02:58 2017 VERIFY KU OK
Thu Oct 12 02:02:58 2017 Validating certificate extended key usage
Thu Oct 12 02:02:58 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Oct 12 02:02:58 2017 VERIFY EKU OK
Thu Oct 12 02:02:58 2017 VERIFY OK: depth=0, C=SG, ST=SG, L=Singapore, O=XXXXXX, OU=XXXXXXDataEng, CN=XXXXXXstatsvpn, name=XXXXXXStatsVpn, [email protected]
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Oct 12 02:02:58 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Thu Oct 12 02:02:58 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Oct 12 02:02:58 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Oct 12 02:02:58 2017 [XXXXXXstatsvpn] Peer Connection Initiated with [AF_INET]52.221.18.132:1194
Thu Oct 12 02:03:00 2017 SENT CONTROL [XXXXXXstatsvpn]: 'PUSH_REQUEST' (status=1)
Thu Oct 12 02:03:00 2017 PUSH: Received control message: 'PUSH_REPLY,route 10.253.0.0 255.255.0.0,route 10.8.0.1,topology net30,ping 60,ping-restart 3600,ifconfig 10.8.0.6 10.8.0.5'
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Oct 12 02:03:00 2017 OPTIONS IMPORT: route options modified
Thu Oct 12 02:03:00 2017 ROUTE_GATEWAY 192.168.31.1/255.255.255.0 IFACE=wlp3s0 HWADDR=b4:6d:83:ce:88:12
Thu Oct 12 02:03:00 2017 TUN/TAP device tun0 opened
Thu Oct 12 02:03:00 2017 TUN/TAP TX queue length set to 100
Thu Oct 12 02:03:00 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Oct 12 02:03:00 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Oct 12 02:03:00 2017 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.253.0.0/16 via 10.8.0.5
Thu Oct 12 02:03:00 2017 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Oct 12 02:03:00 2017 Initialization Sequence Completed

Tabla de ruta del cliente

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.31.1    0.0.0.0         UG    600    0        0 wlp3s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.253.0.0      10.8.0.5        255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.31.0    0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0

Ping exitoso al servidor openvpn por su ip privada

$ ping 10.253.254.87
PING 10.253.254.87 (10.253.254.87) 56(84) bytes of data.
64 bytes from 10.253.254.87: icmp_seq=1 ttl=64 time=70.3 ms
64 bytes from 10.253.254.87: icmp_seq=2 ttl=64 time=70.4 ms

Problema: no se puede hacer ping a ninguna otra máquina en la subred

$ ping 10.253.2.139
PING 10.253.2.139 (10.253.2.139) 56(84) bytes of data. 

Configuración de ruta en la tabla de ruta (aws)

10.8.0.0/24     eni-47050xxx / i-0ec7207caba88xxx     Active     No

Debería intentar deshabilitar la "Verificación de origen / destino" para su instancia de Openvpn en consecuencia por amazon docs