> * Your VPN computer can open a VPN connection over its WAN interface (192.168.3.222) to a remote endpoint and can send its own traffic down the tunnel.
Yes.
> * Other devices are configured to use the VPN computer's LAN interface (192.168.2.212) as their default gateway, but are unable to send traffic further.
Yes, but they can ping 192.168.3.222.
> This might be a really dumb question (and apologies if it is), but are you positive that IPv4 forwarding is enabled in sysctl.conf on the VPN computer?
Yes. See:-
    sudo sysctl -a | grep net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    net.ipv4.ip_forward_use_pmtu = 0
    sysctl: reading key "net.ipv6.conf.all.stable_secret"
    sysctl: reading key "net.ipv6.conf.default.stable_secret"
    sysctl: reading key "net.ipv6.conf.ens160.stable_secret"
    sysctl: reading key "net.ipv6.conf.ens224.stable_secret"
    sysctl: reading key "net.ipv6.conf.lo.stable_secret"
    sysctl: reading key "net.ipv6.conf.tun0.stable_secret"
> Also, on the VPN computer, is your iptables filter table completely empty, or does it have rules to permit established/related traffic (in other words, the return traffic triggered by the outbound traffic)?
Yes, completely empty. See:-
    sudo iptables --list
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    sudo iptables --list -t nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination