I've got the 3.8.2 VPN client successfully connecting to the VPN server
encrypted traffic going out but nothing coming back.

Client is behind an ADSL router and the VPN server is behind a firewall

By running a ping from the VPN client to the internal network I see this:

1. <client public ip> to <vpn server public ip>
2. <client vpn assigned address> to <internal host>
3. <internal host> replies to <client vpn assigned address>

And that's it! The ping reply doesn't reach the client, I'd expect to see

<vpn server public ip> to <client public ip>

or am I missing something?

The VPN server has 2 NICs and isn't running NAT.