I am trying something very similar: my RPi3 connects to the Internet through eth0 and runs a vpn client. When I enable tethering (WiFi hotspot), I can connect to the pi, but have no internet.
I have:
➜ ~ cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward=1
➜ ~ cat /proc/sys/net/ipv4/ip_forward
1
This has not worked for me:
➜ ~ sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
Any help would be much appreciated!