OpenVPN how to route Internet traffic through a client

My use case: I want to route all Internet traffic from machine B through machine A. However, I cannot simply install OpenVPN server on machine A as machine A is behind layers of NATs/firewalls I don't control. My current solution is to install OpenVPN server on machine C, and have both machines A and B connect to C as clients. I'm trying to set up proper routes so that all traffic from B can be routed through A. The setup on each machine and the steps I have attempted are detailed below and my remaining problem is in the second to last paragraph.

Now, machine C runs Linux and OpenVPN server in a Docker container (https://github.com/kylemanna/docker-openvpn). With redirect-gateway def1, both client machines can connect and route traffic through the server (https://ipleak.net confirms the server IP). For the following tests though, redirect-gateway def1 is removed, while topology subnet and client-to-client are added. The server has subnet IP 192.168.255.1 and public IP AAA.BBB.CCC.DDD.

machine A runs Windows and has IPEnabledRouter=1 set in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\, Service Routing and Remote Access set to Automatic and running, and the network adapter with Internet access set to allow sharing from the OpenVPN TAP adapter. It is assigned 192.168.255.2.

machine B runs Windows and is behind a router with IP 192.168.1.100. It is assigned OpenVPN subnet IP 192.168.255.3. The following routes are added in addition to what OpenVPN sets up automatically:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0    192.168.255.2    192.168.255.3    259
        128.0.0.0        128.0.0.0    192.168.255.2    192.168.255.3    259
  AAA.BBB.CCC.DDD  255.255.255.255      192.168.1.1    192.168.1.100    291

From machine B, I can ping machine A at 192.168.255.2, but Internet traffic is still routed through the OpenVPN server (ipleak shows AAA.BBB.CCC.DDD). I tried adding a route: route add default gw 192.168.255.2 tun0, but this makes the clients unable to access Internet. The server route table typically looks like:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
192.168.254.0   192.168.255.2   255.255.255.0   UG    0      0        0 tun0
192.168.255.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0

How can I make this work?

[EDIT] A little more context on the use case: I need to set up VPN for a division so that their users' home computers machine B can access third-party resources that restrict access based on IP address. The access to machine A is not blocked, but there are at least two layers of NAT/firewalls up the organization, whose admins do not want to change their setup to help with incoming connections. We therefore want to devise a working solution using machine C that may be a VPS as the VPN server. There is an official VPN service but since it is open to certain outside members, the third-party vendor does not wish to allow its IP access.