Add option to NAT inbound traffic
Currently traffic coming in by OpenVPN appears on the LAN as coming from 10.8.0.0/24 (by default). The Windows firewall will often reject it as it does not come from its LAN. Each client's firewall can be adjusted individually, but also if there were a switch in the ClearOS webconfig to toggle the rule:
$IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE, it would achieve the same with far less effort.
Note this may have a downside and it may block access from the LAN to the OpenVPN clients. This would have to be tested. It is one reason why a switch may be preferable to a permanent rule.