In client config file, you have to add:
In order for the client to prompt for username/password (using local linux users)
The root account cannot login through the client by default. I would suggest keeping it this way.
The client config exported by the current webmin OpenVPN module does NOT add the ^M characters at the end of the lines of the client config file all the time. Windows Clients NEED this.
In iptables using Webmin allow FORWARD and INPUT chains to tun0 (or tun1 or whatever) without restriction.