CSF firewall uses its configuration file to write the iptables rules, but it does not have the ability to do masquerading built in. So they have a call in their program to look for two files, csfpre.sh and csfpost.sh, where you can customize rules for the firewall that it cannot do itself. If you read the script, line by line:
ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
This gets the "global" IPs for IPv6 and IPv4. It makes sure that they are not the loopback or private IPs.
/usr/sbin/iptables -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip
This line is what allows your VPN IPs access to the internet.
/usr/sbin/iptables -I INPUT -p udp --dport $port -j ACCEPT
Actually, delete this line. It's redundant to opening the port in csf.conf.
/usr/sbin/iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT
/usr/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
These two lines are what allow you to communicate with the server itself, and completely bypass the firewall, giving you full access to all ports.
if [[ -n "$ip6" ]]; then
    /usr/sbin/ip6tables -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6
    /usr/sbin/ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT
    /usr/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
Similar to the IPv4 block, but makes sure that we have a global IPv6 address. If not, it does not execute.
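To see which address the two selection pipelines at the top of the script hand to the SNAT rules, here they are wrapped in functions and run over sample `ip addr` output. This is an added example, not part of the original script. The function names, interface names and sample addresses are constructed (192.0.2.10 and 2001:db8::10 are documentation addresses; 10.7.0.1 and fddd:2c4:2c4:2c4::1 are assumed server-side VPN addresses).

```shell
#!/bin/sh
# Added example: the page's two selection pipelines, reading `ip addr` text
# from stdin instead of calling `ip`, so they can be run on sample data.

# Constructed sample of `ip -4 addr` output (interface names are made up).
SAMPLE_V4='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: vpn0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN
    inet 10.7.0.1/24 scope global vpn0'

# Constructed sample of `ip -6 addr` output.
SAMPLE_V6='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8::10/64 scope global
    inet6 fe80::1/64 scope link
3: vpn0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN
    inet6 fddd:2c4:2c4:2c4::1/64 scope global'

# pick_ipv4 N: Nth IPv4 address left after dropping 127.x.x.x lines.
pick_ipv4() {
    grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 |
        grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$1"p
}

# pick_ipv6 N: Nth IPv6 address whose first hex digit is 2 or 3.
pick_ipv6() {
    grep 'inet6 [23]' | cut -d '/' -f 1 |
        grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$1"p
}

echo "ip_number=1 -> $(printf '%s\n' "$SAMPLE_V4" | pick_ipv4 1)"
echo "ip_number=2 -> $(printf '%s\n' "$SAMPLE_V4" | pick_ipv4 2)"
ip6=$(printf '%s\n' "$SAMPLE_V6" | pick_ipv6 1)
if [ -n "$ip6" ]; then
    echo "ip6_number=1 -> $ip6 (IPv6 block would run)"
else
    echo "no global IPv6 address (IPv6 block would be skipped)"
fi
```

On a host with several interfaces, the value of `ip_number` decides which address ends up in `--to $ip`, so check it against the real `ip -4 addr` output before restarting CSF.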