probably silly question "yourip" = server.ip? Because the VPN dial-in address will be dynamic.
The panel port would then be server.ip:vpnport? And it would be the same port for the root user and the end user?
tcp ports 2030,2031,2082,2083,2086,2087,2095,2096 can then be safely removed from the CSF without impeding the usability of CWP?