Part of the Furniture
-iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE
This rule was still necessary. Without that, the tunnel was established butthe internet on my clients were offline.
I don't see how that's the case. The OpenVPN client GUI already has an option to NAT the tunnel, which generates this same rule.
P.S. It may be due to all your prior mistakes w/ configuring the VPN port forwarding, that you corrupted the NAT table as well, thus making the manual addition of this rule necessary. Just guessing. But when everything is configured correctly, you don't need to do that. NAT'ing the tunnel on the OpenVPN client GUI will take care of this for you.