Here is a solid example of a starter configuration I use when setting up openvpn. It can be done, but my preference is to just say no. The issue is that every "extra" service you add to your edge device reduces the overall security of your edge device.
I know that the untangle box supports openvpn, but my preference is to run the openvpn server inside your network and to do port forwarding from your edge device to the openvpn box. I do have to say I don't like mixing edge devices (perimeter firewall) with access devices (VPN server). But as long as the ISP has you set up to get the required port to your box, then you should be good to go.

Having the ability to create, as an example, a firewall rule to block all outgoing traffic for sites A, D and E, then we can push this one specific rule to site A, D and E's firewall. By using a global policy you have no choice but to push the same config to all appliances. The 2900 is indeed a router, but in this case they must have it licensed for firewalling too. Very often sites require different rules depending on what is required.

The setting is dependent on how the ISP has the router set up. Yes, there is a difference between port pass-through and port forwarding.

Is ditching the ISP firewall and using untangle direct an option? It might save you some hassle, although untangle still works well in bridged mode, but you can't use the firewall part effectively. As said above, if you were using untangle directly connected to the internet you wouldn't have to do anything, because when you configure VPN everything else that is needed gets configured automatically.

Yes, you will need to get your ISP to set up the port forward. Even when configured totally open, a firewall won't pass data through unless it has a port forward or a NAT route, in the case of going from inside out and back. If the port was just open, the firewall/router wouldn't know where to deliver the data packets. We are talking about port forwarding here and not port opening.

If this is the case then it will work straight away and all you need to do is set up your untangle box. Are they specifically blocking ports? They may have the 2900 set up as just a router where all ports are passed straight through.