In general, firewall should be independent from the VPN. In Debian it could be managed (saved and restored) using netfilter-persistent and iptables-persistent packages (both of them are required).
However, it is possible to run any commands when OpenVPN server starts up or shuts down, for which it has a scripting interface. In this case, don't use netfilter-persistent & iptables-persistent otherwise your firewall may bloat (consider the following scenario: script added a rule, then firewall is saved, then script removes the rule, reboot — firewall loaded saved state with the rule, then script runs and adds another rule; after some repeats you see several same rules in the firewall).
First, add to OpenVPN config:
script-security 2
up /etc/openvpn/add-rule.sh
down sudo /etc/openvpn/remove-rule.sh
script-security is needed for it to run scripts at all.
It is very likely you have non-root user and/or group in the server config (which is good!) so your down script will execute with that user/group privileges. Therefore you need to gain privileges again to be able to remove the rule. Create a file /etc/sudoers.d/openvpn-remove-rule that contains the following line which will enable this user to run the said command:
<user> ALL=(ALL) NOPASSWD: /etc/openvpn/remove-rule.sh
(replace <user> with whatever user is set in the OpenVPN config, probably nobody). Then chmod 0400 /etc/sudoers.d/openvpn-remove-rule otherwise sudo will refuse to load it.
Explanation why we need a script and not just put an iptables command call via sudo directly into OpenVPN config. In short: security.
On the contrary, up command runs before dropping root privileges, but for consistency I suggest to use script for it too.
Contents of those scripts are obvious, just put your iptables commands that need to be run on server startup and shutdown. (In principle, you can use any commands there, not just iptables.) Make both scripts executable.
Read man openvpn for reference of its scripting interface.
