Okay I figured it out already and from home too - fortunately I was able to use ssh to one of my Linux hosts and create a port 3389 tunnel into my Windows Home Server box, this let me connect to that system using Remote Desktop to localhost. In case someone needs to use that trick here is the incantation:
ssh -CNL 3390:windows-remote-lan-address:3389 linux-remote-host-address
obviously you need to replace windows-remote-lan-address appropriately - for me it is something like 192.168.0.x. In general your remote Linux box may not understand Windows host names hence the IP address. Ditto for linux-remote-host-address. Then you should be able to use remote desktop to connect to localhost:3390 and get connected to the remote windows box. There are some issues with connecting to localhost on XP, but later Windows versions, Linux and Mac RD implementations should work fine. See here for help: www.bitvise.com/remote-desktop.
Okay so here is the Windows part of it - you need to reconfigure the Windows firewall settings to allow access to RDP over networks other than the local LAN. If you have the firewall off completely that shouldn't be an issue but if you take a stock Windows machine the firewall should be on - when you enable Remote Desktop access it will add a firewall exception but that is only for the local subnet and as I mentioned in my first post OpenVPN uses a tunneled connection by default (not sure how easy it is to change that to bridged or if it is worth it) so it will look like you're accessing the Windows machine from 10.8.0.something.
To broaden the firewall exception do the following:
Login to your PC with a user that has Administrator rights. Go to the Windows Control Panel and find the Windows Firewall settings dialog (it varies from Windows version to version, I won't try enumerating them). Then click on the exceptions tab and scroll down for Remote Desktop which should have been added by Windows when you enabled remote desktop access. Select Edit and at the bottom select change scope. You can blow it wide open to Any Computer or just add your local subnet and the OpenVPN subnet used by ClearOS. For mine I entered:
apply those changes and you should be done.
If you still can't access your machine then you must have some other problem.
Note that this is somewhat painful because you will have to enable it for each and every PC that you'll be accessing (unless you're on a Windows domain and figure out a domain wide policy to apply this rule - something I know nothing about).
Good luck and let us know if this helps!