Do I need to open any incoming ports in the firewall?

For the devices to set up an end-to-end encrypted tunnel with the gateway, ensure that UDP port 51820 (or the port your gateway is actually using) is open to incoming traffic from the internet on your firewall.