Allow connections to a device under a router-wide WireGuard VPN interface

Once I've managed to get WireGuard VPN functioning on my Archer C6U, I've lost the ability to, for example, ssh into the router or any other device, or to connect via Moonlight to a Sunshine host under the router's network. If anyone could point me in the right direction I'd be very grateful.
Attached are various files and outputs:

wg show

interface: wg0
  public key: <key1>
  private key: (hidden)
  listening port: 46507

peer: <key2>
  endpoint: <ip:port>
  allowed ips: 0.0.0.0/0, ::/128
  latest handshake: 46 seconds ago
  transfer: 140.46 GiB received, 5.97 GiB sent

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'ec
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src_dport '22'
        option dest_ip '192.168.1.181'
        option dest_port '22'
        option name 'SSH PC'
        option src 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Parsec'
        list proto 'udp'
        option src 'wan'
        option dest_ip '192.168.1.181'
        option src_dport '8000-8010'
        option dest_port '8000-8010'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'MAM'
        option src 'wan'
        option dest_ip '192.168.1.181'
        option src_dport '40000-60000'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wake on Wan'
        list proto 'udp'
        option src 'wan'
        option src_dport '9'
        option dest_ip '192.168.1.181'
        option dest_port '9'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH ROUTER'
        option src_dport '23'
        option dest_port '22'
        option dest_ip '192.168.1.1'
        option src 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'NixOS WSL SSH'
        option src 'wan'
        option src_dport '1337'
        option dest_ip '192.168.1.181'
        option dest_port '1337'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Force DNS'
        option src_dport '53'
        option dest_port '53'
        option src 'lan'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '<ip>'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        list network 'wg0'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'vpn'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option strictorder '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option leasetime '24000h'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'zhukopc'
        option dns '1'
        option mac '<mac1>'
        option ip '192.168.1.181'
        option duid '<duid1>'
        option leasetime 'infinite'

config host
        option name 'Zhukophone'
        option ip '192.168.1.201'
        option mac '<mac2>'

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix '<ipv6cidr>'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.1.1/24'
        list ipaddr '192.168.69.1/24'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '<ip>'
        option metric '20'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config interface 'wg0'
        option proto 'wireguard'
        option peerdns '0'
        list dns '<ip>'
        option metric '10'
        option private_key '<pKey1>'
        list addresses '<ipv4cidr>'
        list addresses '<ipv6cidr>'

config wireguard_wg0
        option description 'fi-hel-wg-002'
        option public_key '<key2>'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0'
        option route_allowed_ips '1'
        option endpoint_host '<ip>'
        option endpoint_port '<port>'

wg showconf wg0

[Interface]
ListenPort = <port>
PrivateKey = <pKey>

[Peer]
PublicKey = <key2>
AllowedIPs = 0.0.0.0/0, ::/128
Endpoint = <ip:port>

Both help & critique are very welcome.

You did not show ip route show, but I assume that default routing is via the WG interface.

In that case traffic coming in via the WAN interface (the port forwards) will be routed out via the WG interface which is a no go.

You have to use Policy Based Routing (pbr).
Either remove default routing of the WG interface and use PBR to route clients, interfaces, ports etc via the WG interface
or
use pbr to route the clients, ports etc out via the WAN which are entering via the WAN

See:
https://openwrt.org/docs/guide-user/network/routing/pbr

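To make the reply above concrete, here is a small route-table reader, an added example that is not part of the thread. Given an `ip -4 route` dump it picks the route an IPv4 reply would take (longest prefix first, then lowest metric), which is what the kernel does when no policy-routing rule intervenes. The ROUTES text is constructed to mirror the dump the original poster provides later in the thread; the `<...>` placeholders are kept as they appear there, and any line whose prefix is not a literal IPv4 address is skipped.

```sh
# Added example, not from the thread: which interface carries a reply packet
# when only the main routing table decides? ROUTES is constructed to mirror
# the poster's later `ip -4 r` output (placeholders kept as on the page).
ROUTES='default dev wg0 scope link  metric 10
default via <wanGateway> dev wan  src <wanAddress>  metric 20
<wgAddress> dev wg0 scope link  metric 10
<wanCidr> dev wan scope link  metric 20
<wgEndpoint> via <wanGateway> dev wan  metric 20
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.69.0/24 dev br-lan scope link  src 192.168.69.1'

# route_dev ROUTES DEST_IP: print the device the main table selects for
# DEST_IP (longest matching prefix, ties broken by the lowest metric).
route_dev() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
        # prefix(n, bits): the top "bits" bits of n, computed by division so
        # that no gawk-only bitwise functions are needed
        function prefix(n, bits) { return int(n / (2 ^ (32 - bits))) }
        BEGIN { bestbits = -1 }
        {
            if ($1 == "default") { net = 0; bits = 0 }
            else if ($1 ~ /^[0-9.]+\/[0-9]+$/) { split($1, p, "/"); net = ip2n(p[1]); bits = p[2] + 0 }
            else if ($1 ~ /^[0-9.]+$/) { net = ip2n($1); bits = 32 }
            else next                      # placeholder such as <wgAddress>
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (prefix(ip2n(dst), bits) != prefix(net, bits)) next
            if (bits > bestbits || (bits == bestbits && metric < bestm)) {
                best = dev; bestbits = bits; bestm = metric
            }
        }
        END { print best }'
}

# A client on a remote network (documentation address) arrives via wan, but
# its replies are routed out through wg0 because that default has the lower
# metric. A LAN host is still reached directly via br-lan.
route_dev "$ROUTES" 203.0.113.10   # wg0
route_dev "$ROUTES" 192.168.1.181  # br-lan
```

The first result is the asymmetry the reply describes: packets for the port forwards enter on wan, but the answers leave on wg0, so the VPN provider's gateway sees them and the remote client never does. Policy-based routing exists to override this table lookup for selected traffic.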

Just wanted to compliment you on the config dump, great work.

Half expected to see a route out through WAN so the VPN software can reach the VPN gateway.

Probably don't see it because it's via DHCP and not in the config?

Perhaps also include a dump of live routes, e.g.

# ip -4 r

both

and

yield

default dev wg0 scope link  metric 10
default via <wanGateway> dev wan  src <wanAddress>  metric 20
<wgAddress> dev wg0 scope link  metric 10
<wanCidr> dev wan scope link  metric 20
<wgEndpoint> via <wanGateway> dev wan  metric 20
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.69.0/24 dev br-lan scope link  src 192.168.69.1

Thank you both for the swift replies. To be honest, I have shamefully little clue as to how my VPN setup works, as well as what you now suggest I do. Will get back to researching the linked resource in the morning.

Thank you! I took inspiration from other threads, not knowing what to provide, as I operate mainly via LuCI. Willing to learn the router's CLI, though.


I see I have not specified a crucial detail, so just in case: I'm trying to connect from another network. Connecting when under the router's VPN'd Wi-Fi works.
Anyhow,

option 2 sounds more like what I need (routing select connections out through WAN, rather than routing select connections out through WG).

literally says that it allows you to "Implement port forwarding on the WAN interface when traffic is routed to VPN by default", but I struggle to figure out how.
Tried both adding a policy to route destination port 22 through WAN, and adding a policy to route source port 23 through WAN (as per the current port forward to the router's LAN address), but that didn't give the desired effect (or any, at all).
Specifically, I tried:

uci add pbr policy
uci set pbr.@policy[-1].src_addr="192.168.1.1" # Router's LAN IP
uci set pbr.@policy[-1].src_port="23"
uci set pbr.@policy[-1].proto="tcp"
uci set pbr.@policy[-1].interface="wan"
uci reorder pbr.@policy[-1]="1"
uci commit pbr
service pbr restart

My SSH config entry is as follows:

Host ROUTER
  User root
  Port 23
  HostName <wanIpv4>

If you are trying to reach the router it should be set on the output chain and not the prerouting chain (which is for FORWARD).

However, that still might not work, as there seems to be a problem with using sport/dport and fwmark in nftables; not sure what it is.
In that case use an include file for PBR to make an ip rule.

I have made a script which you can use as include file, the instructions are inline:

Note: why not use WireGuard to connect to your router? It is more safe, and the sport rules are created automatically for the WireGuard server according to my script.


Sure. AND THEN I assume I would SSH into its LAN IPv4 (192.168.1.1), or a multiplayer session may be organised like a LAN session virtually, with the use of WG connections for each player to my router? My understanding is yet limited, but if that is the case, I'd love that. If not, I would appreciate some more clarification/resources.
Currently, however, with your guidance and my silly mistake fixes, specifically:

/etc/config/pbr:

config policy
        option src_addr '192.168.1.1'
        option proto 'tcp'
        option interface 'wan'
        option chain 'output' # Thanks to egc
        option name 'SSH-ROUTER'
        option src_port '22' # Accounting for port forwarding

along with

/etc/config/firewall

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'SSH ROUTER'
        option src_dport '23'
        option dest_port '22'
        option dest_ip '192.168.1.1'
        option src 'wan'

I am able to SSH into my router (and, with similar changes, I suspect, make any connection I desire) from another network!!!

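The working pair above encodes two things worth stating explicitly: the pbr policy matches the reply traffic after DNAT, so its src_port is the redirect's dest_port (22), not the WAN-facing src_dport (23); and a reply from the router's own address is locally generated, so it belongs on the output chain, as egc said, whereas a reply from a LAN host is forwarded and would be matched in prerouting. The following helper, an added example that is neither the thread's nor the pbr package's code, derives the pbr stanza from a redirect's fields. It assumes the pbr `chain` option accepts the values 'output' and 'prerouting' named in this thread and that 192.168.1.1 is the router's own LAN address (it is, per the network config above).

```sh
# Added example, not from the thread or the pbr package: derive the pbr policy
# that sends the replies of a WAN port forward back out via the WAN.
ROUTER_LAN_IP=192.168.1.1   # router's LAN address, from the network config in the thread

# pbr_chain DEST_IP: 'output' when the redirect targets the router itself
# (reply is locally generated), 'prerouting' when it targets a LAN host
# (reply is forwarded through the router).
pbr_chain() {
    if [ "$1" = "$ROUTER_LAN_IP" ]; then echo output; else echo prerouting; fi
}

# pbr_policy NAME DEST_IP DEST_PORT PROTO: print an /etc/config/pbr stanza.
# DEST_PORT is the redirect's dest_port (the post-DNAT port), which is what
# the reply carries as its source port; the WAN-facing src_dport is not used.
pbr_policy() {
    cat <<EOF
config policy
        option name '$1'
        option src_addr '$2'
        option src_port '$3'
        option proto '$4'
        option chain '$(pbr_chain "$2")'
        option interface 'wan'

EOF
}

# The two SSH redirects from the firewall dump (src_dport 23 -> router:22,
# src_dport 22 -> PC:22); the router case reproduces the stanza above.
pbr_policy SSH-ROUTER 192.168.1.1 22 tcp     # chain 'output'
pbr_policy SSH-PC 192.168.1.181 22 tcp       # chain 'prerouting'
```

Two caveats the thread itself raises: egc notes that sport/dport matching together with fwmark in nftables may not behave, and the original poster reports further down that the prerouting variant for the PC had no effect for them, so treat the LAN-host stanza as the expected shape rather than a verified fix. The policy only decides which way replies leave; what is reachable from the WAN at all is still determined by the redirect rules in /etc/config/firewall.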

That is possible, but the clients need to get a config with a key from you, so if those clients are known and trusted and there is a limited number, then that surely can work.


Good to know! Might fall back to this method if I give up on the other way.

What I wrote in my previous reply does not seem to be the case, actually, as I am unable to configure pbr in a similar manner to, say, SSH into the PC.


If I change the port configuration in any way (add 23 to Remote ports, switch their places, only leave Remote ports filled, or set the same value into Local & Remote ports) it ceases to work and I am unable to connect to the router via SSH.

A similar policy for the PC (except the Local addresses field is set to 192.168.1.181 as per the port forwards) has no effect; I am yet to connect to it using such a method.