Correct permissions for firewall with WireGuard, LAN and WAN zones

Hi, I've got a OpenWrt box thats has a LAN attached (172.16.20.0/24) which it provides internet to and its also connected to a small WAN (192.168.1.0/24), just itself and an ADSL router on that network. It also has WireGuard providing a VPN server to mobile hosts out on the internet. Obviously the internet connection is the ADSL router. The ADSL router also has a port forward to the OpenWrt box for VPN connections.

It all works fine, but my firewall is currently wide open.

I just locked myself out of it trying to figure out what rules I should have in the firewall, and had to wait 2 days and then get someone else to log in and fix it while on the phone to me (its a couple of hundred miles away). For some reason the auto rollback of Luci did not work for me (I assume NAT connections were established before I set the wrong rules, and bypassed the new incorrect rules after I set them up, then a subsequent reboot flushed these and my changes had prevented setting new connections up). So I wonder if anyone can advise what rules I need to implement to stop me locking it up again.

Whats required is:
Hosts on the LAN need to be able to initiate requests to the internet (say, PCs need to browse the internet).
Hosts on the internet (mobile phones on cellular data networks) need to be able to use the VPN to access hosts on the LAN.

Additionally I would like to be able to configure the OpenWrt box via the VPN while I am accessing it from a remote location (so I am out on the internet).

Where's the best place to learn about how these rules work too? I don't understand the details (like when are the rules applied during a packets traversal through one interface, the CPU, another interface, how do rules apply to packets that are reply packets for NAT, stuff like that)