Duckdns/wireguard remote access help please!

Hi everyone,
I'm new to OpenWrt and have searched the forums but can't seem to find a clear solution. I have just recently set up 19.07 on a R7800 connected to modem direct to ISP. I installed WireGuard using this guide and all my traffic is passing through which I'm happy about.
I have an unraid (linux) server which is running a Nextcloud docker on a specific port (e.g. 192.168.1.24/888) and I would like to have remote access to it from outside the network (e.g. phone, laptop). I'm aware duckdns.org domain can be set up which would make access much easier.
Now I'm stuck as to what changes I need to make to my wireguard configuration. Do I need to follow one of these two:

Implement plain routing between server side LAN and client side LAN assuming that:

  • 192.168.1.0/24 - server side LAN*
  • 192.168.2.0/24 - client side LAN*
  • 192.168.9.0/24 - VPN network*

Add route to client side LAN on VPN server.

uci set network.wgclient.route_allowed_ips="1"
uci -q delete network.wgclient.allowed_ips
uci add_list network.wgclient.allowed_ips="192.168.2.0/24"
uci add_list network.wgclient.allowed_ips="192.168.9.0/24"
uci commit network
/etc/init.d/network restart

Add route to server side LAN on VPN client.

uci set network.wgserver.route_allowed_ips="1"
uci -q delete network.wgserver.allowed_ips
uci add_list network.wgserver.allowed_ips="192.168.1.0/24"
uci add_list network.wgserver.allowed_ips="192.168.9.0/24"
uci commit network
/etc/init.d/network restart

I would much appreciate any advice and other suggestions. I'm happy to post logs if that helps. Thank you.

Will Mullvad provide a port forward from a public IP to your OpenWrt?

Yes they do!

Then add a redirect on the firewall to forward the port from the vpn interface to the internal server.
https://openwrt.org/docs/guide-user/firewall/firewall_configuration?s[]=redirect#redirects
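For readers who would rather script the port forward than click through LuCI, here is an added example (not code from the thread or from the OpenWrt project) that builds the `uci` commands for one `config redirect` section, the same thing Network/Firewall/Port Forwards writes. The zone name `vpn` for the WireGuard interface, the public port 51888 and the host 192.168.1.24:888 are assumptions chosen for the example; the WireGuard interface may sit in a differently named zone depending on the guide that was followed.

```python
import ipaddress
from typing import List


def _check_port(port: int) -> int:
    """Reject anything outside the valid TCP/UDP port range."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def redirect_uci_commands(name: str, src_zone: str, src_dport: int,
                          dest_zone: str, dest_ip: str, dest_port: int,
                          proto: str = "tcp") -> List[str]:
    """Return the uci commands that create one DNAT port forward.

    Option names follow /etc/config/firewall on OpenWrt 19.07:
      src / src_dport   zone and public port the packet arrives on
      dest / dest_ip    zone and LAN host it is rewritten to
      dest_port         service port on that host
      target DNAT       destination NAT, i.e. a port forward
    """
    ip = ipaddress.IPv4Address(dest_ip)          # raises on a malformed address
    if not ip.is_private:
        # A forward should point at a LAN host, never back out to the internet.
        raise ValueError(f"dest_ip is not an RFC 1918 address: {dest_ip}")
    if proto not in ("tcp", "udp", "tcp udp"):
        raise ValueError(f"unsupported proto: {proto}")
    _check_port(src_dport)
    _check_port(dest_port)

    s = "firewall.@redirect[-1]"               # the section just added by 'uci add'
    return [
        "uci add firewall redirect",
        f"uci set {s}.name='{name}'",
        f"uci set {s}.src='{src_zone}'",
        f"uci set {s}.src_dport='{src_dport}'",
        f"uci set {s}.dest='{dest_zone}'",
        f"uci set {s}.dest_ip='{ip}'",
        f"uci set {s}.dest_port='{dest_port}'",
        f"uci set {s}.proto='{proto}'",
        f"uci set {s}.target='DNAT'",
        "uci commit firewall",
        "/etc/init.d/firewall restart",
    ]


def redirect_is_valid(*args, **kwargs) -> bool:
    """True when the arguments describe a forward this script will emit."""
    try:
        redirect_uci_commands(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Assumed values: zone 'vpn' for the WireGuard interface, public port 51888,
    # Nextcloud on 192.168.1.24 port 888.
    for cmd in redirect_uci_commands("nextcloud", "vpn", 51888,
                                     "lan", "192.168.1.24", 888):
        print(cmd)
```

Keep the public port (`src_dport`) distinct from the service port so that the exposed port is only the one the provider forwards; the script prints the commands rather than running them, so they can be reviewed before being pasted into an SSH session on the router.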

Thank you, can I do that in LuCI?

Sure, Network/Firewall/Port Forwards.

Okay I've forwarded a random port to the port of the Nextcloud docker and it's showing as reachable on Mullvad's site. By the way are we assuming that I've installed duckdns as above?

I don't think duckdns needs to be installed. If you need to use a duckdns name just assign it to the public IP that Mullvad will give you.

Ah okay thanks, so what would the server address be to reach from outside?

The public IP that Mullvad will give you.

I've typed the public IP into the Nextcloud Android app but it fails to connect! Any ideas?

Are there hits on the port forward rule?
iptables-save -c | grep 888, where 888 is the NC port.
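Reading the counters by eye gets error-prone once several forwards exist, and `grep 888` also matches unrelated numbers such as a public port 51888. The following added example (not from the thread or from OpenWrt) parses `iptables-save -c` output and reports whether the DNAT rule for a given port has seen any packets. The sample output embedded in it is constructed: chain names follow the fw3 pattern `zone_<zone>_prerouting`, the zone name `vpn` and the addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables-save -c` output (not captured from the
# poster's router). The leading [packets:bytes] counters are what -c adds.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [1532:98412]
:zone_vpn_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
[1532:98412] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[210:12600] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[7:420] -A zone_vpn_prerouting -p tcp -m tcp --dport 51888 -m comment --comment "!fw3: nextcloud" -j DNAT --to-destination 192.168.1.24:888
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 192.168.1.10:22
COMMIT
"""

# "[packets:bytes] -A <chain> <rest of rule>"
COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
DPORT_RE = re.compile(r"--dport\s+(\d+)")
DNAT_RE = re.compile(r"--to-destination\s+(\S+)")


def dnat_rules(iptables_save_text: str) -> List[Dict[str, object]]:
    """Return every DNAT rule, with its chain and counters, from -c output."""
    rules = []
    for line in iptables_save_text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m or "-j DNAT" not in m.group(4):
            continue
        packets, nbytes, chain, body = m.groups()
        dport = DPORT_RE.search(body)
        dest = DNAT_RE.search(body)
        rules.append({
            "chain": chain,
            "packets": int(packets),
            "bytes": int(nbytes),
            "dport": int(dport.group(1)) if dport else None,
            "to": dest.group(1) if dest else None,
        })
    return rules


def forward_hits(iptables_save_text: str, port: int) -> Dict[str, object]:
    """Classify the forward for `port` as missing, no_hits or hits.

    `port` may be the public port (--dport) or the internal service port
    (after ':' in --to-destination), so 51888 -> 192.168.1.24:888 is found
    whichever number the operator has in mind.
    """
    matching = [
        r for r in dnat_rules(iptables_save_text)
        if r["dport"] == port or (r["to"] or "").endswith(f":{port}")
    ]
    if not matching:
        return {"status": "missing", "packets": 0, "rules": []}
    packets = sum(r["packets"] for r in matching)
    return {
        "status": "hits" if packets > 0 else "no_hits",
        "packets": packets,
        "rules": matching,
    }


if __name__ == "__main__":
    for p in (888, 22, 443):
        result = forward_hits(SAMPLE_IPTABLES_SAVE, p)
        print(f"port {p}: {result['status']} ({result['packets']} packets)")
```

On the router this would be fed with `iptables-save -c` piped into the script; `missing` means the redirect was never created, `no_hits` means traffic is not arriving on the zone the rule lives in (the chain name tells you which), and `hits` with a still-failing connection points at the server side rather than the forward.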

Seems ok. Does the NC need more open ports?

Hmm I don't see why. The docker container only has "Host Port 1".
So just to clarify with the above steps I should be able to access the VPN's public address using my phone's browser connected via 4G?

Yes, you should.
Is there anything abnormal in tcpdump?
tcpdump -i wg0 -vn tcp port 4951 or tcp port 444 or host 192.168.1.153

Thank you. By entering the VPN IP address (whatsmyip.org) into my phone browser what would I expect to see? Apologies for my ignorance, I'm new to all of this.

Running the tcpdump command brings up:

listening on WGINTERFACE, link-type RAW (Raw IP), capture size 262144 bytes

But it just stops there!

The same IP as the one that Mullvad told you to use. It could work with a different one, but it would be quite complicated then.

You are trying to connect from your phone when tcpdump is running, right?

This is from their website. I've tried connecting to both 1 and 2 while tcpdump is running but neither work!

The first IP will never work, it is private.
The second is the endpoint that you connect to; I don't know if it is the same one you are routed to the internet through.

Thank you. These are the only addresses they provide and the second is what shows up as my public IP address!