I want to be able to remote manage my routers, so I want them connect to a VPN so I can access luci and ssh when I am also connected to that server. I don't want to pass internet traffic for clients through this VPN. I only want the router itself connected for management purposes. How would I achieve this?
Once you have the VPN configured, simply assign it to a unique firewall zone. That firewall zone will have input = accept and output = accept. If the zone has no forward allowances (no other zones forwarding to the VPN zone, no other zones accepting forwarding from the vpn zone), the traffic will not be able to traverse any other networks, but it will be able to reach the router.
I'd also suggest to consider preferring wireguard for this task.