The default firewall configuration for OpenWrt prevents all unsolicited ingress on WAN. That means that the internet cannot access your router's config interface (ssh and/or LuCI web interface), nor can it access things like AG/AGH or other services on your device.
Therefore, you don't need to do anything special to further secure your router from the wan side unless you have remote access requirements and/or if you have changed the firewall configuration with respect to the traffic accepted on the wan.
you can do this if you want (provided your hardware has the capacity for it). But it is only necessary if need features that are offered by these packages and not via the standard config.
These ports are only open on the lan, by default. It is not recommended to open them to the wan. You can always change the listening ports if needed (but still not recommended to be opened on the wan even when ports have been changed).
No ports are open on wan unless you change the firewall.
I'm not exactly sure what you're asking here... can you be more specific? Accessing that link from the lan and expecting it to direct you to < something?? >, or accessing it from the wan and expecting something?
Fro remote access of your router, VPN is the most secure and recommended method. By this, we're talking about a VPN server/endpoint on your router that would accept connections from your remote devices (phone, computer, etc.)... you don't need a commercial VPN provider (unless you don't have a public IP, in which case you may need a VPS).
ok... so sure. If that's the case, you'll want to disable or change the listening port for the LuCI web interface (uhttpd)... you can put NGINX on port 443 and set it up according to your needs. Then simply create a fireawll rule that accepts traffic with source wan to dest port 443. That will open the port and your NGINX server should be listening there.
I haven't installed NGNIX, so I don't know exactly what happens with the LuCI web interface when you do that... theoretically both NGNIX and uhttpd servers can run at the same time as long as they don't try to use the same port.
Be sure to securre your NGNIX webserver with resepct to exposing it to the web... it's a nasty world out there. The only OpenWrt specific thing is that you'll open the port... but beyond that, it's about configuration of the web server.