From the live system:
config zone 'zt'
option name 'zt'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option network 'zt0'
option masq '1'
option mtu_fix '1'
config redirect 'zt_ssh'
option name 'ZT-Allow-ssh'
option target 'DNAT'
option src 'zt'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.1.1'
option dest_port '22'
Edit (inspired by @trendy ): the example above is valid if you need to have a NAT between zones. Without NAT you just need to take care about routing between the subnets and if you have a dedicated firewall zone for VPN you will need a simple allow rule for the given port/protocol.