VPN traffic confusion~

Hello everyone,

To ask the question first, I am wondering is it possible for outbound traffic to go through the VPN (tun0) interface and yet incoming traffic be received through the WAN interface?

To describe my network situation I am using VPN Bypass to exclude certain ports and IP range on my network from using the VPN as I only need it for certain devices/computers. This seems to have been successful as I can check via sites such as ipleak.net and ipx.ac that the devices that aren't excluded have a different IP etc to those that are. I also have tested with a traceroute from one of the VPN devices and can see it going through the VPN tunnel at least with outbound traffic. Though I am not sure how to test the reverse.

I also have my router registered with a DDNS service and allow external access to it from a single IP address, which is updated with the WAN address, not the VPN address. However the confusion is that in theory I shouldn't be able to access my router or any device that is behind (regardless of firewall rules?) due to the VPN connection? Ideally this is not what I want as I would still like devices like my NAS and Plex to be accessible by bypassing the firewall, but as it is I am not sure it is as secure as it should be.

Is it possible for traffic to be received by a different IP address than what requested it? I mean my understanding is that traffic leaving through the VPN would be returned back through the same address? I can also clearly see Tx and Rx traffic on both the tun0 and wan interfaces, although the amount of it is different.

LuCi screenshots below if that helps make anything clearer:

When you request a web page, that is an outbound connection. The web server's answer is part of that connection, it is not a separate "inbound" piece of traffic. Similarly if you have a NAS server, someone on the Internet requesting a file would be an inbound connection, and the server's response is part of that connection. The request and the response are always between the same two IP addresses.

VPN services are only for outbound connections. The same server IP is used by many subscribers. It does not accept inbound connections to your VPN tunnel. Inbound connections must go directly to your WAN IP. These users will not be aware at all that another process on the router is using a VPN.

Running a VPN client on your router, an outbound connection flows like this:
PC on the LAN --> br-lan --> NAT and forward to --> tun0 --> OpenVPN process in user space --> regular TCP or UDP request to the kernel --> NAT and forward to --> WAN --> VPN server on the Internet --> web server

So you will see traffic on all the interfaces. The byte count on the WAN is larger because OpenVPN wraps up the data packets with important metadata such as the final destination IP.

Thank you for the good explanation @mk24, it does at least make things clearer.
Sorry to sound a bit newb then but would that make Rx on the interface be the outbound connection from the LAN? Just as that is the one I would expect to be the highest even though Tx = Transmitted?

One last query, is how I have the zone forwarding set up correct for a VPN? Just as it seems to vary, as I could only allow forwarding from LAN > VPN but then devices excluded from the VPN wouldn't have access to the WAN. Do I even need forwarding from VPN > LAN if like you say inbound connections only go from WAN > LAN, or is it needed as part of the outbound connection from LAN > VPN?