WG remote host communicate with LAN host with no default route set?

I have a host on a LAN that has no default route set, or it's set to something incorrect (I'm not sure, it's a CCTV box that I can't get into and is several hundred miles away). The LAN (172.16.20.0/24) is connected to an OpenWrt router which also has an interface on a WAN (192.168.1.0/24) and it gets access to the internet via this WAN.

The OpenWrt router also hosts WireGuard so that remote clients (me at the moment) can connect to it; its net is 192.168.9.0/24.

So although I can connect to everything else on the LAN, I can't connect to the CCTV box because it does not have ssh etc. (if it had ssh I could ssh from the OpenWrt box and reconfigure it). The only way it's been working previously with OpenVPN is via an app (only for viewing the CCTV though, not logging in etc.). Now I have changed to WireGuard the app won't connect.

I assume previously, when I was connecting remotely using OpenVPN, it was NATing my packets to a LAN source address and vice versa, so making me appear as a host on the LAN.

So I am wondering if it's possible to do this (and does it even make sense, or perhaps some other mechanism was allowing it to work previously, IDK).

Essentially it seems I want to rewrite my source address on packets going from the vpn zone to the lan zone with a LAN source IP address, and the other way round too once a connection is set up. But clicking masq on my WireGuard zone in LuCI is not working.

Any pointers would be much appreciated.

You should enable masquerading on the lan zone, but better create a SNAT rule.

uci add firewall nat
uci set firewall.@nat[-1].name='SNAT-to-CCTV'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='172.16.20.1' # Router LAN IP address here
uci set firewall.@nat[-1].dest_ip='172.16.20.151' # CCTV IP address here
uci set firewall.@nat[-1].proto='all'
uci commit firewall # persist the new nat section
/etc/init.d/firewall restart # apply it
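To show why the SNAT rule above works where masquerading the WireGuard zone did not, here is an added illustration (not from this thread or from OpenWrt) that models the CCTV box's routing table with only its connected LAN route, checks whether it could route a reply to a WireGuard client address, and renders the same UCI nat section from parameters. The WireGuard client address 192.168.9.2 is a constructed example value.

```python
"""Why SNAT to the router's LAN address fixes a host with no default route."""
import ipaddress

# Constructed routing table of the CCTV box: only the connected LAN route,
# no default route (the situation described in the question).
CCTV_ROUTES = [ipaddress.ip_network("172.16.20.0/24")]


def can_reply(dst, routes=CCTV_ROUTES):
    """True if the host has any route that covers the reply destination."""
    dst = ipaddress.ip_address(dst)
    return any(dst in net for net in routes)


def snat_rule_ok(snat_ip, dest_ip, lan="172.16.20.0/24"):
    """Sanity check: the SNAT address must sit on the same LAN as the CCTV
    box, otherwise the rewritten source is still unreachable for it."""
    net = ipaddress.ip_network(lan)
    return (ipaddress.ip_address(snat_ip) in net
            and ipaddress.ip_address(dest_ip) in net)


def uci_commands(name, snat_ip, dest_ip):
    """Render the OpenWrt UCI nat section from the answer as a command list."""
    return [
        "uci add firewall nat",
        f"uci set firewall.@nat[-1].name='{name}'",
        "uci set firewall.@nat[-1].src='lan'",
        "uci set firewall.@nat[-1].target='SNAT'",
        f"uci set firewall.@nat[-1].snat_ip='{snat_ip}'",
        f"uci set firewall.@nat[-1].dest_ip='{dest_ip}'",
        "uci set firewall.@nat[-1].proto='all'",
        "uci commit firewall",
        "/etc/init.d/firewall restart",
    ]


if __name__ == "__main__":
    wg_client = "192.168.9.2"  # constructed WireGuard client address
    # Without SNAT the CCTV box sees the VPN address and has no route back.
    print("reply to VPN client possible:", can_reply(wg_client))
    # With SNAT it sees the router's LAN address, which is on-link.
    print("reply to router LAN IP possible:", can_reply("172.16.20.1"))
    print("\n".join(uci_commands("SNAT-to-CCTV", "172.16.20.1", "172.16.20.151")))
```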

Fantastic! Works first time. Thanks, appreciate it very much.

BTW I did this through LuCI in the end because I am remote and I wanted the auto rollback feature to 'protect' me, but would auto rollback (after 90s) have worked via the CLI too? Or is that a LuCI / web only thing?