Zerotier cannot connect to my OWRT router - firewall?

First, check the basics. SSH into your router:

Edit /etc/config/zerotier.

Add your ZT network ID to the option id 'network id' line.

Edit option enabled to '1' and save the config file.

Type service zerotier restart.

Type ip a.

Check that your ZT network adapter has an IP address. If it does, then all is working correctly. If not, log in to ZeroTier Central and check that you have authorized your router to connect to ZT.
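The steps above as a small script, added here as an example and not code from the thread. It checks that the network ID has the right shape before it goes into the config, and parses `ip -o -4 addr` output to confirm a zt* interface actually got an address. The section names used with `uci` ('global' and 'network') are assumptions; check `uci show zerotier` on your build before using that part.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for the join procedure:
# validate the network ID and confirm from `ip -o -4 addr` output that a
# zt* interface has an IPv4 address.

# A ZeroTier network ID is exactly 16 hexadecimal characters.
validate_zt_id() {
    id="$1"
    [ "${#id}" -eq 16 ] || return 1
    case "$id" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Return 0 if the given `ip -o -4 addr` output shows an IPv4 address on a
# zt* interface. With -o each address is one line:
#   "<idx>: <ifname>    inet <addr>/<len> ..."
zt_has_ipv4() {
    printf '%s\n' "$1" | awk '$2 ~ /^zt/ && $3 == "inet" { found = 1 } END { exit(found ? 0 : 1) }'
}

# Constructed sample outputs (not captured from a real router).
SAMPLE_JOINED='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan\       valid_lft forever preferred_lft forever
5: ztabcdef12    inet 10.147.17.1/24 brd 10.147.17.255 scope global ztabcdef12\       valid_lft forever preferred_lft forever'

# Same router, but the node was never authorized in ZeroTier Central:
# the zt* interface exists but carries no address, so it is absent here.
SAMPLE_NOT_AUTHORIZED='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan\       valid_lft forever preferred_lft forever'

# Only meaningful on the router itself: apply the settings with uci instead of
# editing the file by hand, restart the service and re-check. The section
# names 'global' and 'network' are assumed; verify them with `uci show zerotier`.
apply_and_check() {
    validate_zt_id "$1" || { echo "invalid ZeroTier network ID: $1" >&2; return 1; }
    uci set zerotier.global.enabled='1'
    uci add zerotier network >/dev/null
    uci set zerotier.@network[-1].id="$1"
    uci commit zerotier
    service zerotier restart
    sleep 5   # give the daemon a moment to join
    if zt_has_ipv4 "$(ip -o -4 addr)"; then
        echo "ZT interface is up"
    else
        echo "no ZT address yet: check that the router is authorized in ZeroTier Central"
    fi
}
```

Run `apply_and_check <your network id>` on the router; `validate_zt_id` and `zt_has_ipv4` work anywhere and can be tried against the two constructed samples.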

Me stupid :slight_smile:

I didn’t use the ZT IP for accessing my router. Now using the ZT IP I can connect and the router’s logon screen pops up.

So far so good but how to access e.g. my immich router, or any other device in my network?

Your comment:

While CGNAT is not very saturated you can do what zerotier does

  • open a public port and assign ddns name to that address using natpmpc in a kind of script.

Need to come back to that comment from you.

I am not that specialist but that sounds cool.
I do have DDNS up and running and using NGINX via that DDNS.

When using Zerotier I am not able to use this functionality, so that sounds interesting.
Is that a possibility to overcome my CGNAT issue and still be able to access via DDNS?

Could you support me here?

Will not work on low ports.

In CGNAT the ISP will block incoming connections to "your" public IP address (which is actually shared with other customers). You have no control of their router that is doing the NAT.

To access your server through Zerotier, set up a redirect in the firewall (called a "port forward" in the GUI). The external port should be one that is not used by an existing service such as Luci. The internal IP and port are the ones that the server on the LAN responds to.

Then on the phone use <router's Zerotier IP>:<external port>

Note that redirects require the zerotier interface and the lan to be in different zones, and Masquerade enabled on the external (Zerotier) zone.

1 Like

You can open a port with natpmpc

I see replies to your post recommending that ports on the WAN side be opened. Let me be clear once again: ZEROTIER does not require ports on the router to be open. DO NOT OPEN any ports or zones on the WAN side for ZEROTIER. You already have an established and fully reachable, externally pingable IP address without the need for opening ports on the WAN side.

To deal with your next question about accessing services on other devices: there are a few ways you can do this; however, the easiest way would be to install the ZT client on each of those devices in your network whose services you want to access from your mobile phone.

But these are devices like some air conditioners or an immich photo database, where I cannot install ZT. I just would like to be able to reach these via their local IP address - isn’t that possible with zerotier?

Currently the only thing I can reach is the OWRT router.
When entering the ZT IP for the router I land on the LuCI logon screen.
So far so good, but how do I now reach the local IP addresses?

Not only possible, but easy if Zerotier is configured to push routes to the phone when it connects. Then you can enter a LAN IP and port on the phone and it will be routed through the tunnel and forwarded by your home router to the device.

But Zerotier now charges for that feature. In order to use the free version you will need a workaround. Without any custom managed routes, the only tunneled route a phone has is to Zerotier tunnel IPs. So every device on the LAN will need to be reached with the home router's Zerotier IP, but a different port. These port numbers are how several LAN devices can share one IP on Zerotier. For example, an air conditioner's web page at the standard http port 80 may be configured to be translated from port 8080. When these connections come in, the OpenWrt firewall will change the destination address to one on the LAN, change the port number from the unique one to the common one (e.g. 8080 to 80), then forward the packet to the device on the LAN, and of course handle the device's reply in reverse.
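Both the earlier post (separate zone for the ZeroTier interface, Masquerade on it, a redirect whose external port is not one the router already uses) and this one (8080 on the router's ZT IP translated to port 80 on a LAN device) describe the same firewall configuration. The script below, added as an example and not taken from the thread or from OpenWrt itself, generates that configuration as `uci batch` input so the port checks happen before anything touches the router. The zone name 'zerotier', the rule names, the device name ztabcdef12 and the LAN address 192.168.1.50 are constructed; the interface name must match the zt* device on your router.

```shell
#!/bin/sh
# Added example, not from the thread: generate the OpenWrt firewall (UCI)
# settings for reaching LAN devices through <router ZT IP>:<port>.
# Zone name, rule names, device name and LAN address are constructed.

# Ports the router itself answers on (dropbear ssh, LuCI http/https).
# A redirect's external port must not reuse one of these.
ROUTER_PORTS="22 80 443"

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# External port must be valid and not one the router listens on.
ext_port_ok() {
    valid_port "$1" || return 1
    for p in $ROUTER_PORTS; do
        if [ "$1" -eq "$p" ]; then return 1; fi
    done
    return 0
}

# Zone for the ZeroTier device, separate from lan, with masquerade enabled
# as the earlier post requires. forward=REJECT: only the explicit redirects
# below let tunnel traffic reach the LAN.
zt_zone_batch() {   # $1 = zt device name, e.g. ztabcdef12
    cat <<EOF
set firewall.zt_zone=zone
set firewall.zt_zone.name='zerotier'
set firewall.zt_zone.input='ACCEPT'
set firewall.zt_zone.output='ACCEPT'
set firewall.zt_zone.forward='REJECT'
set firewall.zt_zone.masq='1'
add_list firewall.zt_zone.device='$1'
EOF
}

# One redirect ("port forward" in LuCI):
#   <router ZT IP>:<external port>  ->  <LAN IP>:<LAN port>
zt_redirect_batch() {   # $1 = rule name, $2 = external port, $3 = LAN IP, $4 = LAN port
    ext_port_ok "$2" || { echo "bad external port: $2" >&2; return 1; }
    valid_port "$4"  || { echo "bad internal port: $4" >&2; return 1; }
    cat <<EOF
set firewall.$1=redirect
set firewall.$1.name='$1'
set firewall.$1.src='zerotier'
set firewall.$1.src_dport='$2'
set firewall.$1.dest='lan'
set firewall.$1.dest_ip='$3'
set firewall.$1.dest_port='$4'
set firewall.$1.target='DNAT'
EOF
}

# The post's example: the air conditioner's web page on port 80 becomes
# <router ZT IP>:8080. 192.168.1.50 is a constructed LAN address.
build_batch() {
    zt_zone_batch ztabcdef12
    zt_redirect_batch zt_aircon 8080 192.168.1.50 80
}

# On the router, apply it with:
#   build_batch | uci batch && uci commit firewall && service firewall reload
```

Add one `zt_redirect_batch` line per LAN device, each with its own external port; the generator refuses 22, 80 and 443 because those already belong to the router, and refuses anything outside 1-65535.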

Maybe time to look at another solution?

Of course in due time those will probably also start charging for "advanced" features :frowning:
But in the meantime, perhaps NetBird or Tailscale?

Boy am I glad with my full dual stack :slight_smile:

1 Like

As one of the posters described, you need to either set up a tunnel or configure port forwarding or reverse proxying. You have just revealed this is for your IoT devices and this is too much for me to support you on. Maybe someone else can help. Good luck.

Just a note: I can turn on my home A/C remotely from my mobile using Tuya. I am also sure home assistant is capable of doing the same. Why don’t you use one of these apps instead?

1 Like

I think I tried NetBird already, was it not with Proton IPv4? I wasn’t successful.

But full dual stack - you mean provided by your ISP, or what are you using?
In the meantime I also was searching for alternatives and came to the idea of using a VPS, somehow offering the possibility to overcome this CGNAT sh.. IONOS offers a simple VPS for 1 EUR/month.

The only problem is my poor knowledge :frowning:

What about Tailscale, is that different compared to Zerotier, and is it free for private usage?
And what about this NATPMPC, is this maybe a possibility to connect my DDNS, or is it insecure?

(Before CGNAT) I do have NGINX up and running using DDNS, and so I am able to connect without any additional VPN to my Immich and Seafile servers at home, that I would like to have again.
What is your recommendation for a stable and maybe easy to setup solution?

Yes, IPv6 and IPv4 both with public IP addresses, but ISPs nowadays do not often provide that.

I have free Oracle Cloud VPS, free as in free beer if you do not have a large amount of traffic.

I have installed an OpenVPN server, a WireGuard server and it is a NetBird node not because I need it but because I can :slight_smile:

But you need Linux skills, know firewall rules and do not forget to allow forwarding in the kernel (had me scratching my head for a while).

So maybe an easier solution is what you want.

Tailscale is not much different from NetBird, but just like NetBird it is a viable solution to overcome CGNAT; to work with it you also need a Tailscale node on the client side.

If you want something to connect without setting things up on the client side, then research Cloudflared, but I do not think that it is free as you need a Cloudflare domain, and I have never used it.

I see you are a bit further along; that all sounds too complex for me.

I do have Debian running here and try to run as much as possible in docker containers, but I am far away from saying I know Linux.

Nevertheless I think I understand that a VPS is maybe the stable solution I would need to get a public IPv4 (will I get a public IPv4 with a VPS?), which makes me independent from ISPs.
The stupid thing is I don’t know yet how :frowning: This IONOS is without traffic limit and for 1 Euro it is worth a try.

1 Like

I use Linode / Akamai. Their USD $5.00 service has full IPv6 support (/56 on request) and allows bringing your own OS, including OpenWrt.

1 Like