If I installed a server on a computer behind a router and wanted to allow connection to it from the Internet, I would have to do two things: One, open the firewall on the server machine to allow the incoming connection; and two, set up a port forwarding rule on the router so the connection may go from WAN to LAN (specifically to the server machine).
But what should I do if the server machine in question is the router itself running on OpenWrt?
I can think of two options.
Option A. Treat the router like any other computer in LAN. After installing the server on the router, open the firewall to allow incoming connection from within LAN to the server. (I believe this is done in LuCI > Network > Firewall > Traffic Rules.) Then, set up a port forwarding rule from WAN to LAN (specifically the server). (LuCI > Network > Firewall > Port Forwards.)
Option B. Use LuCI's Traffic Rules tab to open the firewall for connection from WAN directly to the server.
The questions are:
Am I right to think these are the two options I may consider?
What would be the pros and cons on either side?
What is the standard practice?
The server in question may be a VPN server (e.g. WireGuard) or OpenSSH, which I may install in place of Dropbear. But the same question would arise if you installed an A/V stream server on OpenWrt (assuming that's possible). In other words, I want this question to remain a generic one on the two options above rather than be limited to any particular software (WireGuard etc.).
I am new to both OpenWrt and Linux. I didn't know OpenWrt existed until just a few days ago. It is possible that option A is bonkers (something no one ever does) and that my brain only thought it up because it never saw anything like OpenWrt before and can only think in "regular router" terms.
Actually, that makes me think Option A may have this advantage going for it. I have actually done port forwarding before, but Linux firewall is new to me. So I might mess up on Traffic Rules, and it would be better if the mess-up happens only in LAN.
Please advise. Thanks.
ADDENDUM
These are LuCI screenshots illustrating Option A (left) and B (right). The left panel assumes that port 12000 has been opened to LAN (either by default policy or specific traffic rule). 192.168.1.1 is the router's LAN IP address.
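
The two options from the question, written as `/etc/config/firewall` stanzas. This is an added example, not part of the original post. Port 12000 and 192.168.1.1 come from the addendum; the zone names `wan` and `lan`, the TCP protocol and the rule names are assumptions.

```uci
# /etc/config/firewall (excerpt). Constructed example; use one option, not both.
# Assumed: zones named 'wan' and 'lan', TCP, and the rule names.

# Option A: port forward (LuCI > Network > Firewall > Port Forwards).
# WAN traffic to port 12000 is DNATed to the router's own LAN address.
# As in the addendum, port 12000 must already be accepted on the lan zone
# (by default policy or by a traffic rule).
config redirect
	option name 'OptionA-forward-12000'
	option target 'DNAT'
	option src 'wan'
	option src_dport '12000'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option dest_port '12000'
	option proto 'tcp'

# Option B: traffic rule (LuCI > Network > Firewall > Traffic Rules).
# No 'dest' option: the rule applies to input addressed to the router itself.
config rule
	option name 'OptionB-allow-12000'
	option src 'wan'
	option dest_port '12000'
	option proto 'tcp'
	option target 'ACCEPT'
```

After editing the file, `/etc/init.d/firewall reload` applies the change.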