Thanks for this conversation. I should be able to update iptables in my Asus routers in various parts of the world to pull in specific IPs via DNS and allow those via NAT. Then everything else will come over OVPN. Hadn't put much thought/effort into that aspect previously.
Not to bore anyone, but luckily my Asus AX-11000 router allows NAT where you specify the incoming IP/CIDR... which is the first time I've seen that on stock firmware myself. I was able to add the /16 block my work uses for VPN, so now I've got NAT working quite seamlessly. I use DDNS URLs for all my services, and I can hit them from work VPN, LAN, and VPN, due to the multiple sets of NAT/firewall rules I set up.
Just because I'm a masochist, I'm still going to write a quickie script on a local VM to SSH into the router and add rules for my various device IPs via GoDaddy DDNS. This is mostly because I have servers sitting around the world, and linking the various networks is a tad difficult without Merlin firmware.
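For anyone wanting to build the "resolve DDNS name, push matching iptables rule over SSH" script described above, here is an added example (not the poster's script, and not anything from Asus or GoDaddy). It assumes POSIX sh, `getent` for resolution, a router that accepts `sh -s` over SSH with `iptables` on its PATH, and a filter chain named `INPUT`; the hostnames, ports, router address and state directory are placeholders. The two things it takes care to get right are the failure modes a DNS-driven allow rule has: it never emits a rule when resolution fails or returns something that is not a dotted quad (a templated `-s "$ip"` with garbage or injected text is exactly how you end up with a rule you did not mean to write), and it deletes the rule for the previous IP before inserting the new one so yesterday's address, now owned by someone else, does not keep its hole.

```shell
#!/bin/sh
# Added example: resolve DDNS hostnames and push per-host iptables allow rules
# to a router over SSH. Everything below the comment block is an assumption:
# hostnames, ports, chain name, router address and state directory are placeholders.
set -eu

ROUTER=${ROUTER:-admin@192.168.1.1}          # assumed router SSH target
STATE_DIR=${STATE_DIR:-${TMPDIR:-/tmp}/ddns-fw}  # last pushed IP per hostname
CHAIN=${CHAIN:-INPUT}                        # assumed chain; adjust for your firmware
DRY_RUN=${DRY_RUN:-1}                        # 1 = print the commands, 0 = ssh them
# host:port[,port...] entries, separated by spaces (placeholder names)
HOSTS=${HOSTS:-"nas.example.net:22,443 cam.example.net:8443"}

# Strict dotted-quad check: only digits and dots, four fields, each 0-255.
# Anything else (empty string, hostname, injected "1.2.3.4 -j ACCEPT") fails.
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Resolve one A record. Non-zero return means "skip this host": the caller must
# never build a rule from an empty or unexpected answer.
resolve_a() {
  ip=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}') || true
  valid_ipv4 "${ip:-}" && printf '%s\n' "$ip"
}

# Print the iptables commands that move a host's allow rules from old_ip to
# new_ip. The old rule is deleted first so a changed address does not leave a
# stale hole; -C makes the insert idempotent across repeated runs.
# usage: build_rules NEW_IP OLD_IP "PORT PORT..."
build_rules() {
  new_ip=$1; old_ip=$2; ports=$3
  for p in $ports; do
    if [ -n "$old_ip" ] && [ "$old_ip" != "$new_ip" ]; then
      printf 'iptables -D %s -s %s -p tcp --dport %s -j ACCEPT 2>/dev/null || true\n' \
        "$CHAIN" "$old_ip" "$p"
    fi
    printf 'iptables -C %s -s %s -p tcp --dport %s -j ACCEPT 2>/dev/null || ' \
      "$CHAIN" "$new_ip" "$p"
    printf 'iptables -I %s -s %s -p tcp --dport %s -j ACCEPT\n' \
      "$CHAIN" "$new_ip" "$p"
  done
}

main() {
  mkdir -p "$STATE_DIR"
  script=""; pending=""
  for entry in $HOSTS; do
    host=${entry%%:*}
    ports=$(printf '%s' "${entry#*:}" | tr ',' ' ')
    if ! new=$(resolve_a "$host"); then
      echo "skip $host: no valid A record" >&2
      continue
    fi
    old=$(cat "$STATE_DIR/$host" 2>/dev/null || true)
    script="$script$(build_rules "$new" "$old" "$ports")
"
    pending="$pending$host $new
"
  done
  [ -n "$script" ] || { echo "nothing to do" >&2; return 0; }
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s' "$script"
  else
    printf '%s' "$script" | ssh "$ROUTER" 'sh -s'
  fi
  # Record the new IPs only after the router accepted them, so a failed push is
  # retried next run and the old rule still gets deleted then.
  printf '%s' "$pending" | while read -r h ip; do
    printf '%s\n' "$ip" > "$STATE_DIR/$h"
  done
}

# Run as: ./ddns-fw.sh run     (DRY_RUN=0 ./ddns-fw.sh run to actually push)
if [ "${1:-}" = run ]; then main; fi
```

Two caveats worth keeping in mind with this pattern. First, the rule is only as trustworthy as the DNS answer: whoever can change the DDNS record (or spoof the reply to the VM, absent DNSSEC) gets the hole, so the script should run from a host whose resolver you trust. Second, stock router firmware tends to regenerate its own firewall chains on events like a WAN reconnect, which can wipe rules inserted by hand; re-running the script on a timer (it is idempotent thanks to `-C`) covers that.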