I would port forward through your router to a VM or other low end machine running wireguard. Then from that machine running wireguard you can point the 0.0.0.0/0 route to your physical router which is hopefully running a wireguard tunnel to your provider.
Important: you will likely need a route from the VPN provider back into your network for your wireguard subnet on your "user" device.
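A sketch of the layout described above, as an added example that is not part of the original post. It assumes a constructed LAN of 192.168.1.0/24 (router 192.168.1.1, VM 192.168.1.10 on `eth0`), a WireGuard subnet of 10.8.0.0/24, UDP port 51820 and placeholder keys, and it reads the "route back" note as a return path for 10.8.0.0/24.

```ini
# ===== File 1: /etc/wireguard/wg0.conf on the VM (all values constructed) =====
[Interface]
# Assumed WireGuard subnet; the VM is .1
Address    = 10.8.0.1/24
# The router forwards this UDP port to 192.168.1.10
ListenPort = 51820
PrivateKey = <VM_PRIVATE_KEY>
# Forward tunnel traffic out the LAN NIC. The VM's own default route
# (0.0.0.0/0 via 192.168.1.1) then hands it to the router's provider tunnel.
PostUp   = sysctl -w net.ipv4.ip_forward=1
PostUp   = iptables -A FORWARD -i %i -o eth0 -j ACCEPT
PostUp   = iptables -A FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o eth0 -j ACCEPT
PostDown = iptables -D FORWARD -i eth0 -o %i -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Return path for 10.8.0.0/24, pick one:
#   a) static route on the router: 10.8.0.0/24 via 192.168.1.10
#   b) hide the subnet behind the VM's LAN address instead:
# PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
PublicKey  = <USER_DEVICE_PUBLIC_KEY>
# Only this source address is accepted from this peer
AllowedIPs = 10.8.0.2/32

# ===== File 2: WireGuard config on the "user" device =====
[Interface]
Address    = 10.8.0.2/32
PrivateKey = <USER_DEVICE_PRIVATE_KEY>

[Peer]
PublicKey  = <VM_PUBLIC_KEY>
Endpoint   = <HOME_PUBLIC_IP>:51820
# Sends all IPv4 traffic into the tunnel; IPv6 is not covered by this entry
AllowedIPs = 0.0.0.0/0
```

Running `wg show` on the VM and `ip route get 1.1.1.1` after bringing the interface up confirms that the peer has completed a handshake and that forwarded traffic leaves via 192.168.1.1.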