4.8.2 upgrade & LAN Access within Different Subnets

So does 192.168.1.0/24 (LAN) require one or two way to 192.168.9.0/24? As it's the guest subnet I assume one way so guest client devices don't have access to your LAN proper.

If you jump into LuCI (GL GUI -> System -> Advanced Settings) & go to its Network -> Firewall you should see a 'zone' where you can define the flow. 'Allow forward from source zones: LAN' should do the trick for one-way traffic from LAN. You'll probably need Masquerading & MSS Clamping too due to the different subnets. DROP, ACCEPT, DROP is more secure than REJECT, ACCEPT, REJECT but the latter is faster to notify downstream clients they can't connect.
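
The zone settings described in the post above, written out as the `/etc/config/firewall` entries that LuCI's firewall page edits. This is an added example, not part of the original post or the router's shipped configuration. The zone and network names `lan` and `guest`, and the choice to put masquerading on the guest zone, are assumptions; the two DHCP/DNS rules are included because an input policy of DROP otherwise stops guest clients from getting a lease or resolving names.

```uci
# /etc/config/firewall fragment (constructed example).
# Assumed names: zone 'lan' (192.168.1.0/24), zone 'guest' (192.168.9.0/24).

config zone
	option name 'guest'
	list network 'guest'
	# Input / Output / Forward = DROP, ACCEPT, DROP
	# input:   traffic from guest clients to the router itself
	# output:  traffic from the router to guest clients
	# forward: traffic between interfaces inside this zone
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	# Masquerading and MSS clamping
	option masq '1'
	option mtu_fix '1'

# "Allow forward from source zones: LAN" on the guest zone.
# LAN hosts may open connections to guest hosts; replies are allowed
# back by connection tracking.
config forwarding
	option src 'lan'
	option dest 'guest'

# There is deliberately no forwarding section with src 'guest' and
# dest 'lan', so connections started from the guest subnet towards
# the LAN are not forwarded.

# With input DROP, guests need explicit access to DHCP and DNS on the router.
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Guest internet access needs its own forwarding from `guest` to the WAN zone, which is not shown here.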


Yeah, you've got a mess to contend with; the v4.8.x series introduced new VPN routing features & a part of that underlying ability is related to the DHCP daemon dnsmasq. Any previous configurations aren't backwards compatible. You're going to have to rebuild your setup from scratch.

Here's a script to help you quickly save 'snapshot' backups while you get it all sorted: