Hold up. natpmpc is available in the OWRT 23.05.x feeds. I don't see why it would be in the default GL.iNet ones. if you can opkg update && opkg install natpmpc that should give you enough to script that while loop required to keep the port open.
If it is not in the GL.iNet we'd have to ping, oh, say, @bruce (Hi, Bruce!) of GL support to ask them to compile version 20230423-xxx (or newer) & add it to their repo.opkg feed,
FOLLOWUP: It's v20150609-3 in the default OWRT v23.05.x feeds. Can GL.iNet backport v20230423-xxx to theirs? v20230423-r1 is available in the default OWRT feeds for SNAPSHOT so it's probably available in OWRT v24.10.
Here, this is a modification of Proton VPN's example to make it more appropriate to run on your device (ie: POSIX-compliant, logging):
#!/bin/sh
# requires natpmpc 20230423-xxx or newer
# 'logread -e proton-vpn' will show any logged errors
# https://protonvpn.com/support/port-forwarding-manual-setup
while true; do
natpmpc -a 1 0 udp 60 -g 10.2.0.1
natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { logger -p notice -t proton-vpn 'error with port forwarding (via natpmpc)' ; break ; }
sleep 45s
done
exit 0
logread -e proton-vpn will show any logged errors.