WireGuard server with LAN access allowed and firewall block on a specific VPN source doesn't work

On the WireGuard server I set it to allow access from the VPN IPs to the LAN, but I need to deny a specific VPN IP access to the router LAN. I added it in the firewall rules, like: IP source 172.22.0.5, forward, deny to any host (also set with the WireGuard area or without the WireGuard area as single IPs), but it doesn't work.

How can I modify the WireGuard server to deny that specific VPN client access to the LAN?

Hmm, in LuCI under Traffic Rules inside the firewall this is possible.

You need to configure it like this:

source zone: wgserver
source ip: 172.22.0.5
destination zone: lan
target: reject

If that doesn't work, check whether the GL UI has maybe generated a rule on top of yours; then just drag your rule above theirs.


Thank you, I already tried that, and the rule is placed first in the chain, without results...

How do you verify the access to lan?

Very complex command: ping to another remote LAN device from the VPN client outside the LAN, obviously... or a Samba mount request or an nmap scan :)

Can you try by setting the protocol to any and see if that helps?
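As an added example (not posted by anyone in this thread), here is the traffic rule from the earlier reply written out as an OpenWrt `/etc/config/firewall` section, with the protocol set to "any" as the last reply suggests. It assumes the zone names `wgserver` and `lan` and the client address 172.22.0.5 from the thread; the rule name is a placeholder. The `proto 'all'` line is the point: a rule created in LuCI defaults to TCP+UDP, so ICMP is not matched and the ping used to test the block still goes through.

```uci
# Added example, not from the thread: deny one WireGuard peer any forwarding into the LAN.
# Rules in /etc/config/firewall are evaluated in file order, so this section must come
# before any accept rule for the wgserver -> lan direction (e.g. one generated by the GL UI).
config rule
	option name 'Block-wg-peer-from-lan'   # placeholder name
	option src 'wgserver'                  # source zone holding the WireGuard interface
	option src_ip '172.22.0.5'             # the single VPN client to block
	option dest 'lan'                      # forwarding into the router LAN
	option proto 'all'                     # ICMP included; 'tcp udp' would let ping through
	option target 'REJECT'                 # REJECT answers the client, DROP would stay silent
```

After `/etc/init.d/firewall restart`, the rule's hit counters show whether traffic from the client is actually matching it: on fw4 (OpenWrt 22.03 and later) with `nft list chain inet fw4 forward_wgserver`, on fw3 with `iptables -L zone_wgserver_forward -v -n`. A zero counter while a ping from 172.22.0.5 succeeds means the packets are being accepted by an earlier rule or by a forwarding entry for the zone, not by this one.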