First, deliberately create a suspicious situation:

To deliberately create an open port on your computer (to see if your testing catches it),
on Linux run "netcat -4 -k -l -v PORTNUM" (IPv4 TCP)
or "netcat -6 -k -l -u -v PORTNUM" (IPv6 UDP)
or similar. Use port number 22 (SSH) or 80 (HTTP) if it should be closed
in your system; that open port should be caught by any tester.
You could log into the administration page of your router and
temporarily enable something bad, such as PnP. Just don't forget to
turn it off again later.
Testing network (mainly router) from WAN side:

Usually you run a browser on your machine, access one of these web sites, and then
the site server tries to get into your home network using your IP address.
Turn off your VPN to use these.
Also, you could set up a machine somewhere on the public internet
to test your network (mainly, router) from the WAN side.
From
StackExchange's "Best way to test my home network from the outside":

If you decide to perform a scan from the Internet you may want to give your ISP a heads-up to avoid any trouble.
I run scans on my home IP from a Linode account [virtual Linux box on a cloud service].
Any VPS that doesn't filter your outbound traffic should
work (just make sure it doesn't violate your TOS).
First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open.
Expect everything else to be "filtered".
Then verify that it is your home router that is performing the filtering and not your ISP.
To do this, open a port on your router and rerun the scan. Expect that the port you have opened is
detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may
be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test
didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.
If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:
- Disconnect the router from your modem. (Where "modem" is whatever device connects from your LAN to your ISP's network.)
- Connect a second computer to the WAN port on the router. Configure this computer with a static IP address that
is independent of the LAN addresses used by your router.
- You may need to turn on a DHCP server on the second computer so that the router's WAN interface gets an IP address as usual.
- Perform the scans described above from the second computer.
Testing router from inside (LAN side):

You run a browser or other app on your machine, and try to
access ports on the LAN side of your router, from across the LAN.
Assuming router's LAN IP address is 192.168.0.1:
These should give 404 or nothing or "unable to connect" or login page:
192.168.0.1/HNAP1
192.168.0.1/cgi-in/config.exp
192.168.0.1/cgi-bin/export_debug_msg.exp
192.168.0.1/cgi/ cgi_status.js
192.168.0.1/ BRS_netgear_success.html
192.168.0.1/ /cgi-bin/;echo$IFS'Vulnerable'
192.168.0.1:32764 (backdoor on some routers)
192.168.0.1:19541
192.168.0.1:8080
192.168.0.1:8443
192.168.0.1:7547 (TR-069 or CPE WAN Management Protocol (CWMP))
192.168.0.1:23 (Telnet)
192.168.0.1:2323 (Telnet)
192.168.0.1:80 (HTTP)
192.168.0.1:443 (HTTP)
192.168.0.1:443 (HTTPS)
If you have nmap:
nmap -F 192.168.0.1
# increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, probe for service version info,
# use default script, do all ports, address 192.168.0.1
nmap -v -A -Pn --open --reason -sV -sC -p 1-65535 192.168.0.1
# increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, do all ports, address 192.168.0.1
sudo nmap -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -p 1-65535 192.168.0.1
If TCP port 139 (netbios-ssn) is open outbound,
that is to allow "NetBIOS services on MS hosts".
Probably best to turn it off, unless you're sure you need it.
If TCP port 445 (microsoft-ds) is open outbound,
that is to allow "direct TCP/IP MS Networking access without the need for a NetBIOS layer".
Probably best to turn it off, unless you're sure you need it.
Port 1900 is PnP; that should not be open.
Android app: "UPnP Tool" by TJ App.
If TCP port 5060 (SIP) is open outbound, probably that is to allow VoIP or video-conferencing, such as Zoom.
Probably okay in the outbound direction ?
For other open ports, do internet searches to find out what they're used for.
Depending on open ports, you could try:
ftp -v 192.168.0.1
ssh -v admin@192.168.0.1
ssh -v root@192.168.0.1
ssh -v Root@192.168.0.1
telnet 192.168.0.1
If test from LAN side gives suspicious results, go to previous
section and investigate from WAN side.
Testing IPv6 from LAN side

Your PC's IPv6 localhost address:
[::1]
Same address written fully:
[0000:0000:0000:0000:0000:0000:0000:0001]
Real IPv6 address on public internet:
[2600::] (Sprint)
There is no standard IPv6 LAN address for the router, equivalent to 192.168.0.1 in IPv4.
IPv6 addresses on your LAN are used on the WAN too, so your
router's IPv6 address has to be assigned by your ISP.
IPv6 addresses starting with FC00 or FD00 are LAN-only.
Depending on your /etc/hosts file, IPv6 names may include: ip6-localhost, ip6-loopback, ip6-allnodes,
ip6-allrouters, or similar starting with "ipv6-" instead of "ip6-".
Try "ping6" to them.
If you have nmap:
# not sure these are right, I have IPv6 disabled so I can't test them !
# IPv6, increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, no DNS resolution, probe for service version info,
# use default script, do all ports, address ::1
nmap -6 -v -A -Pn --open --reason -n -sV -sC -p 1-65535 ::1
# IPv6, increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, no DNS resolution, do all ports, address ::1
sudo nmap -6 -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -n -p 1-65535 ::1
Android apps to test network (clients and router) from LAN side:

You run one of these apps on your smartphone, and use it to scan your LAN for
vulnerable machines or open ports.
PC applications to test network (clients and router) from LAN side:

You run one of these apps on your PC, and use it to scan your LAN for
vulnerable machines or open ports.
PC applications to beat on a single device (client or router):

You run one of these apps on your PC, and give it the LAN IP address of
a single machine you want to attack.
Browser to test a single device:
Testing webcam / security camera from inside (LAN side)
Testing networked printer from inside (LAN side)

Assuming printer's LAN IP address is 192.168.0.100:
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But
they shouldn't be exposed on the WAN side.
If test from LAN side gives suspicious results, investigate from WAN side.
Lee Munson's "Penetration testing for the home computer user"
TechIncidents' "Penetration Testing Checklist with Android, windows, Apple & Blackberry Phones"
Online Tech Tips' "How to Scan Your Network for Devices and Open Ports"
SpiceWork's thread "How can I pen test my own network?" (more about business networks)
Router Security's "Test Your Router" (also cameras, printers, etc)
Paul Wagenseil's "Your Router's Security Stinks: Here's How to Fix It"