Increase the attack surface compared to what? If you don't allow/enable any access to services inside your network from outside, then by definition you have fewer attack surfaces than if you add a VPN to that empty list.
So trivially the answer is "yes, it adds an attack surface".
But what are the alternatives? If you directly expose each individual service on a dedicated port, for example, then you'd add many more (and usually less well hardened) attack surfaces instead.
So if the comparison is "expose 5 web-based services directly" vs. "expose one VPN like wireguard", then the second option is almost always the clear winner when it comes to security (and frequently also when it comes to ease of setup as well as comfort).