/ip firewall nat add action=dst-nat chain=dstnat dst-port=1080 in-interface=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=1080
Then it all depends on whether your server needs to know ip addresses from which it connects or not, if not, then you need to masquerade traffic that is directed to the address 192.168.20.10 and port 1080
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.20.10 dst-port= 1080 protocol=tcp src-address=!192.168.10.0/24
Then packets to the web server will arrive with the interface address R-01, which looks towards R-02.
If you need to save the source address, then you don’t need to masquerade the traffic, and on R-02 you need to mark the traffic that came from the interface of the viewer to the vpn tunnel, heading to 192.168.20.10 and then return it not through the default gateway, but to the tunnel.