VPN

How to forward ports for RDP through an external L2TP/IPsec VPN server or directly?

Good afternoon comrades, I ask for help.
At the moment there is the following Mikrotik configuration:

The network looks like this:
Internet with a static (white) IP address from the provider: 1.1.1.10 (gateway 1.1.1.1)
Mikrotik IP address: 192.168.1.1;
Local network: 192.168.1.0/24;
L2TP / IPsec-VPN is up, Mikrotik connects as a client and receives the address: 192.168.12.10, gateway 192.168.12.1;
The VPN settings say Add Default Route.
It is configured in such a way that users from the local network access the Internet only through VPN. If the VPN connection is broken for some reason, then users do not go online at all. The following rules are responsible for this implementation:

add action=drop chain=forward comment="Deny access to internet without VPN" out-interface=wan1 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow access to internet over VPN" out-interface=l2tp-vpn src-address=192.168.1.0/24

add action=masquerade chain=srcnat comment="Send packets through VPN to internet" out-interface=l2tp-vpn

There is a need to forward ports for external access to several PCs from the local network to connect via RDP. I fought for 4 hours, nothing happens, I'm weak in the networks, sorry.
At first I wanted to make it so that all users from the local network accessed the Internet ONLY through VPN, but at the same time it was possible to connect via RDP through the provider's static address (1.1.1.10). It didn’t work, I don’t know if it’s possible to do this at all in such a situation. Went the other way.
I decided to forward traffic from the server where the VPN is installed to computers from the local network. That is, by specifying the static IP address of the VPN server in the connection settings, you can get to the machine via RDP. Did not work out.
Of course, I would like to forward directly through IP from the provider, but I have no idea how to organize the rules of the firewall / nat'a / mangle.
If you connect through a VPN server, then the packet path looks like this:
| vpn server external ip (ens16 interface, 2.2.2.2) | --> | l2tp gateway (ppp0, 192.168.12.1) | --> | ip mikrotik from vpn (192.168.12.10) | --> and then further either through the Mikrotik itself (192.168.1.1), or directly to the machine with RDP (192.168.1.43).
Also, on the VPN server I tried to add a route to see machines directly from the local network:

ip route add 192.168.1.0/24 via 192.168.12.1 dev ppp0

and another rule for setting up NAT on Mikrotik for icmp masquerading (for testing) - pings went, tried to forward ports in a different/similar way - it didn't work.
As a young specialist, I beg your help, what rules should be specified and how to organize?