add chain=forward action=accept protocol=tcp dst-port 3389 in-interface=VPN comment="Allow RDP via VPN"
If you don't mind a suggestion... take some time to review the basic firewall documentation in the wiki. Also search for various firewall scripts out there.
IMO, firewalls are typically used to protect a LAN from the WAN while treading lightly on user-originated activities. From your posts, it would appear that you're wanting to place some severe restrictions on what users can do, which is fine, but is often much more difficult to implement.
A closed firewall (default drop) looks something like this:
1) drop invalid connections
2) allow established connections
3) allow related connections
4) drop undesirable connections (that might otherwise be allowed in #5)
5) allow the good stuff (tcp/53, udp/53, http/80, https/443, pop3/110, smtp/25, etc...)
6) drop everything else (final rule)
When you want to allow certain traffic, but only from certain sources, use the source:
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN
add chain=forward action=accept protocol=tcp dst-port=3389 src-address=go.od.add.res/32
So, your prototype firewall to restrict users as much as possible might look like this:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept comment="allow already established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN comment="allow DNS"
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN comment="allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN comment="allow HTTPS"
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN comment="allow RDP via VPN"
add chain=forward action=drop comment="drop everything else"
Please review the wiki firewall article; it explains a lot. If you're impatient (like me), use this code as a start and move on from there, but don't expect too much help beyond the absolute basics.
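A simplified model of the first-match ordering in the prototype ruleset above, added here as an illustration and not part of the original post: it parses the rules and evaluates a few constructed packets against them in order. The `parse`, `packet` and `verdict` helpers are hypothetical names, matching is exact string comparison only, and an unmatched packet passing is an assumption of the model.

```python
import shlex

# The post's prototype forward chain (comments omitted for brevity).
RULES = """
add chain=forward protocol=tcp connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward action=accept protocol=tcp dst-port=53 in-interface=LAN
add chain=forward action=accept protocol=udp dst-port=53 in-interface=LAN
add chain=forward action=accept protocol=tcp dst-port=80 in-interface=LAN
add chain=forward action=accept protocol=tcp dst-port=443 in-interface=LAN
add chain=forward action=accept protocol=tcp dst-port=3389 in-interface=VPN
add chain=forward action=drop
"""

def parse(text):
    """Turn 'add key=value ...' lines into dicts; reject any token lacking '='."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)[1:]  # drop the leading 'add'
        bad = [t for t in tokens if "=" not in t]
        if bad:
            raise ValueError(f"token without '=': {bad[0]!r} in {line!r}")
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def packet(state, proto, port, iface):
    """Constructed packet, described with the same keys the rules match on."""
    return {"chain": "forward", "connection-state": state, "protocol": proto,
            "dst-port": port, "in-interface": iface}

def verdict(rules, pkt):
    """Return (action, rule number) of the first rule whose matchers all fit."""
    for n, rule in enumerate(rules, 1):
        matchers = {k: v for k, v in rule.items() if k not in ("action", "comment")}
        if all(pkt.get(k) == v for k, v in matchers.items()):
            return rule["action"], n
    return "accept", 0  # model assumption: an unmatched packet passes

if __name__ == "__main__":
    rules = parse(RULES)
    for p in [packet("invalid", "tcp", "80", "LAN"),
              packet("established", "tcp", "3389", "LAN"),
              packet("new", "tcp", "443", "LAN"),
              packet("new", "tcp", "3389", "VPN"),
              packet("new", "tcp", "3389", "LAN")]:
        print(p["connection-state"], p["protocol"], p["dst-port"],
              p["in-interface"], "->", verdict(rules, p))
```

Evaluating the same packets against `rules[:-1]` shows what the final drop rule is for: in the model, new RDP from the LAN then matches nothing and passes.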