Ubuntu 16.04 router VPN and rdp

Question

I have been running my own home-brew router for a number of years. My ISP provided equipment running in bridge mode so my own router just connects to their gateway using a public static IP. I also use a VPN service. Everything works fine, but I'm trying to add something new where I have a windows machine on the LAN through another router. The LAN is the typical 192.168.0.0/24 network address. I can easily rdp to it from any machine on this network. What I want to do which is new, is I want to rdp in remotely from the internet using the static ip of my router, lets say it is 24.109.2.1 for argument's sake. Even though the VPN is still up and running when I do this, it doesn't seem to be interfering because tcpdump shows this when I attempt a connection:

10:48:47.655403 IP REMOTE_IP.56432 > 24.109.2.1.3389: Flags [S], seq 4099036643, win 8192, options [mss 1380,nop,nop,sackOK], length 0

I've spent a few days scouring the internet for solutions, but nothing I've tried works so it seems there is no point in regurgitating all these failed attempts. Rather, I'll provide my current iptables and just ask what rule(s) need to be added to get this working. my interfaces area as follows:

tun0 is the VPN tunnel enp1s0 is the ethernet interface to the WAN and it's ip number is 24.109.2.1 enp2s0 is the ethernet interface to the LAN and it's ip number is 192.168.0.1

The tcpdump command I used to show the arrival of my rdp attempt was:

tcpdump -N -i any "port 3389"

Here is the iptables contents:

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i enp1s0 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp1s0 -o enp2s0 -j REJECT --reject-with icmp-port-unreachable
*mangle
*nat
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE

When the VPN is turned off (which I can't really do anymore since there is live equipment running 24/7 that needs to run anonymously) the tun0 rule is replaced with this rule:

-A POSTROUTING -o enp1s0 -j MASQUERADE

but this rule is absent when the VPN is running.

I am told that when this is sorted out, tcpdump will not only show the incoming rdp attempt, but will also show the modified packet rewritten for the destination machine, 192.168.0.130 ... I have not seen anything other than the incoming rdp attempt with ANYTHING that I've tried.

NOTE: I have flushed all my attempts out of iptables and shown above only the working table that I am starting with since nothing came close to working so far. It is best not to bias the answers to my question by including attempts that did not work - I want to start fresh.

Note also that I've removed the REAL remote ip above and replaced it with REMOTE_IP and have altered the real last two octets of the static ip to just .2.1 for security.

Can someone give me something to try and I'll do it and report back with the results? Thanks in advance.

-gt-