port forward only for vpn clients on draytek vpn router

I have a VPN server set up on a vigor 2865. I now want to allow one external ip address, or anyone connected to this vpn, access to a website on an internal server. This website uses a public dns name to resolve to my public ip address. e.g. mysite.mycompany.com

If I port forward 80/443 to the internal server then anyone can access the site. This works fine.

If I add a firewall rule to only allow access to the external ip address then this also works fine.

I thought I could just change the firewall rule to allow the public ip of the vpn/router to give access to vpn clients but this does not work. If I go to https://www.whatismyip.com/, my ip does change when connected to the vpn but the firewall does not let this ip address through despite being configured to do so.

If I set the firewall to use my home ip address then it works but I do not want to configure the private ip addresses of all employees to grant access.

How do I configure the firewall / port forwarding to allow vpn clients only?