How to restrict a forwarding rule to LAN and OpenVPN only?

Firewall: how to restrict a forwarding rule to LAN and OpenVPN only?

I have domoticz running on a host behind OpenWrt.
Now I have a port forward rule that allows forwarding "FROM any host, in any zone, to domoticz-host, domoticz-portnumber in lan".
This enables me to access domoticz from my LAN and when I am connected via OpenVPN.

I configured openVPN as follows:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
compress lzo
dev tun0
#listen to this interface only; not all interfaces; otherwise it interferes with Luci which listens to
dh /etc/openvpn/dh2048.pem
ifconfig-pool-persist /tmp/ipp.txt
keepalive 10 120
key /etc/openvpn/server.key
port 443
proto tcp
#push setting to client; to route all traffic through VPN tunnel
push "redirect-gateway def1"
#Enable packet forwarding on vpn host
#By default in most distributions the packet forwarding is disabled, hence packets from the tunnel interface never make it to the public interface. 
#You must enable forwarding with:
# sysctl net.ipv4.ip_forward=1
status /tmp/openvpn-status.log
user nobody
verb 3

I can access domoticz when I am connected from the public internet via OpenVPN, but only when the above-mentioned firewall forward rule accepts input from ANY ZONE, which is probably too wide.

How can I allow access to my domoticz only from the LAN or when I am connected via OpenVPN, without accepting input from ANY ZONE?
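The usual way to do this on OpenWrt is to stop using "any zone" as the source and instead give the tunnel interface its own firewall zone, then write a traffic rule that allows only that zone to reach the one host and port. The fragment below is an added illustration of that, not the poster's configuration; it assumes the LAN zone is named lan, that OpenVPN runs on tun0 as in the config above, and uses 192.168.1.10 and TCP 8080 as placeholder values for the Domoticz host and port.

```uci
# /etc/config/firewall (fragment) -- added illustration, not the poster's config.
# Assumptions: LAN zone is named 'lan', OpenVPN uses interface tun0,
# Domoticz host is 192.168.1.10 listening on TCP 8080 (placeholders).

# BEFORE: the over-broad rule the question describes. src '*' means
# "any zone", so hosts in the wan zone can reach Domoticz as well.
config rule
	option name 'Domoticz-from-anywhere'
	option src '*'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '8080'
	option proto 'tcp'
	option target 'ACCEPT'

# AFTER: a dedicated zone for the tunnel. No 'config forwarding' from
# vpn to lan is defined, so by default VPN clients reach nothing on the LAN.
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Allow exactly one destination host/port from the vpn zone; replaces the
# rule above, which should be deleted.
config rule
	option name 'Domoticz-from-VPN'
	option src 'vpn'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '8080'
	option proto 'tcp'
	option target 'ACCEPT'
```

No separate rule is needed for LAN clients: traffic between two hosts in the same LAN segment never crosses the router's forwarding chain, so it is not affected by zone rules. Apply the change with /etc/init.d/firewall restart and verify from a VPN client that the Domoticz port answers while another LAN host's ports do not. Since the server pushes redirect-gateway def1, VPN clients will also need a vpn-to-wan forwarding entry for general internet access; that is a separate decision and deliberately left out above.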