Mikrotik, third-party openvpn, not pings going between the network openvpn and LAN. How to configure firewall?

Please help with setting up firewall in Mikrotik. Network configuration is the following:
Mikrotik LAN IP is Is a gateway for the local network.
There is a separate OpenVPN server on Ubuntu (with routing enabled), the url

OpenVPN is configured in L3 mode, the subnet Also, Microtime prescribed route in the network via (so LAN clients can access the OpenVPN clients). On the OpenVPN server as the gateway is
Yet, on Mikrotik made DST-NAT, to the Internet clients can access the OpenVPN server and through it to get to the main LAN.
When configuring the firewall rules drop invalid connections in the forward chain, clients can't reach local LAN resources, pings don't go c OpenVPN clients . However, from LAN, pings reach OpenVPN clients. If you disable the rule with the invalid, then OpenVPN clinent start to ping LAN resources. Please help or at least to indicate in which direction to go to establish proper two-way communication between OpenVPN clients and LAN. Also, it is not clear why the traffic is invalid.
June 7th 19 at 14:26
2 answers
June 7th 19 at 14:28
Show yse of pravila firewall filter
June 7th 19 at 14:30
Here are the current rules:

add action=drop chain=input comment="Drop echo request" icmp-options=8:0 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow remote WinBox access from WAN" dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed"connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Find more questions by tags MikrotikOpenVPNPingFirewall