RouterOS can’t know which config is added by you, which added by rogue user, so either you check the config by hand or clear all of it. RouterOS can remove tools and scripts and such
/user set admin allowed-addresses=address_list instead of IPs, for example I have an address list that already contains same IPs that are in allowed addresses.example please.
If something is on the Wiki it doesn't mean it's the word of God and no one can say that there are better ways.Not sure about proxy-arp, a MK Trainer said to me during MTCNA course to not use it with VPNs, so I found another way.
It is recommended on the wiki, however.