Strange traffic coming through the VPN


I had some traffic coming from the VPN service, and it appears to be traffic that was destined for the previous users of that VPN service. I use connection marking for the VPN, so if a connection is not marked I drop that connection on chain input in Filters destined for my local VPN address.

Besides the traffic not having listening ports on my side, it cannot be marked for routing because of the missing connection mark. However, if it managed to go out through the public internet connection it would leak my real IP. You have to adapt 172.10.0.0/16 to your own VPN setting. Look in /IP ADDRESSES for that bit of information.

/ip firewall filter
add action=drop chain=input comment="VPN intruders" connection-mark=no-mark dst-address=172.10.10.0/24 log=yes log-prefix="VPN intruder"
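
Added example (not part of the original post): a small Python script that summarises the entries this rule writes with log-prefix "VPN intruder", so you can see which sources and ports the stray traffic targets. The log line layout, the interface name vpn-out1 and the sample lines are assumptions constructed for illustration; adjust the pattern to what your router actually logs.

```python
import ipaddress
import re
from collections import Counter

PREFIX = "VPN intruder"                           # log-prefix set by the rule
VPN_NET = ipaddress.ip_network("172.10.10.0/24")  # dst-address set by the rule

# Assumed log layout (TCP/UDP only; entries without ports, e.g. ICMP, are skipped):
# <prefix> input: in:<if> out:<if>, proto <P> [(flags)], <src>:<sp>-><dst>:<dp>, len <n>
LINE_RE = re.compile(
    re.escape(PREFIX) + r" input: in:(?P<iface>\S+) .*?proto (?P<proto>\w+)[^,]*, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len \d+"
)

# Constructed sample log lines (documentation addresses, not real captures).
SAMPLE_LOG = """\
12:01:07 firewall,info VPN intruder input: in:vpn-out1 out:(unknown 0), proto TCP (SYN), 198.51.100.23:51544->172.10.10.2:6881, len 60
12:01:09 firewall,info VPN intruder input: in:vpn-out1 out:(unknown 0), proto UDP, 203.0.113.77:40112->172.10.10.2:6881, len 131
12:01:15 firewall,info VPN intruder input: in:vpn-out1 out:(unknown 0), proto TCP (SYN), 198.51.100.23:51550->172.10.10.2:6881, len 60
12:02:00 firewall,info dropped forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.10:50000->203.0.113.5:443, len 52
12:02:31 system,info,account user admin logged in from 192.168.88.10 via winbox
""".splitlines()


def parse_line(line):
    """Return the fields of one drop entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    if m is None or ipaddress.ip_address(m["dst"]) not in VPN_NET:
        return None
    return {"iface": m["iface"], "proto": m["proto"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def summarise(lines):
    """Count dropped connections per source and per (protocol, dst port)."""
    by_source, by_service = Counter(), Counter()
    for entry in filter(None, map(parse_line, lines)):
        by_source[entry["src"]] += 1
        by_service[(entry["proto"], entry["dport"])] += 1
    return by_source, by_service


if __name__ == "__main__":
    sources, services = summarise(SAMPLE_LOG)
    for src, n in sources.most_common():
        print(f"{src:<16} {n} dropped")
    for (proto, port), n in services.most_common():
        print(f"{proto}/{port:<6} {n} dropped")
```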