On one of my bigger networks I have a dedicated management VLAN. RouterOS is firewalled on every interface except this VLAN, so it only performs routing. I have a Linux box on the management network running WireGuard that allows me to remote in; I trust WireGuard far more than any of the RouterOS VPN services. All switches, access points, etc. all have their main IP on the management network. One other benefit of a dedicated management network is that I can block all WAN access; this helps prevent devices phoning home when they shouldn't be and any potential exploits from being downloaded or propagated. When I need to update a device, it's only a few clicks to re-allow WAN access for updates etc.
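A sketch of the firewall layout described in the post above, added here as an example and not the poster's actual configuration. The interface name `vlan-mgmt`, the uplink `ether1`, the `WAN` interface list and the rule comments are assumptions.

```routeros
# Constructed example: vlan-mgmt, ether1 and the WAN list are assumed names.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall filter
# Input chain: only the management VLAN may talk to the router itself.
add chain=input action=accept connection-state=established,related \
    comment="input: replies to router-originated traffic"
add chain=input action=accept in-interface=vlan-mgmt \
    comment="input: management VLAN"
add chain=input action=drop comment="input: drop everything else"

# Forward chain: keep replies for connections that other rules already
# allowed (for example an inbound forward to the WireGuard host, if one
# exists), then stop management devices from opening connections to the WAN.
add chain=forward action=accept connection-state=established,related \
    comment="forward: established/related"
add chain=forward action=drop in-interface=vlan-mgmt out-interface-list=WAN \
    comment="mgmt-block-wan"

# Update window, run as two separate steps:
# 1) lift the block before updating devices
/ip firewall filter disable [find comment="mgmt-block-wan"]
# 2) restore the block once updates are done
/ip firewall filter enable [find comment="mgmt-block-wan"]
```

If the router also serves DHCP or DNS to other VLANs, those services need explicit accept rules ahead of the final input drop.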
Thanks @R1CH. I too have had frustrations with the built-in VPN servers. I will check out WireGuard. I wish there was proper OVPN support -
I appreciate the response.