How are you assigning IP Address to the VPN Client. That is, how is your vpn pool of ip addresses configured. One quick way to deny telnet access is to configure an ACL only for your internal network to access the router via telnet.
If 192.168.1.0/24 is your internal network, then:
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
access-class 1 in
This will allow only users from 192.168.1.x/24 to access the router via line vty 0 4.
The above is also a best practice because it is an additional layer of security of which network had access to the router.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...