I'm surprised your ISP allows incoming connections to the VPN. Most want their customers to be consumers only, not producers. Often you need to buy an added package that gets you a static IP address and they set their routers to allow incoming connections to it. If they're allowing it now, they may not once they notice it or remodel their network. I'd also be surprised that an ISP is using publicly routable addresses for their customers... every ISP and corporate network I have seen in the last 15 years uses unroutable IP addrs internally.
Attackers (or rather their bots) regularly scan ISPs' network spaces for open ports used by common remote access software. Then the bots try password after password until they get in. I've done forensics on a number of successful attacks done this way. A password that you can remember isn't good enough. A short random password isn't either.
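
The password-guessing pattern described above, seen from the defender's side, as an added example that is not part of the original post. It assumes OpenSSH-style `sshd` log lines with ISO timestamps (the post names no specific product); the sample lines, the `analyze` function and its thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges), not taken from the post.
SAMPLE_LOG = """\
2024-05-01T03:10:00 gw sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-05-01T03:10:04 gw sshd[812]: Failed password for root from 203.0.113.5 port 40002 ssh2
2024-05-01T03:10:07 gw sshd[813]: Failed password for backup from 203.0.113.5 port 40003 ssh2
2024-05-01T03:10:09 gw sshd[814]: Failed password for backup from 203.0.113.5 port 40004 ssh2
2024-05-01T03:10:12 gw sshd[815]: Failed password for backup from 203.0.113.5 port 40005 ssh2
2024-05-01T03:10:15 gw sshd[816]: Accepted password for backup from 203.0.113.5 port 40006 ssh2
2024-05-01T08:30:00 gw sshd[900]: Failed password for alice from 198.51.100.7 port 51000 ssh2
2024-05-01T08:30:20 gw sshd[901]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (burst_ips, logins_after_burst).

    burst_ips: sources with >= threshold failed logins inside one window.
    logins_after_burst: (ip, user) for logins accepted from a flagged source,
    i.e. the guessing probably worked and the account needs investigation.
    """
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    burst_ips, logins_after_burst = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated log line
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                burst_ips.add(ip)
        elif ip in burst_ips:             # success from a source already flagged
            logins_after_burst.append((ip, m["user"]))
    return burst_ips, logins_after_burst

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped password followed by a success (the `alice` lines) is not flagged; only the burst from one source followed by an accepted login is.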