Expose a VPN endpoint on non standard port and keep everything else internal if you can.
If you want things to be even nicer create a seperate vlan for your internal services or just firewall rules from your VPN to the needed ports on your services.
If you are even more paranoid send an email notification everytime the VPN server has a new connection or keep a default account/password on your services with 0 permissions and monitor when some dumbass logs in with it.
Little scripting and you can automatically kill the connection when your VPN has been compromised.
You can also disable the exposed VPN whenever you are detected “home”. You can go crazy with the ideas if you have too much free time on your hands!
Expose a VPN endpoint on non standard port and keep everything else internal if you can. If you want things to be even nicer create a seperate vlan for your internal services or just firewall rules from your VPN to the needed ports on your services.
If you are even more paranoid send an email notification everytime the VPN server has a new connection or keep a default account/password on your services with 0 permissions and monitor when some dumbass logs in with it. Little scripting and you can automatically kill the connection when your VPN has been compromised. You can also disable the exposed VPN whenever you are detected “home”. You can go crazy with the ideas if you have too much free time on your hands!