by detaro 3361 days ago
Just to make sure I understand your reasoning right: VPN + SSH is better than just an SSH jump host because if someone finds a critical bug in OpenSSH, they still have to break the VPN, and vice-versa, someone breaking into your VPN still needs to also break SSH?

That, and the use of unique per-device public/private X.509 PKI key pairs per client for connection to the VPN. A typical person might have 3 sets of keys:

a) laptop
b) home office desktop
c) Android or iOS device (phone/tablet)

Then, of course, once connected to the VPN, to authenticate to SSH the person will probably be using their per-person SSH public/private key pair from their workstation.

So we have the ability to revoke an individual client device's VPN keys separately. In the event of a total compromise we can revoke both the VPN keys for the device(s) and the person's SSH key.
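One way to get the per-device revocation described above, as an added example that is not from the thread: a throwaway OpenSSL CA issues one client cert per device for a hypothetical user "alice", revokes only the laptop's cert, and re-checks every device against the CRL the way an OpenVPN server configured with `crl-verify` would. It assumes the `openssl` command is installed; all names and paths are made up.

```shell
# Added example: per-device VPN client certs with single-device revocation.
# Requires the openssl CLI (1.1.1 or newer for -addext); everything is throwaway.
set -e
CA="openssl ca -batch -config ca/openssl.cnf"
setup_ca() {  # CA layout and minimal config that `openssl ca` expects
  mkdir -p ca/newcerts; : > ca/index.txt; echo 1000 > ca/serial
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca/ca.key -out ca/ca.crt \
    -subj "/CN=demo-vpn-ca" -config ca/openssl.cnf -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
  $CA -gencrl -out ca/crl.pem 2>/dev/null   # empty CRL so checks work before any revocation
}
issue() {  # $1 = device name; the CN ties each cert to one person AND one device
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=alice-$1" -config ca/openssl.cnf 2>/dev/null
  $CA -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}
revoke() {  # revoke one device's cert and publish a fresh CRL for the VPN server
  $CA -revoke "$1.crt" 2>/dev/null; $CA -gencrl -out ca/crl.pem 2>/dev/null
}
vpn_accepts() {  # exit 0 if the device's cert is CA-signed and not on the CRL
  cat ca/ca.crt ca/crl.pem > ca/trust.pem && openssl verify -crl_check -CAfile ca/trust.pem "$1.crt" >/dev/null 2>&1
}
demo() {  # exit 0 only if revoking the laptop locked out the laptop and nothing else
  cd "$(mktemp -d)" && setup_ca
  issue laptop; issue desktop; issue phone
  vpn_accepts laptop || return 1
  revoke laptop                       # stolen laptop: only its VPN cert goes
  vpn_accepts laptop && return 1      # must now be rejected
  vpn_accepts desktop && vpn_accepts phone   # the person's other devices still connect
}
```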

Don't people normally have per-device SSH keys as well? I basically never copy them between devices... But I guess that could be harder to manage if you have tons of devices you might SSH into, especially if they are not all centrally managed servers.