[dvdkon]

How about making ssh as secure as (or more secure than) the VPN you'd put it behind? Considering the amount of vulnerabilities in corporate VPNs, I'd even put my money on OpenSSH today.

It's not like this is SSH's fault anyway, a supply chain attack could just as well backdoor some Fortinet appliance.

[versteegen]

Defence in depth. Which of your layers is "more secure" isn't important if none are "perfectly secure", so having an extra (independent) layer such as a VPN is a very good idea.

[dvdkon]

You have to decide when to stop stacking, otherwise you'd end up gating access behind multiple VPNs (and actually increasing your susceptibility to hypothetical supply-chain attacks that directly include a RAT).

I'd stop at SSH, since I don't see a conceptual difference to how a VPN handles security (unless you also need to internally expose other ports).

[formerly_proven]

Honestly the only VPN I'd rank above ssh in terms of internet-worthiness is WireGuard.