1 month ago
I set the VPN tunnel from the VPS to deny everything to the internal network by default, then put the services that need to be accessed on the allow list in the firewall. So the VPN endpoint from the VPS can only hit the very specific IPs/ports/protocols that were explicitly allowed. There is still the possibility of a compromise chain of VPS->service->container/VM->hypervisor->internal network access, but I feel comfortable with those layers.
You could also set up an IDS such as Snort to pick up on that exploit traffic between the services and the internal VPN endpoint if extra security is necessary on top of fail2ban and log alerts on the VPS.
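The default-deny-plus-allow-list layout described in the comment above, written out as an nftables ruleset generator. This is an added example, not the commenter's own configuration: it assumes the internal gateway terminates the tunnel on an interface named wg0, that the LAN sits behind eth0 on 10.0.0.0/24, and the three allowed service tuples are constructed for illustration. Everything arriving from the tunnel that is not on the list is logged and dropped, which is what fail2ban or a log alert on the gateway would key on.

```shell
#!/bin/sh
# Added example (not from the original comment): emit an nftables ruleset that
# forwards traffic from the VPS tunnel into the LAN only for an explicit
# allow list of proto/ip/port tuples, and drops (with a log line) everything else.
# Interface names, subnet and the allow list below are assumptions.
VPN_IF="${VPN_IF:-wg0}"             # assumption: tunnel interface toward the VPS
LAN_IF="${LAN_IF:-eth0}"            # assumption: internal network interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # assumption: internal subnet

# Constructed allow list: one "proto dst_ip dst_port" tuple per line.
ALLOW_LIST="tcp 10.0.0.10 443
tcp 10.0.0.11 8096
udp 10.0.0.12 53"

# Print a complete ruleset suitable for `nft -f -`.
gen_ruleset() {
    echo "table inet vpn_filter {"
    echo "  chain forward {"
    # Default deny: nothing crosses this box unless a rule below accepts it.
    echo "    type filter hook forward priority 0; policy drop;"
    # Return traffic for connections that were already allowed.
    echo "    ct state established,related accept"
    # One accept rule per allowed tuple; only NEW connections from the tunnel
    # toward that exact LAN host/port/protocol get through.
    printf '%s\n' "$ALLOW_LIST" | while read -r proto ip port; do
        [ -n "$proto" ] || continue
        echo "    iifname \"$VPN_IF\" oifname \"$LAN_IF\" ip daddr $ip $proto dport $port ct state new accept"
    done
    # Anything else coming out of the tunnel is logged (for fail2ban / alerting)
    # and dropped explicitly, so the denials are visible rather than silent.
    echo "    iifname \"$VPN_IF\" oifname \"$LAN_IF\" ip daddr $LAN_NET log prefix \"vpn_denied: \" counter drop"
    echo "  }"
    echo "}"
}

# Dry-run the generated ruleset through nft when it is installed (needs root).
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    gen_ruleset | nft -c -f -
}

# Usage: sh vpn_allowlist.sh > /etc/nftables.d/vpn_filter.nft && nft -f /etc/nftables.d/vpn_filter.nft
gen_ruleset
```

Adding a service means adding one tuple line and regenerating; there is no path for the VPS side to reach a LAN host that is not listed, and the `vpn_denied:` log prefix gives the Snort or log-alert layer mentioned above something concrete to watch for.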
Will certainly be a bummer if they do go under, I really appreciated their serviceability. Have several in the immediate family that have been going for over 7 years at this point through all kinds of calamities. Each time I can just pop out all the components, clean/replace them as necessary, and get it back in service, good as new.