You could use WireGuard wg-easy as a VPN solution for the VPS.
To restrict access to cluster admin, check out "How do I prevent the administration page from being accessible from the Internet? - #2 by davidep". You may need to add the VPN network to the MyTrustedNetworks.
You could use CrowdSec to protect your server and get notifications on attacks.