If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.
If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.
Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.
If the servers have public IPs and you want the minimum possible ports open, just SSH? With passwords disabled and large keys, it’s quite secure.
If that’s still not enough for you or you need a private gateway, then Wireguard. I can strongly recommend Tailscale - It’s really an orchestration layer on top of Wireguard. You can setup your own Derp relays and head scale if you are truly paranoid. But 99.9% you don’t need all that and Tailscale out of the box will work well.
Also Tailscale isn’t a single point of failure the way you’re imagining. It’s certainly possible for Tailscale’s servers to go down, but that won’t drop existing connections.