Trace Route. The *NIX equivalent command is traceroute, Windows shortened it to tracert.
Any chance you are using a Thunderbolt device such as a network adapter or external drives? I had the issue on a NUC 10 where it would randomly drop the TB devices every few weeks and occasionally appear to be frozen. The latest firmware update finally took care of it.
I set the VPN tunnel from the VPS to deny everything to the internal network by default, then put the services that need to be accessed on the allow list in the firewall. So the VPN endpoint from the VPS can only hit the very specific IPs/ports/protocols that were explicitly allowed. There is still the possibility of a compromise chain of VPS->service->container/VM->hypervisor->internal network access, but I feel comfortable with those layers.
You could also set up an IDS such as Snort to pick up on that exploit traffic between the services and internal VPN endpoint if extra security is necessary on top of fail2ban and log alerts on the VPS.
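One way to express the default-deny tunnel policy described in the comment above, written as an nftables ruleset. This is an added example, not the commenter's configuration; the use of nftables, the interface name `wg0`, and every address and port are assumptions.

```nftables
# Added example with constructed values, not the poster's firewall.
# Assumptions: wg0 is the tunnel interface facing the VPS, 10.0.10.0/24 is
# the internal network, and the hosts and ports below are placeholders.
table inet vps_tunnel {
    # Allow list: the only internal address/port pairs the VPS may open.
    set allowed_tcp {
        type ipv4_addr . inet_service
        elements = { 10.0.10.20 . 443, 10.0.10.21 . 8443 }
    }
    set allowed_udp {
        type ipv4_addr . inet_service
        elements = { 10.0.10.22 . 53 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only traffic arriving from the tunnel is subject to this policy.
        iifname "wg0" jump from_vps
    }

    chain from_vps {
        # Replies to connections that internal hosts opened toward the VPS.
        ct state established,related accept
        ct state invalid drop

        # New connections must match an allow-list entry exactly.
        ip daddr . tcp dport @allowed_tcp ct state new accept
        ip daddr . udp dport @allowed_udp ct state new accept

        # Default deny: everything else from the VPS, including all IPv6
        # and ICMP, is logged (rate limited) and dropped. The log prefix
        # gives log alerting something to match on.
        limit rate 10/minute log prefix "vps-tunnel-deny: "
        drop
    }
}
```

A denied packet from the tunnel means the VPS attempted something outside the allow list, so the `vps-tunnel-deny:` log lines are worth alerting on rather than only collecting.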