The relatively benign legacy kernel level pointer-bug CVE chosen is hardly the worst thing from WireGuard or strongSwan over the years. However, it makes the point a priority reliable network side-channel administrative login is more robust under some use-cases.

Adding layers of complexity rarely improves security, and doesn't usually address the underlying issue of accountability. And I often ponder if a bastion host is even still meaningful in modern clouds. =3