The exception here would be ESP32 devices. These have been some of the most reliable devices in my home and the most versatile, no Internet access required. Zigbee works well, but runs in the same frequency space as wifi and Bluetooth. Matter and thread are the new hotness and run in that space too. They all work well together, but something to consider. Z Wave is in a separate frequency space, but is a less open protocol. I have at least a few of all of these and they all play nice. Consider your priorities and choose what’s best for your application.

Thanks, I’ll give that a look.

A layered defense is always best. Nothing is 100%, but knowing your threat model will help define how far you have to go and how many layers you want in the way. Defending against State level actors looks different than swatting the constant low effort bot traffic. You’re right, if a bad actor gets root on your machine, all security is forfeit. The goal is to minimize that possibility by keeping applications and packages updated and only allowing necessary connections to the machine. You mentioned wireguard or tail scale. Set that up first. Then set up the host firewall to only allow outbound traffic onto the VPN to the required ports and endpoints on the LAN. If the VPS isn’t hosting any public facing services, disable all traffic except the VPN connection from and to the public Internet both on the cloud provider’s firewall and the host firewall. If it is hosting publicly accessible services then use tools like fail2ban and crowdsec to identify and block problem IPs.

Firewall rules on outbound traffic from the VPS to the LAN would do it. Allow traffic to the hosts and ports that the VPS needs to reach and block everything else.