Locking down a hosted box

Need some advice on locking down a hosted FreePBX VPS.

Background: I have a lot of experience with on-site FreePBX installs, but this is my first cloud-hosted install. The VPS is up and running with FreePBX Distro 10.13.66 64Bit. Both FreePBX and Asterisk are version 13. There is no hardware firewall; I'm running the firewall that came with the distro.

I can SSH into the VPS and I can access the FreePBX admin console via the web. Obviously I want to disable web access from the public internet. I really wanted to install OpenVPN on the box so that my GXP2170s can connect securely and remotely to the PBX. I encountered issue after issue with the config of OpenVPN, so I am going to table that idea until I can try again and test on a test box locally.

I’m thinking that I will block all HTTP traffic to 127.0.0.1 and use SSH tunneling to access the admin console remotely.

What’s the best method for allowing my phones to connect to PJSIP without sending the SIP credentials over the open internet?

Thanks everyone!