Remote FreePBX local office configuration

What is the most secure way to configure this static arrangement of devices?

I have a FreePBX server running on a VPS in a local data center. It has a public IP and is not behind a firewall.
I have 15 office phones at our location on their own LAN, which accesses the public internet via pfSense (FreeBSD-based firewall/router).

My questions are vague and ill-informed as I’ve never had a setup like this before. So…
Do I set up each phone extension with really strong passwords on their own ports? ext. 1 = port 9001, ext. 2 = port 9002, and so on.
What do I do about NAT in this case?

OR
Do I run OpenVPN on the FreePBX server and set up a tunnel from my pfSense system to it?

Is there a known MOST secure way to configure this setup? I’m really not sure which direction to go here.
Any assistance would be greatly appreciated.

I’d say a VPN is the most secure. That way you only have to expose the required ports for the VPN, and only to the IPs you’ll be connecting from.

Another benefit is that you don’t have to worry about NAT issues.

Next preferable is using a firewall (or iptables) to expose the required ports to the IPs you’ll be connecting from.

Least preferable is relying on passwords, but exposing the system to the entire internet.

I’ve tried pfSense to OpenVPN running on a FreePBX server, described here: https://sysadminman.net/blog/2013/using-sysadminman-openvpn-template-with-pfsense-5517

Matt
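The two preferred options in the answer above (VPN-only exposure versus a firewall that admits SIP/RTP only from the office's address) can be expressed as a small iptables ruleset for the PBX host. The generator below is an added example, not code from this thread or from the FreePBX project; the office address is constructed, and the port numbers are assumptions (OpenVPN 1194/udp, SIP 5060/udp, RTP 10000-20000/udp as Asterisk defaults, sshd 22/tcp, tunnel interface tun0).

```shell
#!/bin/sh
# Added example: emit an iptables INPUT policy for the PBX VPS that exposes
# only what the chosen mode needs, and only to the office's public address.
# Assumed values (not from the thread): ports, interface name, office IP.

OFFICE_IP="203.0.113.10"   # constructed: pfSense WAN address at the office
VPN_PORT=1194              # assumed OpenVPN listener on the PBX
SIP_PORT=5060              # assumed SIP signalling port
RTP_RANGE="10000:20000"    # assumed RTP media range (Asterisk default)
TUN_IF="tun0"              # assumed OpenVPN server interface on the PBX

# gen_rules MODE -> prints the iptables commands; MODE is "vpn" or "direct"
gen_rules() {
    mode="$1"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # management access from the office address only
    echo "iptables -A INPUT -p tcp -s $OFFICE_IP --dport 22 -j ACCEPT"
    case "$mode" in
        vpn)
            # Only the tunnel endpoint is reachable from the office WAN address;
            # SIP and RTP are accepted solely on the tunnel interface, so they
            # never listen on the public side and NAT is not involved.
            echo "iptables -A INPUT -p udp -s $OFFICE_IP --dport $VPN_PORT -j ACCEPT"
            echo "iptables -A INPUT -i $TUN_IF -p udp --dport $SIP_PORT -j ACCEPT"
            echo "iptables -A INPUT -i $TUN_IF -p udp --dport $RTP_RANGE -j ACCEPT"
            ;;
        direct)
            # No tunnel: SIP/RTP sit on the public interface, but are admitted
            # only from the office address; everything else is dropped.
            echo "iptables -A INPUT -p udp -s $OFFICE_IP --dport $SIP_PORT -j ACCEPT"
            echo "iptables -A INPUT -p udp -s $OFFICE_IP --dport $RTP_RANGE -j ACCEPT"
            ;;
        *)
            echo "unknown mode: $mode (use vpn or direct)" >&2
            return 1
            ;;
    esac
}

# count_public_accepts MODE -> how many ACCEPT rules face the public side
count_public_accepts() {
    gen_rules "$1" | grep -c -- "-s $OFFICE_IP"
}
```

Review the printed commands before applying them (e.g. `gen_rules vpn | sh`), and make sure the SSH rule matches the address you administer from, or the DROP policy will lock you out.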