Comment on Including a Pangolin VPS in homelab cluster?
alto@lemmy.ml 1 day ago
Yeah I think we're on the same track, what I can think of is to do this:
- Set up firewall rules on my LAN router (which hosts the Wireguard server), restricting access to the Wireguard client coming in from the VPS.
- Set up firewall rules on the cloud provider to restrict access to anything but my public IP where the Wireguard server is hosted.
- Do the same in the VPS host internal firewall.
- Configure the Wireguard server and client config to only allow access to the IPs relevant for the clustering.
- Set up CrowdSec as part of Pangolin, it’s an integrated feature.
- Move the Newt + service containers exposed via Pangolin to their own isolated VLAN in order to further harden the environment around them.
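
An added example, not part of alto's comment: a small Python check for the Wireguard step in the list above, flagging any `AllowedIPs` entry wider than the addresses the cluster needs. The config, keys, endpoint and addresses are constructed placeholders, and `PERMITTED` is an assumed allowlist.

```python
import ipaddress

# Constructed VPS-side config; keys, endpoint and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.8.0.2/32
PrivateKey = <vps-private-key>

[Peer]
PublicKey = <home-router-key>
Endpoint = home.example.net:51820
AllowedIPs = 10.8.0.1/32, 192.168.50.0/24, 192.168.60.11/32
"""

# Assumption: the cluster only needs the tunnel peer and two node addresses.
PERMITTED = ["10.8.0.1/32", "192.168.60.11/32", "192.168.60.12/32"]

def parse_peers(text):
    """Return one dict per [Peer] section (configparser rejects repeated sections)."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # maxsplit keeps base64 '=' padding
            current[key.strip().lower()] = value.strip()
    return peers

def audit(text, permitted):
    """List (peer public key, network) pairs whose AllowedIPs exceed the allowlist."""
    allowed = [ipaddress.ip_network(p) for p in permitted]
    findings = []
    for peer in parse_peers(text):
        for item in peer.get("allowedips", "").split(","):
            if not item.strip():
                continue
            net = ipaddress.ip_network(item.strip(), strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((peer.get("publickey", "?"), str(net)))
    return findings

if __name__ == "__main__":
    for key, net in audit(SAMPLE_CONF, PERMITTED):
        print(f"peer {key}: AllowedIPs entry {net} is broader than the cluster allowlist")
```

`AllowedIPs` only controls which addresses are routed to and accepted from a peer, so the firewall rules in the other steps are still what limits ports and protocols.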