Enhancing protection of webUI reachable from the internet / untrusted LAN

[jowenn]

I have the requirement to configure my OPNsense instances from on the road.
Another problem ist, my mini-pc for the firewall has too few ports to have a fully trusted physical LAN interface.

a) My first idea was to add client certificates as a second factor to the administration webUI, but I didn't find an option for it

b) My second idea was to configure an additional OpenVPN (one OpenVPN is already used for site2site) on a non standard port, the credentials for this VPN are only known to the network administrator(s). Then I would assign an interface to it, and configure firewall rules to allow access to the firewalls HTTPS port. And forbid the access for the other interfaces.  I guess, if the WebUI is still listening on all interfaces, the automatically generated anti-lockout rule on the first LAN interface would make it impossible to deny the access with a custom rule.

c) This option would be similiar to b) but with configuring the administration interface to only listen on the OpenVPN interface. So I would have to do an OpenVPN connection also for on-site administration

d) Like c) but with an additional listening interface on some VLAN, that is filtered out on the managed switch attached to the firewall, so it is not reachable by default, but could easily be activated for administration purposes, if for some reason VPN is broken.

Do others have similiar requirements, are there better ideas? Right now, since I don't see a way to configure a) I think I would prefere option c), but are there better ways? Am I missing options?

Best Regards