Benefits of running VPN rather than VPN + SSH or even just SSH:
- VPN has only one 'hole' in the firewall.
- Providing VPN ingress through or to your firewall is a different security model to hosting an ssh server on your firewall.
- Accessing an internal host using SSH from an internal machine is yet another security model.
- An SSH server exposed to the public will have less ability to detect and counter serious probes compared to a VPN server.
If you go for the arrangement I use, you need only have one security mechanism for all internal ssh servers, and that mechanism will also defend in the event the firewall is breached.
Then in isolation you can develop a security strategy for your public facing VPN ports as well as firewall configuration to mitigate any breach.
Regarding certificates, I issue VPN certificates to be installed on each remote device. I don't use public key.
For ssh use I issue secret keys to each user and maintain matching public keys in LDAP servers. SSHD servers can get the public keys in real time by using the AuthorizedKeysCommand. If a secret key is compromised I simply remove the matching public key.
[users are locked out from uploading their public key using ssh-copy-id]
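As an added example (not the poster's own script), the following Python program is the kind of helper sshd's AuthorizedKeysCommand can invoke to pull a user's public keys from LDAP at login time. It escapes the username before building the LDAP filter, parses `ldapsearch -LLL` LDIF output (including folded lines and base64-encoded `attr::` values), and only emits keys whose type is on an allow-list and whose blob really starts with that type in SSH wire format, so a malformed or mislabelled directory entry is dropped rather than installed. The LDAP URI, base DN and the `sshPublicKey` attribute name are assumptions; the embedded LDIF and key blobs are constructed sample data, not real keys.

```python
"""AuthorizedKeysCommand helper that reads public keys from LDAP.

Matching sshd_config fragment (paths and user are assumptions):

    AuthorizedKeysCommand /usr/local/sbin/ldap-authkeys %u
    AuthorizedKeysCommandUser nobody
    AuthorizedKeysFile none
    PasswordAuthentication no

With AuthorizedKeysFile set to none, users cannot add keys with ssh-copy-id;
the directory is the only source of truth, so revoking a leaked key means
deleting one attribute value.
"""
import base64
import re
import subprocess
import sys
from typing import List, Optional

# Hypothetical directory layout; adjust to your own LDAP servers.
LDAP_URI = "ldaps://ldap.example.internal"
BASE_DN = "ou=people,dc=example,dc=internal"
KEY_ATTR = "sshPublicKey"  # attribute name as used by the openssh-lpk schema (assumed)

# Key types accepted from the directory. ssh-dss is deliberately absent.
ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                 "ecdsa-sha2-nistp521", "ssh-rsa"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a crafted username cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def parse_ldif_attr(ldif: str, attr: str) -> List[str]:
    """Return every value of `attr` from `ldapsearch -LLL` output.

    LDIF folds long lines with a leading space on the continuation line and
    writes non-safe values base64-encoded after a double colon.
    """
    unfolded = re.sub(r"\r?\n ", "", ldif)
    values = []
    for line in unfolded.splitlines():
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8", "replace"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values


def valid_authorized_key(line: str) -> Optional[str]:
    """Normalise 'type blob comment' or return None for anything unacceptable.

    Key options (from=, command=, ...) are not accepted from the directory;
    restrictions belong in sshd_config where the directory cannot loosen them.
    The blob's first SSH string (RFC 4253 wire format) must equal the type field.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    ktype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != ktype.encode():
        return None
    return (ktype + " " + b64 + " " + " ".join(parts[2:])).rstrip()


def authorized_keys_from_ldif(ldif: str) -> List[str]:
    """Filter the directory's values down to lines sshd may consume."""
    keys = []
    for raw in parse_ldif_attr(ldif, KEY_ATTR):
        key = valid_authorized_key(raw.strip())
        if key:
            keys.append(key)
    return keys


def fetch_ldif(username: str) -> str:
    """Query the directory; needs a real LDAP server, so the sample data below avoids it."""
    flt = "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN, flt, KEY_ATTR]
    return subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=5).stdout


def _fake_blob(ktype: str, payload: bytes) -> str:
    """Constructed, non-functional key blob in SSH wire format (sample data only)."""
    t = ktype.encode()
    raw = len(t).to_bytes(4, "big") + t + len(payload).to_bytes(4, "big") + payload
    return base64.b64encode(raw).decode()


# Constructed sample: what ldapsearch -LLL might print for one user.
GOOD_KEY = "ssh-ed25519 " + _fake_blob("ssh-ed25519", b"\x11" * 32) + " alice@laptop"
GOOD_KEY2 = "ecdsa-sha2-nistp256 " + _fake_blob("ecdsa-sha2-nistp256", b"\x22" * 65) + " alice@desk"
_B64_KEY2 = base64.b64encode(GOOD_KEY2.encode()).decode()
MISMATCHED = "ssh-ed25519 " + _fake_blob("ssh-rsa", b"\x33" * 8) + " tampered"
SAMPLE_LDIF = (
    "dn: uid=alice," + BASE_DN + "\n"
    + KEY_ATTR + ": " + GOOD_KEY + "\n"
    + KEY_ATTR + ":: " + _B64_KEY2[:40] + "\n " + _B64_KEY2[40:] + "\n"  # folded line
    + KEY_ATTR + ": ssh-dss AAAAB3NzaC1kc3MA disallowed-type\n"
    + KEY_ATTR + ": " + MISMATCHED + "\n"
    + KEY_ATTR + ": not-a-key\n\n"
)


def main(argv: List[str]) -> int:
    if len(argv) != 2 or not USERNAME_RE.match(argv[1]):
        return 1  # sshd treats a non-zero exit as "no keys"
    for key in authorized_keys_from_ldif(fetch_ldif(argv[1])):
        print(key)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it offline with `python3 -c 'import ldap_authkeys as m; print("\n".join(m.authorized_keys_from_ldif(m.SAMPLE_LDIF)))'` to see only the two well-formed keys survive; in production sshd runs it as the unprivileged AuthorizedKeysCommandUser with the login name in `%u`, and the short ldapsearch timeout keeps a slow directory from hanging logins.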