[rfc1078](https://www.rfc-editor.org/rfc/rfc1078.txt) is deprecated, but the protocol is too simple not to implement. The implementation should feature an application-level firewall that corresponds to the rules added to iptables/nftables to mitigate the [security risks](https://en.wikipedia.org/wiki/TCP_Port_Service_Multiplexer#Security_risks). If that's not feasible (or in addition), allow access only from within the VPNs. Bonus level: find as many clients that support tcpmux as possible.
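
One way to do the application-level check, as an added example rather than this project's code: the per-service allow decision that a port-based rule cannot make once every service arrives on port 1. The `POLICY` table, the `10.8.0.0/24` VPN range, the 255-byte line cap and the test port 1078 are assumptions.

```python
import ipaddress
import socketserver

# Assumed policy (constructed for this example): service name -> source
# networks allowed to reach it, mirroring per-port iptables/nftables rules.
POLICY = {
    "daytime": ["0.0.0.0/0"],
    "backup": ["10.8.0.0/24"],  # hypothetical VPN range
}
MAX_LINE = 255  # cap on the request line; a limit chosen for this example

def allowed(peer_ip, service):
    """True if peer_ip may reach service under POLICY."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n) for n in POLICY.get(service, []))

def decide(peer_ip, line):
    """Map one request line to (reply_bytes, service_or_None).

    RFC 1078: the client sends a service name ended by CRLF; the server
    answers '+' or '-' plus an optional message, ended by CRLF. HELP
    returns the service names, one per line. Names are case-insensitive.
    """
    if len(line) > MAX_LINE or not line.endswith(b"\r\n"):
        return b"-bad request\r\n", None
    name = line[:-2].decode("ascii", "replace").strip().lower()
    if name == "help":
        # Only advertise what this peer could actually use.
        visible = [s for s in sorted(POLICY) if allowed(peer_ip, s)]
        return "".join(s + "\r\n" for s in visible).encode(), None
    # Same reply for "unknown" and "forbidden" so replies do not leak the list.
    if not allowed(peer_ip, name):
        return b"-service not available\r\n", None
    return b"+ok\r\n", name

class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline(MAX_LINE + 1)
        reply, service = decide(self.client_address[0], line)
        self.wfile.write(reply)
        # On '+', a real server would now hand the socket to `service`.

if __name__ == "__main__":
    # Port 1 needs privileges; 1078 is an arbitrary stand-in for local testing.
    socketserver.ThreadingTCPServer(("127.0.0.1", 1078), Handler).serve_forever()
```

Filtering the `HELP` reply by source address keeps the service list from being enumerated by peers outside the VPN.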