[rfc1078](https://www.rfc-editor.org/rfc/rfc1078.txt) is deprecated, but the protocol is too simple to not implement. The implementation should feature an application level firewall, that correspond to the rules added to iptables/nftables to mitigate [security risks](https://en.wikipedia.org/wiki/TCP_Port_Service_Multiplexer#Security_risks). If that's not possible (or additionally), allow access only from within the VPNs. Bonus level: find as many clients that support tcpmux as possible