When I'm on the road, I use tinc from the server in my home office out to a bastion server I have in the cloud. Separate keys and passphrases, no ssh-agent to keep the passphrases around for anyone who gets their hands on my laptop. Super simple to set up, and hasn't failed me once in several years. I guess you could argue that tinc isn't the most secure option, but I'm not too concerned about somebody managing to be in the middle of that path. The bastion's the thing that has to be most hardened against attack.