• 0 Posts
  • 4 Comments
Joined 8 months ago
Cake day: November 26th, 2023

  • This is my current hardened sshd configuration.

    ssh/sshd_config: https://pastebin.com/7tH36TdJ

    • Public key authentication and 2FA using oathtool are used to authenticate.
    • Logging in is only possible for members of the “ssh-user” group.
    • “root” login is disabled through “PermitRootLogin”, “DenyGroups”, and “DenyUsers”.
    • “restricted” has the ability to log in from any host.
    • “user” is limited to using the internal network to log in.
    • “admin” can only log in when connected via WireGuard.
    • “sftp” may log in, but only uses the sftp server. There is no shell available.

    pam.d/sshd: https://pastebin.com/eqkisf4F

    • All successful pre-2FA logins will trigger the “ssh-login-alert”, which sends an NTFY alert containing the time, date, user, and host IP.
    • The use of /etc/users.deny prevents root login.
    • The use of /etc/users.allowed permits login by “restricted”, “user”, “admin” and “sftp”.
    • The 2FA step and the ssh-login-alert trigger do not apply to “sftp”.
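The two pastebins above are external, so here is an added example (not the commenter's files, and not from any project) of an sshd_config plus pam.d/sshd pair that implements the rules listed in the comment: key-then-OTP authentication, an ssh-user group gate, no root, per-user source-address limits, a key-only chrooted sftp account, and a pre-2FA alert hook. Everything the comment does not state is an assumption: the staging root, the two address ranges (192.168.1.0/24 as the internal network, 10.8.0.0/24 as the WireGuard subnet), the ntfy URL, the chroot path, and the choice of pam_oath and pam_listfile as the modules behind "oathtool" and the users.deny/users.allowed files. The OTP seed file /etc/users.oath is deliberately not written.

```shell
#!/bin/sh
# Added example, not the commenter's pastebin. Stages a hardened sshd_config,
# a matching pam.d/sshd, the pam_listfile lists and the ntfy hook under a
# scratch root, then syntax-checks the sshd_config when OpenSSH is installed.
# ROOT, LAN, WG, NTFY_URL, the chroot path and the PAM module choice are assumptions.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"            # stage here, not in /etc
LAN="${LAN:-192.168.1.0/24}"            # internal network allowed for "user"
WG="${WG:-10.8.0.0/24}"                 # WireGuard subnet allowed for "admin"
NTFY_URL="${NTFY_URL:-https://ntfy.example/ssh-alerts}"
SSHD_CONFIG="$ROOT/etc/ssh/sshd_config"
PAM_SSHD="$ROOT/etc/pam.d/sshd"
ALERT_SCRIPT="$ROOT/usr/local/sbin/ssh-login-alert"

write_sshd_config() {
    mkdir -p "$(dirname "$SSHD_CONFIG")"
    cat > "$SSHD_CONFIG" <<EOF
# Public key first, then a PAM-driven OTP prompt; no passwords anywhere.
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

# Only the ssh-user group, never root, and each named user only from its
# permitted source range (USER@CIDR in AllowUsers checks the client address).
PermitRootLogin no
DenyUsers root
DenyGroups root
AllowGroups ssh-user
AllowUsers restricted user@$LAN admin@$WG sftp

MaxAuthTries 3
LoginGraceTime 20
X11Forwarding no
Subsystem sftp internal-sftp

# sftp: key only (no OTP), no shell, no forwarding, chrooted.
Match User sftp
    AuthenticationMethods publickey
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    PermitTTY no
    AllowTcpForwarding no
EOF
}

write_pam_sshd() {
    mkdir -p "$(dirname "$PAM_SSHD")"
    printf 'root\n' > "$ROOT/etc/users.deny"
    printf '%s\n' restricted user admin sftp > "$ROOT/etc/users.allowed"
    cat > "$PAM_SSHD" <<'EOF'
# sshd only reaches this stack after the public key was accepted (see
# AuthenticationMethods), so the modules below run "pre-2FA", not "pre-auth".
auth    required   pam_listfile.so onerr=fail item=user sense=deny  file=/etc/users.deny
auth    required   pam_listfile.so onerr=fail item=user sense=allow file=/etc/users.allowed
# sftp skips the next two modules: no alert and no OTP for that account.
auth    [success=2 default=ignore] pam_succeed_if.so quiet user = sftp
# optional so an unreachable ntfy server can never lock anyone out.
auth    optional   pam_exec.so quiet /usr/local/sbin/ssh-login-alert
auth    required   pam_oath.so usersfile=/etc/users.oath window=10 digits=6
account required   pam_unix.so
session required   pam_unix.so
EOF
}

write_alert_script() {
    mkdir -p "$(dirname "$ALERT_SCRIPT")"
    {
        printf '#!/bin/sh\nNTFY_URL=%s\n' "$NTFY_URL"
        cat <<'EOF'
# Run by pam_exec; PAM_USER and PAM_RHOST are exported by the module.
msg="$(date '+%Y-%m-%d %H:%M:%S') ssh key accepted, OTP pending: user=$PAM_USER from=${PAM_RHOST:-unknown}"
curl -fsS --max-time 5 -d "$msg" "$NTFY_URL" >/dev/null
EOF
    } > "$ALERT_SCRIPT"
    chmod 0755 "$ALERT_SCRIPT"
}

validate_sshd_config() {
    # sshd -t with a throwaway host key, so the check does not depend on /etc/ssh.
    if ! command -v sshd >/dev/null 2>&1 || ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "sshd/ssh-keygen not found; skipping syntax check" >&2
        return 0
    fi
    [ -f "$ROOT/hostkey" ] || ssh-keygen -q -t ed25519 -N '' -f "$ROOT/hostkey"
    sshd -t -f "$SSHD_CONFIG" -h "$ROOT/hostkey"
}

cfg_has() { grep -qE -- "$2" "$1"; }   # small helper for checking staged files

write_sshd_config
write_pam_sshd
write_alert_script
validate_sshd_config
echo "staged hardened sshd configuration under $ROOT"
```

Two design points worth noting. The source-address limits for "user" and "admin" live in the global AllowUsers line rather than in Match blocks, because sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order and a login must pass all of them, so the group gate and the per-user address gate compose without extra blocks. The pam_exec hook is marked optional on purpose: the alert is a detective control, and a failing notification channel should not turn into a denial of service for the administrator.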