You could add to that a openvpn client process which attempts to bring up a tunnel to your "mother ship" anytime it's on the internet so you always have a conduit back into it for the aforementioned openssh access.