That redesign could include the use of a VPN. The OpenBSD FAQ section on NFS,
FAQ 6.7, recommends an ipsec(4) solution for NFS over an insecure network.
I suppose an admin might prefer net/openvpn or ssh(1) tunneling to IPsec, but those solutions should be very carefully tested. I believe their higher communications overheads may have significant functional impact: I/O delays or I/O timeouts leading to functional problems with an application; perhaps even application failures.