Seriously "let's just put every single person thru one server unencrypted" is IDEAL place to attack.
At least in case of VPN you only tunnel then-encrypted (in most cases) traffic to servers - so at worst case you at least have protection of ssh/https
Every "jump host" I've seen in the past 25+ years has used SSH externally.