pfSense on a VPS to protect other VPSs
I am running 3 small VPS servers, each with it's own public IP. Each of it does it's own job: one webserver, a mailserver, and one for other small tasks. They are basically protected by some restrictive iptables rules and fail2ban. Now I thought about hiding them all behind a fourth VPS with pfSense running, so that I don't need to fiddle around with iptables on each server, and can control things in one place. Kind of a "cloud firewall" I think.
I'm just not sure, if that is generally a good idea, and if yes, what's the best way to achieve this. I need to close the VPSs so they are not accessible over their public IP anymore, only over the pfSense VPS. So I need at least a small iptables setup for each server, but it would be the same for every server, and shouldn't need any maintenance.
The only solution I found, would be a VPN, where pfSense acts as OpenVPN server, and the other VPSs connect as clients. iptables on the VPSs only would allow VPN traffic from and to the pfSense VPS. And pfSense distributes traffic by portforwarding, as each VPS runs different services (at least on different ports), this would be possible.
Is anybody running a setup like this? Does anybody see downsides? Is it just plain crazy or pointless for some reason I don't see currently? Does anybody have other ideas to create such a setup?