This question reads rather strangely.
Added SSL
TLS is enabled by default on Proxmox. If you needed to "add" something then something was broken to begin with.
There's no point in provisioning SSH tunneling unless you also block non-local access to the Proxmox port - and when you do that, there's no benefit from changing the port Proxmox is listening on.
is tunneling required when I have two-factor authentication?
You are comparing apples and oranges.
You should start with a security model - who needs access, what are you trying to defend against - and then align your design with that. If you require remote access, nobody else does and ssh key pairs are appropriate for your use-case / will be used then there's not much to be gained from MFA in Proxmox.
Security is about confidentiality. availability and integrity. If you apply every possible access restriction to the target then you increase the risk of compromising the availability.
For a homelab type installation, assuming physical access is not a significant risk factor I would suggest that a more appropriate set of controls would be:
- limit access to port 8006 on the Proxmox host to the loopback address
- use a complex passwords for the Unix accounts
- use ssh forwarding
- do not allow password logins or root logins via ssh (i.e. keypairs only)
- optionally consider following for ssh access:
- fail2ban
- MFA
- non-standard port
- port knocking
