And both these things you never do in production because it takes little effort to establish there must be a port open, whereas the cumulative time you'll spend tracking down whether it's a network issue or bad/wrong keys is just not worth it.
Not to mention: nobody's going to be brute-forcing properly generated keys remotely. And if they're not properly generated, you have much bigger problems.
OpenVPN, which is just SSL, was vulnerable to Heartbleed.
Like the GP said - you're trading VPN bugs for SSH bugs - and experience shows that betting on SSH is generally wiser.
If you only need TCP/DNS and not a full-blown VPN, a program called sshuttle uses ssh+python to provide an excellent, seamless poor man's VPN. It's not perfect - e.g., you lose the IP src address on the forwarded connections - but it works amazingly well, much better than e.g. OpenVPN and most other VPN products I've used.
OpenSSH always responds (unless I've missed a recent feature), thus exposing which port it's listening on and that you sent a bad key.
The silent failure is preferable for this application.
Port knocking gives you a roughly equivalent layer.