Kubernetes uses cri-o nowadays. If you're using Kubernetes with the intent of exposing your docker sockets to your workloads, that's just asking for all sorts of fun, hard-to-debug trouble. It's best not to tie yourself to your k8s cluster's underlying implementation; you just get a lot more portability, since most cloud providers won't even let you do that if you're managed.
If you want something more akin to how Kubernetes does it, there's always nerdctl on top of the containerd interface. However, nerdctl isn't really intended to be used as anything other than a debug tool for the containerd maintainers.
Not to mention podman can just launch Kubernetes workloads locally, à la docker compose, now.
One of the biggest downsides of a VPN: you share an exit node with lots of other people, and it only takes one bad actor to get your exit node IP banned.