if you want to be truly paranoid, I use another beagle with a static IP and Nginx web server to reverse proxy OpenSprinkler externally over SSL and then use the same TLS Client certificates I use for Wired/WiFi authentication (EAP-TLS) to authenticate with the web server and allow my home automation interface to load; which includes OpenSprinkler.. now all my devices silently authenticate regardless if there home or away without any extra setup.. no password prompts and no brute forcing; you got to steal my client cert to have a shot.
Might add the above solution is Wife approved since she dont even know whats going on, but she did ask me.. “Our cameras have passwords on them right!?” when she she noticed they loaded without a prompt.
OpenSprinkler (Bone) has a local firewall running that only responds to my Automation Server; without knocking my automation server out and replacing it with a fake, which will throw errors everywhere, there is no way around the cert auth locally.. This is about as secure as you could hope to get OpenSprinkler.. I guess I could run SSL on the open sprinkler and do Client TLS auth on the proxy side too but I am not too worried about physical attack.. if your in my garage I got bigger problems than hacking my sprinklers.. my automation server is in the most secure location in the house and always locked in a cabinet in a locked server room, all switch ports require TLS auth or put you on free wifi network… you wanna start getting paranoid here or what?
but setting up a VPN is much easier; and if you cant trust an open source VPN implementation you might as well unplug your internet and toss your wireless access points in the trash.