What's wrong with exposing SSH? It has got to be one of the most well tested pieces of network software out there.
Re. fail2ban - nearly all SSH scanning attempts in the wild seem to be from unsophisticated attackers using some pieces of obsolete software. I disabled all but a couple of modern ciphers/MAC/KEX algorithms and hardly ever see any password brute-force attempts in my logs (not that they have any chance of working - I disable password authentication as well). Mostly a bunch of "no matching key exchange method found", which I regard as a minor nuisance.
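A small triage script for the log pattern described in that post, added here as an example (not the poster's code): it classifies sshd auth-log lines into algorithm-mismatch noise, password attempts and accepted key logins, counts them per source, and flags whether any password attempt reached sshd at all, which should not happen once PasswordAuthentication is off. The log lines are constructed samples in OpenSSH's own message format, with documentation-range IPs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth-log lines in OpenSSH's format (not real traffic).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1234]: Unable to negotiate with 203.0.113.7 port 51234: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 [preauth]
Mar 10 12:00:05 host sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar 10 12:00:07 host sshd[1241]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 12:00:09 host sshd[1242]: Unable to negotiate with 203.0.113.7 port 51240: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
Mar 10 12:01:00 host sshd[1250]: Accepted publickey for alice from 192.0.2.5 port 52000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
"""

# One pattern per event class; the named group 'ip' keys the per-source counts.
PATTERNS = {
    "kex_mismatch": re.compile(r"Unable to negotiate with (?P<ip>\S+) port \d+: no matching key exchange method found"),
    "cipher_mismatch": re.compile(r"Unable to negotiate with (?P<ip>\S+) port \d+: no matching cipher found"),
    "mac_mismatch": re.compile(r"Unable to negotiate with (?P<ip>\S+) port \d+: no matching MAC found"),
    "password_failure": re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"),
    "publickey_accepted": re.compile(r"Accepted publickey for \S+ from (?P<ip>\S+) port \d+"),
}

def classify(line):
    """Return (event_class, source_ip) for a recognised sshd line, else None."""
    for name, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return name, m.group("ip")
    return None

def summarize(log_text):
    """Count events per class and per source IP."""
    by_class = Counter()
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            name, ip = hit
            by_class[name] += 1
            by_ip[ip][name] += 1
    return by_class, by_ip

def password_path_open(by_class):
    """True if password attempts reached sshd's password method at all; with
    'PasswordAuthentication no' in effect this should stay False."""
    return by_class["password_failure"] > 0

if __name__ == "__main__":
    by_class, by_ip = summarize(SAMPLE_LOG)
    print(dict(by_class), "password path open:", password_path_open(by_class))
```

On the sample, the algorithm-mismatch lines are the harmless "obsolete scanner" noise the post describes, while the two password failures from one source would show that password auth is still reachable on that host.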
You can set up a trigger port that will open an SSH port when triggered properly. Some routers come with this functionality; a third-party open-source firmware usually does this or allows for a script to implement it.
So you "knock" on port 666, let's say, with a magic packet of some sort. This opens a secured SSH port, then drops it on command or when the idle time-to-live expires.