by iiix 1586 days ago
You could try using Tailscale. It's a WireGuard-based mesh VPN. Just set it up on your device and your server, and you're good to go. You can then allow SSH only over Tailscale, without worrying about anybody else trying to get in.

Other alternatives include ZeroTier and Nebula afaik, but I've never tried either.

(Still use SSH keys regardless though.)
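As an added example (not part of the original post), a small Python check a practitioner can run over an sshd_config to confirm that its ListenAddress entries restrict sshd to Tailscale addresses, i.e. the 100.64.0.0/10 and fd7a:115c:a1e0::/48 ranges Tailscale assigns. The sample configs are constructed for the demonstration.

```python
import ipaddress

# Address ranges Tailscale assigns to nodes (IPv4 CGNAT block, IPv6 ULA block).
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)


def check_sshd_listen(config_text):
    """Return findings for ListenAddress lines that would expose sshd outside
    Tailscale. An empty list means every bind is on a Tailscale address."""
    findings = []
    seen = 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() != "listenaddress":
            continue
        seen += 1
        # Accepted forms: addr, addr:port, [v6addr]:port, host:port; strip the port.
        addr = value.strip()
        if addr.startswith("["):
            addr = addr[1:addr.index("]")]
        elif addr.count(":") == 1:
            addr = addr.split(":")[0]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{addr}: hostname, cannot verify it is a Tailscale address")
            continue
        if ip.is_unspecified:
            findings.append(f"{addr}: wildcard bind exposes sshd on every interface")
        elif not any(ip in net for net in TAILSCALE_NETS):
            findings.append(f"{addr}: outside the Tailscale ranges")
    if seen == 0:
        findings.append("no ListenAddress set: sshd defaults to all interfaces")
    return findings


if __name__ == "__main__":
    # Constructed sample configs: a default-style one and a Tailscale-only one.
    weak = "Port 22\nListenAddress 0.0.0.0\n"
    strong = "# ssh only via tailscale0\nListenAddress 100.101.102.103:22\n"
    print("weak:", check_sshd_listen(weak))      # one wildcard finding
    print("strong:", check_sshd_listen(strong))  # []
```

ListenAddress only controls where sshd binds; pair it with a host firewall rule that admits port 22 on the tailscale0 interface alone, so a later config change cannot silently re-expose the daemon.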

2 comments

Personally I don't think there is any merit in using Tailscale over just public key auth. The way that can go wrong is if there is a vulnerability in sshd, which would be well disastrous.
ZeroTier is the easy way around. Also remember to block all SSH access at standard ports.
That implies running SSH on another, non-standard port makes it safer -- when a simple port scan would reveal it. It's a classic security-through-obscurity fallacy, IMHO.
I did not say/imply that the user should implement ONLY a non-standard port as security.

Sure, "a simple port scan would reveal it", but for those other script kiddies that do not, it prevents it. And BTW, every bit of security helps. ZeroTier at an alternative port is slightly better than port 22.