Wireguard, tailscale, etc instead, THEN use ssh keys (with password on them mind you, then you have 2fa - something you have, and something you know).