for a test web site you don't want open to the world. This setup would also allow remote access to any services you're running on the LAN from wherever without having to open ports, e.g. SSL vpn is generally run without IP restriction and that's considered safe. SSL vpn would allow you to open just one port (443 is a good idea) and have secure access to all your LAN stuff without forwarding ports to all the hosts (although not entirely necessary, running on port 1194/UDP is perfectly acceptable). Using key-auth only and restricting to only IPs you know mitigates most of the problems, but also makes it unsuitable for road warrior stuff. Unless configured correctly, including restricting access from untrusted networks, it can be insecure and it will definitely invite brute force attacks. Generally speaking if you leave SSH open to the world, you're asking for trouble.
This would allow anyone to attempt, but only those with the matching public key can login.
#Linux ssh keygen allow connection from different subnet password
Use public key authentication for SSH with password auth disabled.Host a VPN server (OpenVPN or Wireguard) and use that to connect back to the RPI, never exposing SSH to the open internet.The two best ways I can think of for doing this (assuming you mean connecting back with SSH, though this generalizes pretty well):