This app was mentioned in 4 comments, with an average of 1.25 upvotes
They have apps for it
https://play.google.com/store/apps/details?id=com.xargsgrep.portknocker&hl=en_US
https://itunes.apple.com/us/app/portknock/id358353536?mt=8
There are more; these are the first ones that popped up on search.
Other than that, a reverse proxy with an htpasswd file and fail2ban, or, as another user suggested, stunnel or SOCKS with certificate authentication.
First, simply using another port might be a quick workaround. For something better, I use a white-list with port knocking:
    /ip firewall filter
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=5678 \
        address-list=knock address-list-timeout=10s \
        log=yes log-prefix="knock" comment="Port knocking"
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=1234 \
        src-address-list=knock address-list=knock-knock address-list-timeout=10s \
        log=yes log-prefix="knock-knock"
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=54321 \
        src-address-list=knock-knock address-list=white-list address-list-timeout=15m \
        log=yes log-prefix="knock-knock-whos-there"
Notice ports 5678, 1234 and 54321: you need to knock them in this order, and you have 10 seconds between knocks. You want to go with high, low, high ports (add another low for extra security) to avoid an accidental knock from a possible attacker's port scan (nmap...). Port knocking then adds your current IP to the white-list for 15 minutes.
Then I only allow connections to VPN from white-list:
    /ip firewall filter
    add chain=input action=accept protocol=tcp dst-port=1723 src-address-list=white-list \
        log=yes log-prefix="VPN accept" comment="VPN"
And finally drop all input that doesn't come from white-list:
    /ip firewall filter
    add chain=input action=drop src-address-list=!white-list \
        log=yes log-prefix="drop input from non-white list"
Of course, to just drop all input from non-white-listed addresses, you have to add your LAN subnet to the white-list or you may lock yourself out of the router (well, there's always connecting via MAC, but be careful), and white-list any static IPs that you use frequently for easier access (like work).
Then I use a port knocking app on my phone to quickly knock the ports and then connect to the VPN (or SSH to a server behind NAT, for example).
Edit: port knocking app for android: https://play.google.com/store/apps/details?id=com.xargsgrep.portknocker
And if you don't have any apps available, you can simply use
    nc ip port1
    nc ip port2
    nc ip port3
or
    telnet ip port1 ...
or just an internet browser
    http://ip:port1 ...
then quickly cancel the request and repeat for each necessary port.
https://play.google.com/store/apps/details?id=com.xargsgrep.portknocker
Very straightforward; it even allows you to run an app after knocking.
This is a job for port knocking:
    /ip firewall filter
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=5678 \
        address-list=knock address-list-timeout=10s \
        log=yes log-prefix="knock" comment="Port knocking"
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=1234 \
        src-address-list=knock address-list=knock-knock address-list-timeout=10s \
        log=yes log-prefix="knock-knock"
    add chain=input action=add-src-to-address-list protocol=tcp dst-port=54321 \
        src-address-list=knock-knock address-list=white-list address-list-timeout=15m \
        log=yes log-prefix="knock-knock-whos-there"
Notice ports 5678, 1234 and 54321: you need to knock them in this order, and you have 10 seconds between knocks. You want to go with high, low, high ports (add another low for extra security) to avoid an accidental knock from a possible attacker's port scan (nmap...). Port knocking then adds your current IP to the white-list for 15 minutes.
Then I only allow connections to the VPN (or Winbox; change the port in the rule to the Winbox port) from the white-list:
    /ip firewall filter
    add chain=input action=accept protocol=tcp dst-port=1723 src-address-list=white-list \
        log=yes log-prefix="VPN accept" comment="VPN"
And finally drop all input that doesn't come from white-list:
    /ip firewall filter
    add chain=input action=drop src-address-list=!white-list \
        log=yes log-prefix="drop input from non-white list"
Of course, to just drop all input from non-white-listed addresses, you have to add your LAN subnet to the white-list or you may lock yourself out of the router (well, there's always connecting via MAC, but be careful), and white-list any static IPs that you use frequently for easier access (like work).
Then I use a port knocking app on my phone to quickly knock the ports and then connect to the VPN (or SSH to a server behind NAT, for example).
Edit: port knocking app for android: https://play.google.com/store/apps/details?id=com.xargsgrep.portknocker
And if you don't have any apps available, you can simply use
    nc ip port1
    nc ip port2
    nc ip port3
or
    telnet ip port1 ...
or just an internet browser
    http://ip:port1 ...
then quickly cancel the request and repeat for each necessary port.
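The knock behaviour described in the two port-knocking comments above (the 10-second windows between knocks, the required order, and why a plain sequential port scan never completes the high-low-high sequence), modelled in Python as an added example. This is a constructed simulation of the three address-list rules, not code from the comments or from RouterOS, and the client address 198.51.100.7 is made up.

```python
# Constructed model of the three RouterOS add-src-to-address-list rules quoted
# in the comments above (knock 5678 -> 1234 -> 54321). It is a simulation for
# reasoning about the sequence and its timers, not RouterOS code.
KNOCK_RULES = [
    # (src-address-list required, dst-port, address-list to add to, timeout s)
    (None,          5678,  "knock",       10),
    ("knock",       1234,  "knock-knock", 10),
    ("knock-knock", 54321, "white-list",  15 * 60),
]

class AddressLists:
    """Dynamic address lists: name -> {ip: expiry time in seconds}."""

    def __init__(self):
        self.lists = {name: {} for _, _, name, _ in KNOCK_RULES}

    def contains(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        if expiry is None:
            return False
        if expiry <= now:          # address-list-timeout has elapsed
            del self.lists[name][ip]
            return False
        return True

    def tcp_syn(self, ip, dst_port, now):
        """Run one inbound TCP packet through the knock rules; return list hit."""
        for src_list, port, target, timeout in KNOCK_RULES:
            if dst_port != port:
                continue
            if src_list is not None and not self.contains(src_list, ip, now):
                continue
            # add-src-to-address-list: entry with a fresh timeout (constructed
            # simplification: re-adding refreshes the timer)
            self.lists[target][ip] = now + timeout
            return target
        return None

def knock(lists, ip, ports, start=0.0, gap=1.0):
    """Send SYNs to `ports` in order, one every `gap` seconds; True if white-listed."""
    now = start
    for port in ports:
        lists.tcp_syn(ip, port, now)
        now += gap
    return lists.contains("white-list", ip, now)

if __name__ == "__main__":
    ip = "198.51.100.7"  # constructed client address
    print(knock(AddressLists(), ip, [5678, 1234, 54321]))           # True
    print(knock(AddressLists(), ip, [5678, 1234, 54321], gap=11))   # False: too slow
```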