A VPN is an encrypted connection to your entire LAN. SSH is an encrypted connection to your router only. If you use a custom SSH port and key, it is no more likely to be cracked than a VPN. Even if you use the default port, the custom key (with your SSH server restricted to that key only) is very secure. In fact, I've seen far more vulnerabilities with various VPN clients than with SSH.
IMO, as with most security-related programs & tools, it usually comes down to our own personal risk aversion, and the particular tools one trusts & prefers to take risks with. I don't think the SSH protocol itself is the real issue here, but the particular implementation of the SSH Server being used on the router may be.
Normally, I wouldn't open Dropbear SSH Server to the WAN, but I definitely would (if I really had a need for it) use OpenSSH Server for WAN access. Why? I trust OpenSSH more than the Dropbear SSH implementation because the former has already passed a security audit before, it has gone through much more intensive scrutiny, hardening & testing in various real-world scenarios, and it supports more recent & secure options for host key types, encryption ciphers, key exchange protocols, and HMACs (Hash-based Message Authentication Codes). OTOH, the Dropbear SSH Server implementation is intentionally more lightweight due to its smaller footprint, so it's well suited for embedded systems, but this means that it lacks many of the secure options/features available in OpenSSH. Also, I'm not aware of whether Dropbear SSH has had a security audit.
In any case, regardless of whatever SSH Server implementation you choose, if you're going to open it to the WAN I'd highly recommend at least making sure that it's as secure as you can make it:
1) Double-check that you're using SSH-2 (i.e. SSH version 2). It's always the default now. This is obvious for most of us, but perhaps not for some, so it's worth stating it.
2) Both the Host & Client keys to be used should be at least "4096-bit RSA" or "Ed25519 (256 bits)".
For Dropbear SSH Server, you will need to create your own 4096-bit RSA key since the default is only 2048 bits. Use the dropbearkey tool for this:
Code:
dropbearkey -t rsa -s 4096 -f /jffs/.ssh/dropbear_RSA_4096_host_key
3) From the SSH Client side, make sure to select a good encryption cipher (e.g. aes-256, chacha20-poly1305) and avoid the ones already known to be insecure or weak. Also, make sure to set a Host Key exchange algorithm that selects RSA, Ed25519, or Elliptic-curve Diffie–Hellman (ECDH) as the preferred policy.