When I anticipate needing the remote services, I enable them before leaving the house.
Except I'm human. I forget. Often.
I looked for ways I might be able to remotely trigger the router to enable those services. A popular click-through topic is port knocking. I decided against that option. Black magic hocus pocus and not well supported on DD-WRT..
I considered sending myself an email. The email could be discovered by a cron job running every 5 minutes, which could trigger a script to SSH into the router and enable the desired services. Except the mail client might not be running.
I thought about a marker file uploaded to this web site. A cron job running every five minutes could detect the file or state change. Doable but the idea sounded clunky.
Eventually I decided to keep the WAN side SSH port open all the time. I have password logins disabled. My private key is password protected should I lose control of my keys.
While I use the standard port 22 on the LAN side, I am not using that port on the WAN side. Moving the port doesn’t much fool anybody but tends to reduce intrusion attempts.
WAN side pings are disabled.
At least now I no longer worry about forgetting. Should I forget before walking out of the house and I need remote access to the office, I need only SSH into the router and run a script that enables any desired remote services.
I run a daily cron job to check WAN side services. I’ll be reminded upon returning home.
I'm probably safe enough. I hope so.