The only port you need to open up from the outside in to do remote management is your SSH port. Once you set up your SSH tunnel you can set up a SOCKS5 proxy through it and browse on your remote machine as if you were on the local network. This way all of your traffic will be AES256 encrypted end to end. You don't need VNC or RDP. Outside access will be closed unless the tunnel is up. https will always leave access to your box open and your logon screen open to the world.
ssh username@host -P (port#) -D 1090
Open up proxy settings in browser set socks proxy for 127.0.0.1:1090
make 127.0.0.1 address is not exempt from proxy
put 127.0.0.1 in the address bar of your browser and you'll be in your DCE router in an encrypted tunnel
The same can be done with putty in Windows.
just expand connection
click on tunnels
put 1090 under source port
click the "dynamic" radio button
and set up the proxy settings in your browser as previously described.