I think it is fair to note that if this were a thread about a project I'm not working on, my first thought would be, "Come on, we can't make a frickin wireless router that's as good as a $30 TP-Link? How hard can it be?"
Hard. But what's worse is I still don't really understand why. It's not like TP-Link is doing anything extraordinary. And no, loading openwrt doesn't just fix it.
ssh+2FA to all your machines, anywhere, without opening firewall ports.