Hello all, i know this router has really small space to install anything else (like vpn) but I need to have access to it remotely from internet with port fowarding on the main router. I have at least tried to make it as secure as possible without additional installation such as :
using different port for ssh >10000, disable "allow ssh password authentication", disabled "allow the root user to login with password" and enable "allow remote hosts to connect to local ssh forwarded ports" (so I can connect remotely) and also, I am only using private/public key to connect via ssh.
If you want to put a device on the open net (and that actually includes mere wireless networks as well), you need to secure the device. First of all that requires running a current -security supported- firmware version, which is going to be a challenge^wimpossible on a 4/32 device, which all revisions but the mt7628n based rev v4 of the TL-WR840N are - and that's before even thinking about any additional packages (VPN).
If the backdoor is made out of cardboard (~EOLed versions without ongoing security support), there's little point to put a deadbolt on the front door. Hit up your local second markets, you'd be surprised what you can find for the equivalent of a small- to medium plate of chicken nuggets from your nearby burger joint. OpenWrt compatible 8/128 devices (and much better) aren't that scarce, it just needs a little patience and persistence to find a good deal (I would recommend >= 16/256 though, but even that doesn't require magic).