This is something I need to look into more. Thanks for pointing that out.
Yes, I am very well aware of such tricks. But this is too "overdressed" for me.
I mean, even my little Seafile server on the RaspberryPi and my "german Fritz Box" and already many websites (like the one of this forum!) offer a 2FA with an authenticator.
I'm sure someday a developer will build that directly into OpenWrt as an installable add-on. Want to bet?
My wireguard servers are of course only accessible through my VPN. So they are not "free on the internet". And it is a purely private and non-commercial VPN. The friends who run the servers at their place only use a FritzBox or another home router. Only mine uses an OPNsense.
I know I'm always exaggerating a bit about IT security. After all, this was my job for many years ... .
Many greetings! Peter
Translated with www.DeepL.com/Translator (free version)
The hint from @mikma seems to be the solution for my "problem". Sounds very good and I will deal with it intensively.
Thanks to all who have answered me!