IMO, your logic here is a bit flawed...
You got hacked, so your solution is to use a VPN that has been deprecated due to its completely inadequate security features. That's like saying that someone broke your regular door lock and burglarized your home, so instead of installing a proper deadbolt, you decide to secure your home with a screen door.
Two possible answers here...
- you, as an individual person, were targeted because you were a valuable/worthwhile target for some reason (maybe someone holding a grudge, maybe where you work, or what you have in your home, etc.)
or (more likely...)
- you, as some random person on the internet, were an easy or fun target (but the hacker doesn't know or care who you are as a person).
I'm still not entirely convinced that a hacker would have been able to (or felt it was worth) bricking your router at a hardware level. What are the symptoms? Have you tried failsafe mode?
Why was ssh open to the WAN if you had a VPN available? Once connected to the VPN, you can access the router directly if you desire (based on your firewall settings), so there's no need to have ssh open to the internet.
The more open ports that you have, the more attack surfaces you provide. And with PPTP, that is only magnified because it is so easy to crack. WireGuard is actually really cool in that it appears to be closed unless the cryptographic keys all match... it just doesn't respond to any attempts that are invalid.
Aside from exposing ssh to the internet, an 8-character password means that it was probably really easy to do a brute force attack (and the user 'root' means they didn't even have to try brute force on the user itself). Seems like this was a bad mistake.
It is about as effective as a screen door as a submarine hatch.
I think you've drawn a false equivalency here... I personally have a Ubiquiti Unifi Security Gateway as my main router... it has some VPN features, but IIRC PPTP was one of them, and OpenVPN is painful to use on this device. Behind that I have an old Ubiquiti RouterStation Pro that is my VPN endpoint. It is pretty fast even though it is old. You could easily pick up a used device that can support OpenWrt + WireGuard for <$25 US. Even a Raspberry Pi 3b (or maybe even a 2b in a pinch) could work quite well for this purpose.
Sure, but that's not likely to happen in a timeframe that works for your current needs. You got a wifi 6 router, which means it is pretty new. If they're a) still including PPTP, and b) not including WireGuard, think about how long it will take them to make those changes and provide firmware for users. Chances are that they will not release WG ever on your device... they may eventually do it for say wifi 7 or wifi 8... but in the meantime, you are putting yourself at considerable risk.
PPTP is not secure and will be a liability. To quote from the Wikipedia article I linked earlier (emphasis added):
Most networks that use PPTP have to apply additional security measures or be deemed completely inappropriate for the modern internet environment.
Anyway, you have been warned.
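
A defensive check for the exposure discussed in this post (SSH and PPTP reachable from the WAN), as an added example that is not part of the original post: it reads an OpenWrt UCI firewall config on stdin and lists rules that accept WAN traffic to the router itself on 22/tcp, 1723/tcp or GRE. The function names, rule names and sample config are constructed for illustration; it assumes the default zone name `wan` and single ports rather than ranges.

```shell
# Added example, not from the original post. Lists firewall rules that ACCEPT
# traffic from the wan zone to the router itself on SSH (22) or PPTP (1723, GRE).
# Assumes the zone is named "wan" and ports are listed singly, not as ranges.
audit_wan_rules() {
    awk -v q="'" '
    function report(   n, i, p) {
        # A rule with src=wan and no dest is an input rule for the router itself.
        if (sect == "rule" && opt["src"] == "wan" && opt["dest"] == "" && opt["target"] == "ACCEPT") {
            n = split(opt["dest_port"], p, " ")
            for (i = 1; i <= n; i++) {
                if (p[i] == "22")   print "EXPOSED ssh: " opt["name"]
                if (p[i] == "1723") print "EXPOSED pptp: " opt["name"]
            }
            if ((" " opt["proto"] " ") ~ / gre /) print "EXPOSED pptp-gre: " opt["name"]
        }
        split("", opt)                    # clear state for the next section
    }
    { gsub(q, "") }                       # drop the quotes UCI puts around values
    $1 == "config" { report(); sect = $2; next }
    $1 == "option" { val = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val); opt[$2] = val }
    END { report() }
    '
}

# Constructed sample config: rule names and contents are made up for illustration.
sample_config() {
    cat <<'EOF'
config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option name 'Allow-PPTP'
    option src 'wan'
    option proto 'tcp'
    option dest_port '1723'
    option target 'ACCEPT'
config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option proto 'udp'
    option dest_port '51820'
    option target 'ACCEPT'
EOF
}

sample_config | audit_wan_rules
```

On a router, the same function can be fed the live config with `audit_wan_rules < /etc/config/firewall`; any line it prints is a rule worth removing in favour of reaching the router over the VPN.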