Is port forwarding dangerous?
I had an argument with a person a few months ago when I proposed we forward port 12xyz to an internal SSH server.
The target server was tied down in a manner similar to the one recommended by @stribika at https://stribika.github.io/2015/01/04/secure-secure-shell.html. Specifically, no root access, public key authentication only, non-standard ssh port, high-quality ciphers, kex, and, macs.
I was arguing that the forwarded port was not inherently dangerous in itself, and that the safety was dependent on the service at the target port. I maintained my method was a perfectly safe way to gain remote access. He vehemently argued that it was not, stating that a VPN tunnel is the only safe way to achieve remote access.
Who was right?
The answer to - Is port forwarding dangerous is that it is NOT inherently dangerous in itself and YES the safety is dependent on the service at the target port. But safety also depends on how good your router's firewall is and how well it is protected, both internally and externally.
For remote access, both SSH and VPN work as well as each other. Neither is more secure than the other when similar levels of encryption are used. But since SSH works at application level, supports only TCP and provides remote access to a single computer only I would prefer VPN tunneling which in fact works at the transport layer, supports both UDP and TCP and allows secure access to multiple resources.
VPN tunnel is NOT the only safe way to achieve remote access, but definitely the preferred way due to the above reasons. Not to mention SSH is really difficult to implement properly in case of multiple resources, can cause DNS leaks and has to be configured separately for each application.