Running on a non-standard port is about as secure as leaving the key to the front door under the doormat - security through obscurity _just doesn't work_. I can't possibly emphasize this enough.
The brutal attack against Ubiquiti before wasn't brute-force at all - again, they *bypassed* *ALL* authentication methods. It doesn't matter how secure your password is or whether the connection is encrypted or not!
I didn't suggest exposing SSH to the world as an alternative - that's only slightly more secure than opening up the admin interface to the world.
I also didn't intend to suggest you use PPTP. All EdgeRouters offer OpenVPN and IPSec right out of the box - why not use one of those?
That having been said, the web UI listens on all interfaces. NAT your public interface to your primary localnet router IP for port 443 (and open the firewall if you aren't doing hairpin) and you're basically done.
Rodney