The thing is, Keef, that if you set up a remote access "host" you cannot have it totally stealthy. If it was, you would not be able to connect to it. The host machine will have to be listening on a port or two, and a port sniff will uncover those ports. Whether it will penetrate will depend on the security.
If you have a remote control host behind a NAT router, you have to open up the required port(s) in the router, and forward the packets to the other side.
Draytek routers are good but not that good. For years and probably still, they expose the remote admin port (443) to all and sundry - even if you disable the router's remote admin! So, 443 gets routinely attacked. Our server was being hit from multiple machines, with the dictionary attacks nearly saturating an 8Mbit/sec ADSL line. The work-around is to port forward 443 to an IP on the other side (the internal network) where nothing is going to respond to it.
I would always use a VPN for remote access.