But I am still unsure how I can administrate securely. I probably shouldn’t expose WinBox to the world, or even SSH. So I am thinking of using a VPN behind or an SSH bastion. Is this the right way to do it? I am interested in any example of a configuration for such a purpose.
Correct, the safe/secure way is to use a VPN to get to the router.
Some people use port knocking, but it is best as a workaround until you get the VPN working.
I use IKEv2 with the MikroTik phone app to access the router when away.
Lots of folks here are adept at helping you set up a VPN as well. It's not exactly crystal clear.
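A sketch of the management-plane side of this advice, added here as an example and not part of either post: it limits WinBox and SSH to clients that arrived through the IKEv2 tunnel. The VPN pool 10.10.10.0/24, the list name `mgmt-vpn` and the `WAN` interface list are assumptions; the IKEv2 server itself (certificates, peer, mode-config) is not shown.

```routeros
# Assumed values (not from the thread): VPN client pool 10.10.10.0/24,
# address list "mgmt-vpn", interface list "WAN" as in the default configuration.

# 1. Turn off management services that are not needed at all.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 2. Bind the remaining management services to the VPN pool only.
#    Add your LAN subnet here as well if you also manage from inside.
set winbox address=10.10.10.0/24
set ssh address=10.10.10.0/24

# 3. Name the VPN pool once so the firewall rules can refer to it.
/ip firewall address-list
add list=mgmt-vpn address=10.10.10.0/24 comment="IKEv2 road-warrior pool (assumed)"

# 4. Input chain. Order matters: these rules must sit above any existing
#    generic drop rule, otherwise they never match.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="return traffic"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid"
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IKEv2 / NAT-T from the internet"
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="ESP when no NAT is in the path"
# Management is accepted only if the packet came out of an IPsec tunnel
# AND its source is inside the VPN pool.
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt-vpn ipsec-policy=in,ipsec \
    comment="SSH + WinBox via VPN only"
add chain=input action=drop in-interface-list=WAN \
    comment="everything else from WAN"
```

Apply changes like these in Safe Mode from a local session, so a mistake in rule order does not lock you out of the router.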