All right, that’s a bit more to work on.
I wouldn’t go with the permanently open SSH connection, since you can’t guarantee (I think) that that connection is always going to be stable. So the tunnel would be broken, which means you’d need something on the remote sites to babysit the connection and re-establish it whenever it goes down. Doesn’t sound like fun to me.
If poking holes in the firewall really is an issue, then you could look into ngrok. You could use that for either the web interfaces I mentioned - heck, you could use it to access the Rockstor interface - or an SSH daemon. You’d run ngrok on each of the remote systems, but since that’s a simple process, that’s a bit easier to keep running through systemd. There’s a free option that has some limitations, or a paid option that gives you more breathing room.
Before you start rolling out solutions like this, though, make sure you are aware of the fact that you’re opening up a server to the internet at large, and that you should make sure the services you open up are sufficiently secure!