
You might also consider an IP whitelist. The firewall is still probably the best place to stop any unwanted connection attempt. Also gives you good protection against zero days. Have a central location for what IPs are allowed to connect (like AWS S3) and the server downloading it every 5 min, and applying it to the firewall if it changed.
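The "download every 5 minutes, apply only if changed" step from the comment above, as an added example that is not part of the thread: it validates the fetched list, refuses over-broad or empty lists, and builds an nftables script only when the normalised content differs from the last applied one. Assumptions: nftables as the firewall, the table and set names, the prefix limits, and the sample addresses are all constructed for illustration; fetching the file and running `nft -f` on the result are left to the caller.

```python
import hashlib
import ipaddress

# Assumed nftables table and set names (sets need "flags interval" for CIDR entries).
TABLE = "inet filter"
SETS = {4: "allowed_v4", 6: "allowed_v6"}
# Assumed policy: refuse entries broader than this, so a typo like 0.0.0.0/0 cannot open the port.
MIN_PREFIX = {4: 24, 6: 48}
# Constructed sample list using documentation address ranges.
SAMPLE = "# phone\n198.51.100.7\n203.0.113.0/28  # office\n2001:db8:1234::/64\n198.51.100.7\n"


def parse_allowlist(text):
    """Return sorted, de-duplicated networks; raise ValueError on any bad line."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"line {lineno}: {net} is broader than policy allows")
        nets.add(net)
    return sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))


def render_nft(nets):
    """Build one script; `nft -f` applies a file as a single transaction."""
    lines = []
    for version, name in SETS.items():
        members = [str(n) for n in nets if n.version == version]
        lines.append(f"flush set {TABLE} {name}")
        if members:
            lines.append(f"add element {TABLE} {name} {{ {', '.join(members)} }}")
    return "\n".join(lines) + "\n"


def plan_update(fetched_text, last_digest):
    """Return (digest, nft_script), or (last_digest, None) when nothing changed."""
    nets = parse_allowlist(fetched_text)
    if not nets:
        raise ValueError("empty allowlist; keeping current rules")  # fail closed on a bad fetch
    new = hashlib.sha256("\n".join(map(str, nets)).encode()).hexdigest()
    if new == last_digest:
        return last_digest, None
    return new, render_nft(nets)
```

A parse error or empty download raises instead of flushing the sets, so a broken central file leaves the currently applied rules in place.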


In most cases I use it via my smartphone with dynamic IPv6. A whitelist for a train trip is impossible.


But don't you keep the same IP as you roam by train? All you need is a way to whitelist your new IP easily (I created a website that has just a button for that), and wait less than 5 minutes for the server to pick up the new list.


I've just checked before replying above, IP changes on every reconnect while being in the same room. It would be really bad usability with a whitelist. In my setup only 2FA cannot be saved in a browser, and login session is valid for a long time, so I do not have to re-login on every reconnect.



