I use S7 300 PLC and Step 7 pro for this, but I think the basics are the same.
You have a static IP adress for you PLC on the local side of your network.
You have a static IP adress for your installation on the "internet side" of your network, WAN.
Inbetween you have a router which forwards traffic from WAN to LAN and vice versa. The port used by my Step 7 is 102. So all incoming traffic on port 102 from your internet side is forwarded to your PLC.
When you are programming locally, you use the local adress. But when you are programming remote, you have to change your HW settings, so the internet adress is used there. DO NOT DOWNLOAD THIS HARDWARE! Just save it, and try to go online.
Works like a charm for me, but I believe it is a unsafe solution. I would install a VPN switch so the connection is secure.
Hope I helped!