NetBSD-Users archive


Re: Simple way to securely access remote machine that's behind a NAT?



Two suggestions (but these can be additional - it's good to have
multiple ways to win for remote devices):

1) Set up a tor hidden service.  Install tor from pkgsrc, and in the
config file find the hidden service section, and set up (if it's running
NetBSD; you just have to find the hidden service directory)

hiddenservicedir /var/chroot/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22

Then (restart tor) in that dir you can find "hostname", and you can
connect to it via installing netcat-openbsd from pkgsrc and setting up
ssh:

Host *.onion
    ProxyCommand nc -xlocalhost:9050 -X5 %h %p

Host foo.onion
    Hostname aaaaaaaaaaaaaaaa.onion

But your onion address will of course not be as uniform as that example.

This is pretty robust, but beware that tor needs dns to boot and dns may
not work if the time is wrong, so make sure ntpd doesn't need dns.  Or
get the battery-backed clock that the pi doesn't come with, or both.

2) Get an ipv6 tunnel and have the device deal with tunnel registration.
he.net's tunnels work well and you can do a web fetch with a password
that will update the tunnel endpoint to the address the fetch came from.
But, this requires configuration of the internet-facing NAT device to
send proto IP6 to the remote box.  There is a tunnel mechanism ayiya
that works in UDP, that sixxs (no longer operating) supported, and I'm
not sure about other providers, or if there's enough working Free code
to set that up yourself easily.
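
The warning above that ntpd must not need DNS can be checked mechanically. This is an added example, not part of the original message: a POSIX sh function that lists the time sources in an ntp.conf that are given as hostnames rather than IP literals. The function name ntp_dns_sources and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Lists ntp.conf time sources given as hostnames, i.e. sources that need
# working DNS before the clock can be set.

# ntp_dns_sources [FILE]   (reads standard input when no FILE is given)
# Prints one hostname per line; returns 0 if none were found, 1 otherwise.
ntp_dns_sources() {
    awk '
        # server/pool/peer lines name a time source in field 2
        $1 == "server" || $1 == "pool" || $1 == "peer" {
            addr = $2
            # skip the optional address-family flag
            if (addr == "-4" || addr == "-6") addr = $3
            if (addr == "") next
            # IPv4 dotted quad: no lookup needed
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            # IPv6 literal: has a colon and only hex digits, colons, dots
            if (addr ~ /:/ && addr ~ /^[0-9A-Fa-f:.]+$/) next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample ntp.conf, for illustration only.
sample_conf() {
    cat <<'EOF'
# constructed example
driftfile /var/db/ntp.drift
server 192.0.2.10 iburst
server -6 2001:db8::123
pool 2.netbsd.pool.ntp.org iburst
server -4 time.example.org
EOF
}

if hosts=$(sample_conf | ntp_dns_sources); then
    echo "all time sources are IP literals"
else
    echo "time sources that need DNS:"
    echo "$hosts"
fi
```

On the remote box itself, run it as ntp_dns_sources /etc/ntp.conf and replace any listed hostname with an address literal.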

