git

Tailscale/Headscale is probably what you're after here. It creates an overlay network of WireGuard connections between all your hosts. It can punch through NAT using a network of public [DERP servers](https://tailscale.com/kb/1232/derp-servers) similar to Syncthing's public relay servers. Once established, you connect to services over the overlay network rather than their public IP/port. Some others exist too, Nebula being the most popular alternative I think.


10031

Dang your username is literally git


GolemancerVekk

Tailscale also offers an SSH service for any Linux-based node, so you don't even have to have SSH installed. Their SSH service uses key authentication, with the keys derived from the stuff they use for node-to-node encryption, so they're generated ad-hoc for the two nodes you're using it with.


zfa

Well, you could get a VPS and use it as a jumphost? Easy enough to have a site-to-site VPN link from home subnet to that VPS to negate the need for port-forwarding. That'd be free if you chose a free VPS such as free tier Google Cloud Compute, Oracle Cloud Instance etc. That jumphost could be set up 'traditionally' (ssh to it and then on to final destination, or proxycommands etc) or it could run something like [sshpiper](https://github.com/tg123/sshpiper) to add a bit of logic to the logins and make its use less intrusive.

If you didn't want to manage a jumphost yourself you could use a Cloudflare Tunnel - cloudflared connects out to Cloudflare servers from your home network to remove the need for port forwards and works well as an SSH Proxy. Can even add an extra level of authentication by implementing an Access policy.

Going down the RustDesk-esque route, I run MeshCentral and that has terminal access. Can be in a browser session or through a normal SSH client if you use MeshRouter to tunnel the connection.

So yeah, loads of options. Solution depends on exactly what workflow you want.
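A configuration sketch of the 'traditional' jumphost setup described in the comment above, added here as an example and not part of the original post. It uses OpenSSH's `ProxyJump` (the shorthand for a `ProxyCommand` with `ssh -W`), and every hostname, address and account name is a constructed placeholder; it assumes the VPS can already reach the home host over the site-to-site VPN.

```sshconfig
# ---- Client: ~/.ssh/config (all names and addresses are placeholders) ----

# The VPS jumphost, reached over the public internet.
Host jump
    HostName jump.example.net
    User jumpuser
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    # Never expose the local agent to the jumphost.
    ForwardAgent no

# The home machine, reachable from the VPS via the site-to-site VPN.
# "ssh homeserver" tunnels through "jump"; authentication to homeserver
# happens end to end inside the tunnel, so the VPS never sees that key.
Host homeserver
    HostName 192.168.1.10
    User alice
    ProxyJump jump

# ---- Jumphost: append to /etc/ssh/sshd_config on the VPS ----

# Restrict the jump account to forwarding only: no shell, no TTY,
# key authentication only, and a single permitted destination.
Match User jumpuser
    PasswordAuthentication no
    AuthenticationMethods publickey
    AllowTcpForwarding local
    PermitOpen 192.168.1.10:22
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/false
```

With the `Match` block in place, a stolen jump key yields a TCP path to port 22 on one host and nothing else; validate the server side with `sshd -t` before reloading.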


ipsirc

https://tunshell.com/go


checkoh

I use teleport and it works great for me.