KVM reachable via a hidden service (Tor)

Has anyone tested connecting through a hidden service to avoid Tailscale or https://glkvm.com (Linux option)?
How does it work?

I wouldn't recommend using Tor for that; Tor is more for hiding the IP address of the Comet, but it provides no real protection if the .onion hostname leaks.

However, other solutions have been used, including a WireGuard-based solution and CloudFlare ZeroConfig. I use SSH tunnels into a local server to create a SOCKS proxy, but that's a little dated these days.

The big question is "Why not Tailscale?" From there maybe someone has suggestions.


Why does it need to be hidden?

For port scanners?

In that case WireGuard, or a WireGuard derivative like Tailscale, can work very well.

WireGuard uses UDP, and WireGuard does not respond if an authentication failure happens or if the packet is just a probe from a port scanner. Since UDP also doesn't reply with ICMP replies, unlike TCP, the port scanner won't pick anything up.

I myself use a WireGuard server, and I think with the GL UI it's even easier to just allow LAN access from the tunnel.

In my case I don't use the GL software, only OpenWrt, but I use a traffic rule where everything from zone wgserver is allowed to communicate with zone kvmnet on a different VLAN network, and that works fine.

I could also add more authentication, but I think this is fine. I could also host my WireGuard server somewhere else on the network with Pangolin and just port-forward the wgserver port to Pangolin.
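The silent-drop behaviour described in the post above, modelled as an added Python example (this is not code from the post, and not WireGuard's own implementation). WireGuard's responder checks the mac1 field of a handshake initiation before doing anything else: mac1 is a keyed BLAKE2s MAC over the first 116 bytes of the message, keyed with a hash of the responder's own public key. A peer that knows that public key can produce a valid mac1; a scanner cannot, and the responder answers neither case with a rejection, only silence. The responder key here is a random 32-byte placeholder rather than a real Curve25519 key, and the ephemeral/static/timestamp fields are random filler; only the mac1 check is implemented faithfully, and mac2/cookies and the rest of the Noise handshake are left out.

```python
"""Model of WireGuard's first-packet mac1 filter (added example, not WireGuard code)."""
import hashlib
import hmac
import os
import struct

LABEL_MAC1 = b"mac1----"           # label constant from the WireGuard protocol paper
MSG_HANDSHAKE_INITIATION = 1       # message type of a handshake initiation
INITIATION_LEN = 148               # 4 + 4 + 32 + 48 + 28 + mac1 (16) + mac2 (16)
MAC1_OFFSET = 116                  # every byte before mac1 is covered by mac1


def wg_hash(data: bytes) -> bytes:
    """HASH(): unkeyed BLAKE2s with a 32-byte output."""
    return hashlib.blake2s(data, digest_size=32).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s with a 16-byte output."""
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def mac1_key(responder_public_key: bytes) -> bytes:
    """The mac1 key depends only on the responder's static public key."""
    return wg_hash(LABEL_MAC1 + responder_public_key)


def build_initiation(responder_public_key: bytes, sender_index: int = 0x11223344) -> bytes:
    """Build a handshake initiation with a valid mac1, as a peer who knows the key would.

    The ephemeral, static and timestamp fields are random placeholders (assumption:
    only their sizes matter for the filter).  mac2 is all zeros, which is what a
    peer sends when it holds no cookie from the responder.
    """
    body = struct.pack("<I", MSG_HANDSHAKE_INITIATION)   # type byte + 3 reserved zero bytes
    body += struct.pack("<I", sender_index)
    body += os.urandom(32)   # unencrypted ephemeral public key (placeholder)
    body += os.urandom(48)   # encrypted static public key (placeholder)
    body += os.urandom(28)   # encrypted TAI64N timestamp (placeholder)
    assert len(body) == MAC1_OFFSET
    mac1 = wg_mac(mac1_key(responder_public_key), body)
    mac2 = bytes(16)
    return body + mac1 + mac2


def responder_filter(datagram: bytes, responder_public_key: bytes) -> str:
    """Decide what the responder does with an incoming UDP datagram.

    Returns "accept" when the datagram is a well-formed initiation whose mac1
    verifies, otherwise "drop".  There is deliberately no "reject" result:
    nothing is sent back, so a scanner sees the same silence for a closed UDP
    port and for a WireGuard port it is not authorised to talk to.
    """
    if len(datagram) != INITIATION_LEN:
        return "drop"
    if datagram[0] != MSG_HANDSHAKE_INITIATION or datagram[1:4] != b"\x00\x00\x00":
        return "drop"
    expected = wg_mac(mac1_key(responder_public_key), datagram[:MAC1_OFFSET])
    received = datagram[MAC1_OFFSET:MAC1_OFFSET + 16]
    if not hmac.compare_digest(expected, received):
        return "drop"
    return "accept"


def demo() -> dict:
    """Run constructed probes against one responder and report each verdict."""
    responder_key = os.urandom(32)          # placeholder for the responder's public key
    other_key = os.urandom(32)              # some other server's public key
    probes = {
        "empty probe": b"",
        "generic scanner payload": b"\x00" * 64,
        "random 148-byte datagram": os.urandom(INITIATION_LEN),
        "initiation for the wrong key": build_initiation(other_key),
        "initiation from a real peer": build_initiation(responder_key),
    }
    return {name: responder_filter(pkt, responder_key) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

Only the last probe is accepted; everything a scanner can send without knowing the responder's public key (and even a correctly shaped initiation built for a different server) is dropped without a reply, which is why a UDP scan of a WireGuard port looks no different from a scan of a port with nothing behind it.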

WireGuard? You control everything point to point and it is fully encrypted. If you don't trust Tailscale you can try Headscale.

Hidden service: to SSH into the KVM behind NAT/firewall.

Definitely not an appropriate tool for that, it's just using "Big Sky" security to hope nobody stumbles across it. Opening up an IPv6 port is about the same level of security and much easier. Things like Tor are for when you want to share stuff with the world, but don't want the world to know where your server is located. What you want is a secure mechanism for you and only you to access the device.

If you have a server better able to handle public SSH access and a strong IT background you can expose a non-standard port and connect through that, but it's much better to use a Tailscale-like solution which is like setting up a VPN. Is there any issue you're running into with Tailscale?

Dear @jdbower, have you read the first post? Please read it again.

In the meantime, an interesting article to broaden horizons:

USB150 microrouter → SSH to GL-inet router via hidden service

Because Twingate exists. I have professionally evaluated both and I can't recommend a WireGuard 'mesh' network. Their ACL strategy makes rule-based access... not scalable. It's kind of funny that they call their service TailSCALE when it won't. Professionally I like Zscaler ZPA myself, based on the limited number of ports required compared to Twingate's requirements for professional deployments, but I don't think that will work for the KVM as they don't have a 'homelab' option and no one here will be paying for remote ZTNA access.

I understand you don't want to use Tailscale, but you don't say why, and you want to use a .onion hostname to punch through a NAT instead. But that's not what Onion services are for: they're explicitly for exposing a service to the world without exposing the service's IP address. Twingate is a great example of a Tailscale alternative for punching through a NAT. Does that solve your problem, or is there another issue that makes Tailscale a non-starter for you?