Currently I have a bastion host running a hardened distro, which establishes a reverse proxy tunnel to its ssh port via my $4/mo VPS using rathole, an excellent reverse proxy utility I switched to from frp.
I also maintain a Tor hidden service pointed at the bastion host’s ssh port and another on a different internal host. These are so that I can still get in if the bastion host, my VPS, or certain aspects of networking are down for some reason.
Eventually I will implement port knocking / single packet authorization by deploying fwknop on some or all of these services to further enhance security.