Bypassing NAT

It is possible to access your device over the Internet even if you are behind NAT device (e.g. Wi-Fi router or on mobile network). There are some ways to achieve this, but will require installing additional software and a bit of configuration.

Tor
Accessing device via Tor is the most secure and effective method - offers strong end-to-end encryption (onion services don't use 'exit' node), virtual ports (e.g. 80 port without root), your service won't be visible on plain Internet.

However, this method requires setting up a Tor Onion Service.

Installing needed packages
The main package is tor. Install it by running this command: pkg install tor

You may want to install a `torsocks` for accessing the Tor Network: pkg install torsocks

Setting up Onion Service
You will have to modify the default configuration file of tor. Here is an example of configuring SSH Onion Service, overwrite the torrc file with this content: SOCKSPort 127.0.0.1:9050
 * 1) Enable TOR SOCKS proxy

HiddenServiceDir /data/data/com.termux/files/home/.tor/hidden_ssh HiddenServicePort 22 127.0.0.1:8022
 * 1) Hidden Service: SSH

Then you need to make a directory where information about Hidden Service will be stored: mkdir -p ~/.tor/hidden_ssh

Now you can execute in console. If start was successfull, you can get your onion service hostname: cat ~/.tor/hidden_ssh/hostname Output should be like this:

Accessing your service
First of all make sure that on client device `tor` is running and you have all necessary software for accessing Tor Network (in this case package `torsocks`).

To access the onion service created in previous step, run this: torsocks ssh g3yv3tvqrbow7koz.onion

If everything is ok, the output should be like this: The authenticity of host 'g3yv3tvqrbow7koz.onion (127.42.42.0)' can't be established. ED25519 key fingerprint is SHA256:WGualHEq7SJdvVeXgy8a+btPQCd7uxTeXjlWdHHLwLc. Are you sure you want to continue connecting (yes/no)?

Remember, `tor` should be running on both (client/server) sides, otherwise you will get connection errors. You can configure other servers (e.g. Nginx) in the same way as shown in above example for SSH.

Learn more about Onion Services
Better explanation about Onion Services and other Tor-related things you can found at torproject.org.

Ngrok
Homepage: https://ngrok.com/

Terms of service: https://ngrok.com/tos

Restrictions: for up-to-date info check https://ngrok.com/pricing.

Termux developers are not responsible about availability, reliability and safety of this service !

Installation
Go to the Ngrok downloads page, and choose a binary with architecture correct for your device. You can follow instructions available on the downloads page, but for better experience you can follow these instructions that will install binary to the Termux environment.

In these instructions will be assumed, that yours architecture is AArch64 (i.e. arm64).

1. Unzip downloaded archive:

unzip ngrok-stable-linux-arm64.zip

2. Move binary to the right place:

mv ngrok $PREFIX/bin/

3. Set executable permissions:

chmod +x $PREFIX/bin/ngrok

4. You need to authorize your ngrok installation. Here will be assumed that you registered an account on https://ngrok.com/signup so you can proceed with:

ngrok authtoken {your auth token}

Note that authentication token should be retrieved from your account's page. The token is similar to this string:.

Usage example
In this example will be shown how to forward SSH port via Ngrok. Before proceed, make sure that Ngrok is installed and authenticated, otherwise you will get errors.

Type in your console this:

ngrok tcp 8022

You should see an output similar to this:

ngrok by @inconshreveable                                      (Ctrl+C to quit) Session Status               online Account                      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (Plan: Free) Version                      2.2.8 Region                       United States (us) Web Interface                http://127.0.0.1:4040 Forwarding                   tcp://0.tcp.ngrok.io:13766 -> localhost:8022 Connections                  ttl     opn     rt1     rt5     p50     p90 0      0       0.00    0.00    0.00    0.00

Here, a string  represents an URL of your service (in this case SSH) available on the Internet.

You can verify if it works by doing:

ssh -p 13766 0.tcp.ngrok.io

SSH tunnels
Here are shown some public free services which will allow to expose your local Termux services to the Internet. Remember that these services are able to intercept, analyze and manipulate your traffic since SSH connection is decrypted on server side.

'''These services are provided for fair use only. Using these services for botnet C&C, phishing and other malicious activity may result in service permanent shutdown, blacklisting of your IP or even legal action.'''

Termux developers are not responsible about availability, reliability and safety of these services !

serveo.net
Homepage: https://serveo.net/

Restrictions:
 * Port 80 and 443 can be used only for web traffic.
 * Web browser may warn about phishing attempts.
 * Plain TCP connections can be forwarded only to ports >=1024.

Hosting local web site:

ssh -R 80:localhost:${LOCAL_PORT} serveo.net

Hosting local web site with specified Serveo subdomain:

ssh -R ${SUBDOMAIN}:80:localhost:${LOCAL_PORT} serveo.net

Forwarding SSH port:

ssh -R ${REMOTE_PORT}:localhost:8022 serveo.net

Where
 * is a port on which web server is listening in Termux.
 * is a Serveo port >=1024 redirected to your local service in Termux.
 * is unique serveo.net subdomain on which your site will be hosted.

When setting custom port or subdomain, ensure they are unique. Otherwise you may experience failures.

localhost.run
Homepage: https://localhost.run/

Restrictions: only for HTTP traffic.

Usage:

ssh -R 80:localhost:${LOCAL_PORT} ${YOUR_ID}@ssh.localhost.run

Where
 * is a port of service running in Termux
 * is an unique ID on which subdomain will be based.

If tunnel was successfully estabilished, you will receive message like this one Connect to http://testproject-588f5df1.localhost.run or https://testproject-588f5df1.localhost.run

Tmate
Tmate is utility for sharing terminals. It is very easy to use, though it will destroy connection once client disconnected.

Utility can be installed with.

Usage example
1. Make sure that all your devices have SSH key in  directory. If not, on each device do:

pkg install openssh mkdir ~/.ssh ssh-keygen -t rsa -f ~/.ssh/id_rsa

2. Execute the following command within Termux:

tmate

3. Once you done previous step, you should see a colored line at the screen bottom with link. Save it, because it is your connection token. It looks like

Bff5fhJquRpO105c3OL62Icfp@fk2.tmate.io

4. On another device from which you want to connect to Termux, run

ssh Bff5fhJquRpO105c3OL62Icfp@fk2.tmate.io

Important note: link shown above is just example and should not be copy-pasted !