If your hard-to-reach server can connect to the internet (via a bunch of NATs and whatnot), you can just make it access your box of choice by e.g. Wireguard, or plain SSH with port-forwarding, or attach it as a node to your ZeroTier private network.
You only need a bunch of jump hosts if your target server has no Internet connectivity, and should not, in which case all these levels of bastions do make sense.
ZeroTier, Tailscale and such are OSS and have been independently security & crypto audited. I don't know if tailscale has been audited, but since they are a more popular tool I bet they probably are too. They're actually really good tools and would probably be more reliable than tor tbh, I would recommend looking into them.
> ZeroTier, Tailscale and such are OSS and have been independently security & crypto audited.
Both rely on their centralized coordinator servers which can mess with your routes (and thus your traffic) however they please.
ZeroTier has a published (but not OSS) coordinator, but their documentation pushes you towards their SaaS. Tailscale's coordinator is SaaS-only, unless something has changed very recently.
Their client node software is audited though, and the contents of your packets are not accessible to the router. This is why the amount of the possible meddling is limited to a DoS, AFAICT.
Who audits the Tor nodes that do onion routing is anyone's guess; I suppose ZeroTier is no worse than them.
> Their client node software is audited though, and the contents of your packets are not accessible to the router. This is why the amount of the possible meddling is limited to a DoS, AFAICT.
Normally the coordinator just forwards the keys from your peers, and so doesn't see the contents (the traffic doesn't pass through it, and even if it did it didn't have the key).
However, that assumes that the coordinator is being truthful with the network topology that it sends you. It could send you any topology that it wants to! This means that it could start MITMing whenever it wants to by telling you that $SERVER_IP's peer is now actually $COORDINATOR_KEY at $COORDINATOR_IP.
Theoretically you could defend against this by, say, running a cronjob that validates that the Wireguard keys are unchanged. But at that point you're not really gaining much compared to just using wg-quick.
Tor is different, because the .onion domain name inherently encodes the public key of the site you're connecting to. There is no way to change the key without also changing the URLs that people connect to!
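A concrete form of the key-pinning cron check mentioned in the reply above, added here as an example that is not from any commenter or from the WireGuard project. It parses `wg show <iface> dump` output; the key strings and dumps below are constructed placeholders, and the `check_live` helper assumes `wg` is on the path.

```python
"""Pin WireGuard peer public keys and report when the topology a coordinator
pushed no longer matches them. Sample dumps below are constructed."""
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: tuple

def parse_wg_dump(dump: str) -> list:
    """Parse `wg show <iface> dump`. Line 1 describes the interface; each later
    line is one peer, tab-separated: public-key, preshared-key, endpoint,
    allowed-ips (comma list), latest-handshake, rx, tx, persistent-keepalive."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) < 4:
            continue  # malformed line: skip rather than trust it
        peers.append(Peer(f[0], f[2], tuple(f[3].split(","))))
    return peers

def check_pins(peers: list, pins: dict) -> list:
    """pins maps an overlay address/CIDR to the only public key allowed to
    serve it. A changed endpoint is normal (roaming); a changed key is not."""
    key_for_ip = {ip: p.public_key for p in peers for ip in p.allowed_ips}
    problems = []
    for ip, expected in pins.items():
        actual = key_for_ip.get(ip)
        if actual is None:
            problems.append(f"{ip}: pinned peer missing")
        elif actual != expected:
            problems.append(f"{ip}: key changed {expected[:8]}... -> {actual[:8]}...")
    return problems

def check_live(iface: str, pins: dict) -> list:
    """Run from cron; a non-empty result means the pushed topology drifted."""
    out = subprocess.run(["wg", "show", iface, "dump"], capture_output=True,
                         text=True, check=True).stdout
    return check_pins(parse_wg_dump(out), pins)

# Constructed sample: the key strings are placeholders, not real WireGuard keys.
SERVER_KEY = "SERVER_PUBKEY_PLACEHOLDER_0000000000000000="
ROGUE_KEY = "COORDINATOR_PUBKEY_PLACEHOLDER_000000000000="
PINS = {"10.0.0.2/32": SERVER_KEY}
GOOD_DUMP = "IFACE_PRIVKEY\tIFACE_PUBKEY\t51820\toff\n" + \
    f"{SERVER_KEY}\t(none)\t203.0.113.10:51820\t10.0.0.2/32\t0\t0\t0\toff\n"
TAMPERED_DUMP = "IFACE_PRIVKEY\tIFACE_PUBKEY\t51820\toff\n" + \
    f"{ROGUE_KEY}\t(none)\t198.51.100.5:51820\t10.0.0.2/32\t0\t0\t0\toff\n"
```

Wire `check_live("wg0", PINS)` into a cron job and alert on any non-empty result; because the pins are keyed on the overlay address rather than the endpoint, a peer that merely roams to a new IP does not trip it.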
Ad-hoc networks don't seem particularly useful here. From their documentation:
> Keep in mind that these networks are public and anyone in the entire world can join them. Care must be taken to avoid exposing vulnerable services or sharing unwanted files or other resources.