[thespoonbends]

OP's solution sound good enough for their needs.

Solutions can always be improved, but it's not always worth doing that.

[iamd3vil]

OP has literally written in the gist about exploring a way to map entire port range and avoiding doing this, so the non hacky way of doing this is setting up something like a wireguard tunnel. That's the reason I suggested doing this instead of a tunnel which has other disadvantages like doing TCP on TCP.

[sneak]

SSH tunnels do not run TCP inside of them, just the bytes of the connection data itself.

The only TCP in use is the TCP connection of the SSH connection between hosts.

[iamd3vil]

Ohh TIL but my other point still stands.

[xorcist]

It used to be common (at least not unhead of) to run ppp over ssh, which has this problem.