Some quick notes to document this somewhat tedious process.
To broadcast my terminal to the world:
If necessary, generate a self-signed TLS cert for gotty.
openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout ~/.gotty.key -out ~/.gotty.crt
This was ripped straight from gotty's README.
Run gotty on localhost:8080, serving a shared <foo> session (or omit <foo> to just spawn a shell).
gotty --tls --port 8080 --credential username:password tmux new -A -s gotty-session <foo>
Optionally, pass --permit-write to allow clients to write to the session.
tmux is necessary here because gotty spawns a new process for each client. So the first client creates a tmux session, and every client after that attaches to it.
username/password are for HTTP basic auth.
SSH into a box on the public internet with port 443 open. Reverse-tunnel connections made to remote port 9001 on the remote's localhost interface (implicit below) to port 8080 on the local host (the gotty server), and forward connections on 443 to 9001:
ssh -t -R 9001:localhost:8080 my-box.com sudo socat tcp-listen:443,reuseaddr,fork tcp:localhost:9001
Optionally, add ,bind=<interface> to forward only connections to the specified interface.
Alternatively, skip the port forwarding and just connect to port 9001 manually.
Clients connect to the public IP address of the server you ssh'd into over HTTPS, using the basic auth credentials passed to gotty.
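The steps above as one launcher script, added here as an example and not taken from the original notes or from gotty's README: it replaces the literal username:password with a random basic-auth password, keeps the key file owner-only, and binds gotty to 127.0.0.1 so the ssh -R tunnel is the only way in. The function names, the viewer user name, the CN=gotty subject and the launcher.sh file name are assumptions.

```sh
#!/bin/sh
# Added example: launcher for the gotty steps above, with a random credential.
# Assumes gotty, tmux and openssl are on PATH; function names are illustrative.

CERT="${HOME}/.gotty.crt"   # same paths as the openssl command above
KEY="${HOME}/.gotty.key"
PORT=8080
SESSION=gotty-session

# Basic-auth credential with 24 random bytes (48 hex chars) as the password.
gen_credential() {
    pass=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'viewer:%s\n' "$pass"   # "viewer" is an assumed user name
}

# Create the self-signed cert only if missing; umask keeps the key owner-only.
ensure_cert() {
    [ -f "$CERT" ] && [ -f "$KEY" ] && return 0
    ( umask 077
      openssl req -x509 -nodes -days 9999 -newkey rsa:2048 \
          -subj "/CN=gotty" -keyout "$KEY" -out "$CERT" )
}

# SHA-256 fingerprint to hand to viewers out of band, so they can compare it
# with the certificate behind the browser's self-signed warning.
cert_fingerprint() {
    openssl x509 -in "$CERT" -noout -fingerprint -sha256
}

# gotty command line; --address 127.0.0.1 leaves the ssh -R tunnel as the
# only route to the listener.
gotty_cmd() {
    printf 'gotty --tls --address 127.0.0.1 --port %s --credential %s tmux new -A -s %s\n' \
        "$PORT" "$1" "$SESSION"
}

main() {
    ensure_cert || return 1
    cred=$(gen_credential)
    echo "credential: $cred" >&2
    cert_fingerprint >&2
    # Word splitting is intended: every field is a fixed word or hex.
    set -- $(gotty_cmd "$cred")
    exec "$@"
}

# Runs only when invoked as: sh launcher.sh run
if [ "${1:-}" = run ]; then main; fi
```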