Something that looks similar to mosh being UDP and encrypted but that allows proxied traffic would be Tinc Open Source VPN [1] The nicest thing about Tinc is that it does user-space dynamic mesh routing without requiring packet forwarding being enabled. I would call it a middle ground to onion routing if set up right. It has configurable compression. The reason I did not suggest this is that it is not simple to set up and get OpSec right the first time out of the gate unless the people involved are already very experienced with it. That's why I suggested SSH. SSH is relatively simple, well known and will blend in with all the legit SSH traffic and more people have experience with SSH. SSH egress from a datacenter is normal, expected and likely already permitted to AWS without making logged firewall changes.
Agreed on the utility of SSH. I work on a product that offers SSH certificate authorities as a service, among other things, and have read some of the RFCs.
I mainly mentioned the web forward proxy as a response to the "SSH traffic to Iranian datacenters from residential connections is suspicious," comment, but SSH is a great basis to build on. I doubt the SSH egress from the datacenters would draw much attention, but again, I wouldn't use my advice in a life-threatening situation, especially as I have never seen these type of monitoring systems in action.
Something that looks similar to mosh being UDP and encrypted but that allows proxied traffic would be Tinc Open Source VPN [1] The nicest thing about Tinc is that it does user-space dynamic mesh routing without requiring packet forwarding being enabled. I would call it a middle ground to onion routing if set up right. It has configurable compression. The reason I did not suggest this is that it is not simple to set up and get OpSec right the first time out of the gate unless the people involved are already very experienced with it. That's why I suggested SSH. SSH is relatively simple, well known and will blend in with all the legit SSH traffic and more people have experience with SSH. SSH egress from a datacenter is normal, expected and likely already permitted to AWS without making logged firewall changes.
[1] - https://www.tinc-vpn.org/