You need to connect to a VM behind NAT? Than use a Tunnel! But wait!? What if your friends needs also access? Create a User for only Tunnel!
adduser <username>
and after that, make sure he cant use the shell
usermod -s /bin/true <username>
and done!
bye 🙂