A good strategy for having a publicly accessible server that is still 'private' is to forward a port to the internet from the machine that runs SuperTux server on your firewall/router combo, BUT put it through whitelist based access control (ACL), then whenever your friends want to play they just give you there latest IP address (ifconfig.me) and you update the firewall to allow them. Usually this presents to any remote host as a closed/filtered port that the firewall just drops packets for unless the IP matches.
Although I don't recommend security through obscurity by itself, it would be terrifyingly impressive for an attacker to somehow know the specific whitelisted IP addresses and forge them to even get a return packet. I do the same thing with a bedrock server for switches and other less-then-configurable by network devices and it works very well.
What router/firewall combo do you use, any custom firmware? The only way this could not work is if the router does not support it, if it dosen't you should get a new router regardless, all in ones default software is usually buggy and exploitable as hell.