and I'm trying to do a somewhat censor-proof tunnel, but it must not use ports 443 or 80 because (reasons)
Why do people still use MD5?
For checking integrity against random bitrot, sure. For verifying whether the package has been tampered with in transit, not so much.
Oh, what you want is to have a rendezvous outside of the network. Like a STUN server or whatnot - you can reuse whatever anti-NAT tech you prefer. Then establish the connection out and listen on the remote for connections so you don't have to deal with firewalls/IDS blocking incoming.
The VPN service I built for my company uses EC2 boxes for this (I have them connect their branch offices via cellular which are a shitshow for incoming), but be aware that IPs on cloud services are heavily abused and you'll have to deal with being blocked by many websites.