Yes, that's right. I think the best way to draw it is:
Code:
(Work PC)===>{Internet}===>(Home Linux)--->(Home Windows)
= is an encrypted connection
- is not an encrypted connection
So, from the Work PC you create a secure tunnel to your Home Linux box. From there the Home Linux box connects to the Home Windows machine.
In the example of running this at work:
ssh -L 5900:192.168.0.50:5900 -l root -N public.ip.of.linux
-L 5900 Open a port (5900) on the local machine (the Work PC is local as it is initiating the connection)
192.168.0.50:5900 The host and port on the other side of the tunnel (the other side must be remote in this case since the created port is local)
-l root The username is root
-N Don't run a command when you log in (good if you are leaving the connected machine unattended as you don't leave a shell open)
public.ip.of.linux The remote machine to connect to (in this case Home Linux)
The above would let you access the VNC server of the machine "192.168.0.50" in your home LAN from the Work PC by getting the VNC client on the Work PC to connect to the Work PC itself.
In the example of running this at work:
ssh -R 5900:127.0.0.1:5900 -l root -N public.ip.of.linux
-R 5900 Open a port (5900) on the remote machine (the Home Linux box is remote as the Work PC is initiating the connection)
127.0.0.1:5900 The host and port on the other side of the tunnel (the other side must be local in this case since the created port is remote)
-l root The username is root
-N Don't run a command when you log in (good if you are leaving the connected machine unattended as you don't leave a shell open)
public.ip.of.linux The remote machine to connect to (in this case Home Linux)
The above in this case would let you access the VNC server of the Work PC "127.0.0.1" (this could be any IP on your work network - I just wanted to show that it could be done with a loopback address) by VNCing to the Home Linux box.
When mapping remote ports you may only be able to VNC from Home Linux to Home Linux. This is because the sshd server only lets you bind ports to the loopback address by default. You can change this behaviour by adding "GatewayPorts YES" in sshd_config and restarting sshd (firewalls may also be an issue in this instance).
If there is anything that I haven't made clear then let me know and I'll see if I can reword it a bit more.
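An added example, not part of the original post: a small shell check that reads sshd_config text and reports where the listener for a given -R spec would be bound, which is the exposure the GatewayPorts setting controls. The function names are made up for this example, and it assumes a default client configuration, IPv4 or hostname bind addresses, and only the global section of the file (it stops at the first Match block).

```shell
#!/bin/sh
# Added example: where does sshd bind the listener requested by "ssh -R"?
# Helper names are constructed; sshd_config text is read on stdin.

# Effective global GatewayPorts value. sshd uses the first occurrence of a
# keyword and defaults to "no". The value is lowercased so the post's "YES"
# spelling matches. Simplification: stop at the first Match block.
gateway_ports() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        tolower($1) == "match" { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Usage: remote_forward_exposure SPEC < sshd_config
# SPEC is the argument to -R: port:host:hostport or bind:port:host:hostport.
remote_forward_exposure() {
    spec=$1
    case $spec in
        *:*:*:*) bind=${spec%%:*}                   # explicit bind address
                 if [ -z "$bind" ]; then bind='*'; fi ;;  # empty = all interfaces
        *)       bind=localhost ;;                  # what the client asks for by default
    esac
    case $(gateway_ports) in
        yes) echo all-interfaces ;;                 # server forces a wildcard bind
        clientspecified)                            # server honours the client's choice
            case $bind in
                localhost|127.0.0.1) echo loopback ;;
                '*'|0.0.0.0)         echo all-interfaces ;;
                *)                   echo "$bind" ;;
            esac ;;
        *) echo loopback ;;                         # "no": loopback only
    esac
}

# Constructed sample configs, checked against the -R spec from the post.
check() { printf '%s\n' "$2" | remote_forward_exposure "$1"; }
check 5900:127.0.0.1:5900 '#GatewayPorts no'                           # loopback
check 5900:127.0.0.1:5900 'GatewayPorts YES'                           # all-interfaces
check 192.168.0.10:5900:127.0.0.1:5900 'GatewayPorts clientspecified'  # 192.168.0.10
```

An "all-interfaces" result means the forwarded VNC port is reachable from anything that can route to the Home Linux box, so the firewall is then the only thing limiting who can connect to it.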