Setting up a VPN would also be more trouble than this is worth. I did do this with normal VNC through an SSH tunnel as you described, but found it was more of a pain than it was worth and switched to TeamViewer. Personally I feel that two layers of encryption is better than one, and an SSH tunnel removes requirements for port forwarding so increases security there too. (Tip: if doing this, limit your VNC server application to only accept connections from localhost, or at least disable port forwarding for port 5900 on your router.)
Once the SSH connection is established you then connect your viewer to localhost; presto, an SSH tunnel encrypted connection. If encryption is an issue then you can always add an extra layer by enabling SSH on your machine, port forwarding it, and then connecting in with the extra parameter '-L 5900:localhost:5900'. If you have SSH to the Mac enabled then some versions will support encryption by transparently creating an SSH tunnel for some of the traffic. ARD uses the same technology as VNC for the heavy lifting.
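The tip above about restricting the VNC server to localhost can be checked rather than assumed. The following is an added example, not part of the original posts: it reads `lsof -nP -iTCP:5900 -sTCP:LISTEN` output and reports whether port 5900 is bound only to loopback. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a VNC server only listens on loopback, so the only
# way in is the SSH tunnel (-L 5900:localhost:5900).
VNC_PORT=5900

# Constructed samples in the format of: lsof -nP -iTCP:5900 -sTCP:LISTEN
SAMPLE_LOOPBACK='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc 4121 alice 7u IPv4 0x1a 0t0 TCP 127.0.0.1:5900 (LISTEN)
Xvnc 4121 alice 8u IPv6 0x1b 0t0 TCP [::1]:5900 (LISTEN)'
SAMPLE_EXPOSED='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc 4121 alice 7u IPv4 0x1a 0t0 TCP *:5900 (LISTEN)
Xvnc 4121 alice 8u IPv6 0x1b 0t0 TCP [::1]:5900 (LISTEN)'

# Print every non-loopback local address listening on the VNC port.
exposed_vnc_listeners() {
    awk -v port="$VNC_PORT" '
        $NF == "(LISTEN)" {
            name = $(NF - 1)          # 127.0.0.1:5900, [::1]:5900, *:5900
            n = split(name, parts, ":")
            if (parts[n] != port) next
            addr = substr(name, 1, length(name) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Exit status: 0 loopback only, 1 reachable from other hosts, 2 no listener.
check_vnc_binding() {
    input=$(cat)
    if ! printf '%s\n' "$input" | grep -q ":$VNC_PORT (LISTEN)"; then
        return 2
    fi
    exposed=$(printf '%s\n' "$input" | exposed_vnc_listeners)
    [ -z "$exposed" ]
}

report() {
    if printf '%s\n' "$2" | check_vnc_binding; then
        echo "$1: port $VNC_PORT is loopback only"
    else
        echo "$1: port $VNC_PORT is exposed or not listening"
    fi
}
report "sample-loopback" "$SAMPLE_LOOPBACK"
report "sample-exposed" "$SAMPLE_EXPOSED"
# Live use: lsof -nP -iTCP:5900 -sTCP:LISTEN | check_vnc_binding
```

A listener on `*` or a LAN address means the server still accepts direct connections that bypass the tunnel, even if the router does not forward port 5900.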