Sigh. I used angle brackets. Command is:

ssh -D 9999 username@server

You can change that 9999 to whatever you like, it's the port number of your local proxy.

Further, if you throw in a "-N", making it ssh -ND 9999 username@server, you can obviate the need to actually open a terminal session on the remote server. This is useful if you're going to be rolling up some scripts or whatever and you don't want hanging term sessions.

Great tips guys. I *finally* got around to doing this. Details and screenshots of browser settings here:
http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php

You want the -L command:

ssh -L (port-on-client):host:(remoteport) example.org

or in the case of VNC running on example.org port 5900

ssh -L 5900:localhost:5900 example.org

What that says is "connect to example.org and redirect port 5900 on localhost(example.org) to the ssh client's localhost on port 5900".

Then on the client machine just VNC to localhost and everything will magically flow across the ssh tunnel.

Don't forget to close port 5900 from the outside once you have done that - because you'll be tunneling directly in you won't need that port open.

For further security you can change the default listening port of ssh to something not obvious to attackers. The default port is 22, so you could use 2222 and when someone tries to ssh to your server on the default port they'll just hit a wall.

To do that edit your ssh_config file using your Terminal:
1) sudo vi /etc/sshd_config
1a) To enter insert mode press "i"
2) Look for this line: "#Port 22"
3) Change it to be like this "Port 2222"
4) Save your changes and close vi.
4a) To exit insert mode press ESC
4b) To save type "!wq" and hit ENTER
5) Restart sshd using preferences and BLAM!

For future connections you'll have to add "-p 2222" to tell your ssh client to connect using port 2222.

Ps, I accept no responsibility if you screw something up. But if you have questions post them here, I or someone else will answer them.

To address what Aron said above, you won't have to firewall local port 5900 unless you use the -g flag to ssh. This flag allows hosts other than your own to connect to your port. So your tunnels are inherently safe from other machines if you don't use this flag.

When I tried this I ran into some issues, but figured out the solutions. (I had a vnc server running on the client box too, so it was saying "bind: Address already in use" which i fixed by just turning off vnc on the client, but I know i could've changed the client port to something else and just connected vnc to localhost:5909 or whatever i chose.)
Thanks for the directions, I'm gonna make this into a script so I can do this fast.
And Aron, Thanks for the instructions on how to change my ssh port, I'm gonna have to do that too, partly for this but also because I have a internet facing IP and I always get a lot of failed attempts to log in to root on my machine.
Thanks for all the help!

Justin, I think that he meant firewalling off 5900 on the server side. Along with switching the port for ssh, which should help with the sshd hang that i've been experiencing.

Interarchy is another excellent GUI SSH client for OSX:

http://nolobe.com/interarchy/

Your app looks really solid form the posts I read. I'd love to be added to the beta group. The application triggers are most intriguing.

Your app looks really solid form the posts I read. I'd love to be added to the beta group. The application triggers are most intriguing.

I would really be interested in trying this application out. It looks like crazy fun! (In fact one of your use case posts is exactly something that I've wanted to do but hadn't figured out how!)
I can't wait till you release it! It sounds like it's perfect for my uses!