Wednesday, April 11, 2007

Reverse tunnelling using SSH under Windows

I needed to create a secure tunnel to remotely administer a system located behind a firewall. The simplest solution I found was to use the Bitvise Tunnelier S2C (server-to-client) mapping feature, which works nicely together with the Bitvise Winsshd server.

The idea is for the remote machine to open a tunnel to the server. Depending on the context, this can be done manually by a person with access to the machine, or Tunnelier can be configured to run as a service, using Microsoft's srvany so that things fire up at boot time.

By mapping port 3389 (remote desktop) to a port on the server (say 5555) using the S2C mapping, remote administration becomes easy. As soon as the client connects, the server opens port 5555. Using remote desktop to connect to 5555 (by giving localhost:5555 as the address on the server) opens a connection to the remote desktop at the other end of the tunnel.
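Since the connection above is made through localhost:5555 on the server, the forwarded port only needs to be reachable on loopback. The following is an added example, not part of the original post or of any Bitvise tooling: it parses `netstat -ano -p tcp` output taken on the server and reports whether port 5555 is listening on loopback only. The function names and the sample output are constructed for illustration, and English-locale netstat output is assumed.

```python
import ipaddress
import re

TUNNEL_PORT = 5555  # server-side S2C port used in the post

# Constructed sample of `netstat -ano -p tcp` output on the SSH server (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    127.0.0.1:5555         127.0.0.1:49812        ESTABLISHED     1480
"""

# Matches listening TCP rows; IPv6 local addresses appear as [::]:port.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners(netstat_text, port):
    """Return [(local_address, pid)] for TCP sockets listening on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m and int(m.group(2)) == port:
            found.append((m.group(1).strip("[]"), int(m.group(3))))
    return found


def audit_tunnel_port(netstat_text, port=TUNNEL_PORT):
    """Return (status, exposed) where status is 'absent', 'loopback-only' or 'exposed'."""
    socks = listeners(netstat_text, port)
    if not socks:
        return "absent", []  # tunnel client is not connected
    exposed = [
        (addr, pid) for addr, pid in socks
        # drop any IPv6 scope id (%N) before parsing the address
        if not ipaddress.ip_address(addr.split("%")[0]).is_loopback
    ]
    return ("exposed" if exposed else "loopback-only"), exposed


if __name__ == "__main__":
    status, exposed = audit_tunnel_port(SAMPLE_NETSTAT)
    print(f"port {TUNNEL_PORT}: {status}")
    for addr, pid in exposed:
        print(f"  reachable beyond loopback via {addr} (PID {pid})")
```

An "exposed" result means the remote desktop at the far end of the tunnel is reachable by anything that can connect to that port on the server, not just by sessions on the server itself.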

Bitvise Winsshd is hard to beat for the price, and much, much simpler to administer than the Cygwin versions. For home use, freesshd is OK, but lacks features like automatic S2C that make Winsshd stand out.
