In words of one Syllable and written for an idiot, can someone tell me how you get VNC working through SSH? What SSH is best (easiest to use)?

For a Windows SSH client, I'd use PuTTY. I've yet to find anything better.

As for VNC, that's called 'tunnelling'. You configure your SSH client to accept connections to local ports and forward that data to a machine (doesn't have to be the one you make an SSH connection to) on the remote network.

For example, you can configure your SSH client to accept connections to port 5900 (the default for VNC) on your local system, and forward all data to port 5900 on whichever machine you want on the remote network. Once you've done this, you then tell VNC to connect to port 5900 on the local machine (i.e. 'localhost').

In PuTTY, the options are in Connection > SSH > Tunnels.

basically, what im attempting is to be able to connect to machines on my network without the insecurities of VNC ie just open ports 5800 and 5900 on my firewall and hope for the best. (I did this and my webserver got pwnd)

Or am I better off going for a software vpn?

I have SSH ports open to the world (outgoing VPN is blocked from work, but SSH isn't), and I've never been 'pwnd' in three years. I do run a pretty tight config though (try and login to my home server without the right keys and you'll get shown the door without even getting near a password).

Opening unsecured VPN certainly carries a risk of a broken server though, as you found out.