Hi, I am having a server in a corporate data centre who's sys admin is me. There are some virtual machines running on it.The main server is accessible from internet via SSH. There are some people who within the lan access the virtual machines whose IPs on LAN are

192.168.1.1  
192.168.1.2  
192.168.1.3
192.168.1.4

the main machine which is a bastion host for internet has IP 192.168.1.50 and only I have access to it. I have to give people on internet the access to the internal machines whose IP I mentioned above.I know tunnel is a good way but the people are fairly non technical and do not want to get into a tunnel etc jargons.So I came across a solution as explained on this link On the gateway machine which is 192.168.1.50 in the .ssh/config file I add following

Host securehost.example.com     
ProxyCommand ssh [email protected] nc %h %p

Now my question is do I need to create separate accounts on the bastion host (gateway) to those users who can SSH to the inside machines and in each of the users .ssh/config I need to make the above entry or where exactly I put the .ssh/config on the gateway.

Also ssh [email protected]

where user1 exists only on inside machine 192.168.1.1 and not on the gateway is that right syntax? Because the internal machines are accessilbe to outside world as

site1.example.com
site2.example.com
site3.example.com
site4.example.com

But SSH is only for example.com and only one user.So How should I go for .ssh/config
1) What is the correct syntax for ProxyCommand on gateway's .ssh/config should I use
ProxyCommand ssh [email protected] nc %h %p or I should use

ProxyCommand    ssh [email protected] in nc %h %p

2) Should I create new user accounts on gateway or adding them in AllowedUsers on ssh_config is sufficient?