[rdo-list] tunneling to Horizon

I have experimented with various configurations, and I have yet to find
a combination that works.

I have a TripleO quickstart install (basic setup) and am trying to
connect to the Horizon dashboard.  My scenario us like this:

Laptop at home connects to HWhost in server lab (can ssh directly
through a VPN to the HWHost, can ping)

Undercloud can be seen from HWhost, not from Laptop (have to ssh to
undercloud from HWHost, after having SSHed to HWHost from Laptop.  Can
ping from HWhost, not from Laptop)

Controller and Compute can ping from undercloud, can ssh from undercloud
directly, can ssh from HWhost by redirecting through undercloud (?)

So with all this, how does one use a web browser to connect to Horizon? 
Does the browser have to be running on HWHost or Undercloud, or can it
be tunnelled for the Laptop?  It would seem I'd have to do multiple
tunnels (if that's even allowed).

