linux
elisey474, 2016-09-07 23:07:17

How to forward a port through an ssh tunnel so that the server can't connect to the client's shell?

There is a VPS with an external ip ($EXT_VPS_IP) and my home server without an external ip.
Both servers have openssh server and client.
I want to connect from the Internet to both servers via ssh:
$EXT_VPS_IP:22 - vps ssh server, $EXT_VPS_IP:2222 - home server ssh server.
I execute on the home server ssh -f -N -R 2222:localhost:22 [email protected]$EXT_VPS_IP
Now the tunnel has been created and everything works for me. But the question is whether an attacker (if the VPS is hacked) can somehow use this tunnel and connect to the shell of my home server (or in some other way), provided that the VPS does not store login data for the home server, keys, etc., and the attacker does not use brute force, MITM (however, MITM is not terrible for ssh), etc. I.e., does the -N switch protect me?


1 answer(s)
xmoonlight, 2016-09-07
@xmoonlight

"can an attacker..." - no.
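
With `-R 2222:localhost:22`, whoever can reach port 2222 on the VPS gets the home server's ordinary SSH login, so the home sshd's authentication settings are what stand between that port and a shell. The script below is an added example, not part of the original thread: it audits text in the format printed by OpenSSH's `sshd -T`; the function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings of the home server, whose
# port 22 becomes reachable from the VPS through `-R 2222:localhost:22`.
# Input: text in the format printed by `sshd -T` (lowercase "keyword value").

audit_sshd() {
    # Reads `sshd -T` style text on stdin, prints one "WEAK: ..." line per
    # finding, and returns 0 when nothing was flagged, 1 otherwise.
    awk '
        BEGIN { bad = 0 }
        $1 == "passwordauthentication" && $2 == "yes" {
            print "WEAK: passwordauthentication yes (passwords can be guessed through the tunnel)"
            bad = 1 }
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && $2 == "yes" {
            print "WEAK: " $1 " yes (interactive password prompts allowed)"
            bad = 1 }
        $1 == "permitemptypasswords" && $2 == "yes" {
            print "WEAK: permitemptypasswords yes"
            bad = 1 }
        $1 == "permitrootlogin" && $2 == "yes" {
            print "WEAK: permitrootlogin yes (root may log in with a password)"
            bad = 1 }
        END { exit bad }
    '
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_DEFAULTS='port 22
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no'

SAMPLE_KEYS_ONLY='port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

# On the home server itself (needs root): sshd -T | audit_sshd
```
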
