In essence CMK can monitor any host as long as you allow the way in which you want to monitor it available ( like in port etc.)
CMK can (besides the usage of port 6556/xinetd) be made to do the same over SSH/key-authentication.
As long as you set up the key-trust, and limit the usage of the user logging in via this method (on Linux systems) with a customised entry in authorized_keys to only allow the check-command you should be safe (vpn or not).
In this way the SSH’ing of the monitoring host will not be able to execute more then just this one command :
#check_mk
command="/usr/bin/check_mk_agent" ssh-ed25519 <your trusted key here>
- glowsome