Distributed monitoring network setup

We are an MSP and utilizing the MSP version of CheckMK for distributed monitoring of our customer sites, and using the virtual appliance (virt1) for both the main site and customer sites.

However we are not exactly fond of our current solution, which is IPsec Site2Site connections between our primary monitoring site and customer sites (which have their own local CheckMK appliance/site).

Is there any possibility of using other solutions like Wireguard, Tailscale etc. in order to provide a secure tunnel between our site and the customer sites, and if so, does anyone have any experience with that kinda setup?

I would expect any VPN (in the traditional sense) would work. There’s only a single port, so you could use SSL (e.g. stunnel) or ssh.

Since Check_mk 1.6 you can choose a TLS encrypted connection via the web interface. In this scenario Check_MK generates its own certificates, which are treated in a similar manner to ssh keys.

Note that I believe this is the same mechanism as used for encrypted connections from a Check_MK host to a target. I had issues there after changing the “monitored by” attribute of a host when it didn’t know the certificate for the new monitoring host.

If you aim to preserve the site-to-site approach and just want to change the VPN product, I believe any will do. You just have to take care of the MTU setting. Every VPN solution decreases the usable MTU, but the concrete amount differs.

But you mentioned Tailscale, and Tailscale is a host-to-host VPN solution. You need to install the Tailscale agent on every Checkmk server. Although I consider it possible to run the Tailscale DEB package on the Checkmk appliance (which is Debian Linux under the hood), it will most probably void the support by tribe29.

Moreover, Tailscale is a managed VPN solution. Although I consider its protocol secure and the company trustworthy today, solutions like Tailscale can always be subject to changes, takeover by other companies, or infiltration by, say, other interest groups.

Wireguard can also be run in host-to-site or host-to-host configurations. On the Checkmk appliance (1.6 and older), the kernel is too old for in-kernel Wireguard. The user space implementation wireguard-go will most probably run, but could also void the support. So, both for Tailscale and Wireguard host-to-host, I recommend switching from the appliance to a supported “real” Linux distribution like Debian or Ubuntu Linux.

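On the MTU point raised in the reply above: the following is an added worked example (not code from the forum thread, from Checkmk, or from the WireGuard project) that derives the usable inner MTU and the TCP MSS to clamp to once a tunnel is in the path. The WireGuard overhead constants are WireGuard’s well-known fixed per-packet costs (outer IP + UDP + 32-byte data message header); IPsec/ESP overhead depends on cipher and mode, so it is passed in by the caller rather than hard-coded. Function names and the nested-tunnel helper are my own.

```python
"""Usable-MTU calculator for VPN tunnels (added example, not from the thread).

Every tunnel subtracts its encapsulation overhead from the path MTU. Setting
the tunnel interface MTU (and clamping TCP MSS) to the derived values avoids
fragmentation and the "works for ping, hangs for livestatus" symptom that
oversized packets through a site-to-site VPN tend to produce.
"""

from dataclasses import dataclass

# WireGuard per-packet overhead on the wire:
#   outer IP header      20 bytes (IPv4) or 40 bytes (IPv6)
# + UDP header            8 bytes
# + WireGuard data msg   32 bytes (type/reserved 4 + receiver index 4
#                                  + counter 8 + Poly1305 tag 16)
WIREGUARD_OVERHEAD = {"ipv4": 20 + 8 + 32, "ipv6": 40 + 8 + 32}  # 60 / 80

# Minimal inner-packet headers used when deriving a TCP MSS to clamp to.
_TCP_HEADERS = {"ipv4": 20 + 20, "ipv6": 40 + 20}

ETHERNET_MTU = 1500


@dataclass(frozen=True)
class TunnelMtu:
    """Result of subtracting tunnel overhead from an outer path MTU."""

    outer_mtu: int
    overhead: int

    @property
    def inner_mtu(self) -> int:
        """Largest packet that fits inside the tunnel without fragmentation."""
        return self.outer_mtu - self.overhead

    def tcp_mss(self, inner_family: str = "ipv4") -> int:
        """TCP MSS to clamp to for traffic carried inside the tunnel."""
        return self.inner_mtu - _TCP_HEADERS[inner_family]


def wireguard_mtu(outer_mtu: int = ETHERNET_MTU, outer_family: str = "ipv6") -> TunnelMtu:
    """Inner MTU for a WireGuard tunnel whose outer packets use outer_family.

    The default (1500, IPv6) yields 1420, which is also the MTU wg-quick
    assigns when none is configured.
    """
    return TunnelMtu(outer_mtu, WIREGUARD_OVERHEAD[outer_family])


def generic_mtu(outer_mtu: int, overhead: int) -> TunnelMtu:
    """Inner MTU for any tunnel with a caller-supplied overhead (e.g. IPsec)."""
    if overhead < 0 or overhead >= outer_mtu:
        raise ValueError("overhead must be between 0 and the outer MTU")
    return TunnelMtu(outer_mtu, overhead)


def nested_mtu(outer_mtu: int, overheads: list[int]) -> TunnelMtu:
    """Inner MTU when tunnels are stacked (e.g. WireGuard carried over IPsec).

    Overheads simply add up, which is why a tunnel-in-tunnel setup often needs
    a noticeably smaller interface MTU than either tunnel alone.
    """
    return TunnelMtu(outer_mtu, sum(overheads))


def mtu_is_safe(configured_mtu: int, tunnel: TunnelMtu) -> bool:
    """True if an interface MTU set by hand will not exceed the tunnel budget."""
    return 0 < configured_mtu <= tunnel.inner_mtu


if __name__ == "__main__":
    wg = wireguard_mtu()
    print(f"WireGuard over IPv6: inner MTU {wg.inner_mtu}, clamp IPv4 MSS to {wg.tcp_mss('ipv4')}")
    stacked = nested_mtu(ETHERNET_MTU, [WIREGUARD_OVERHEAD["ipv4"], 73])  # 73: constructed IPsec figure
    print(f"WireGuard inside IPsec (constructed overhead): inner MTU {stacked.inner_mtu}")
    print("MTU 1420 safe on IPv4-transported WireGuard?", mtu_is_safe(1420, wireguard_mtu(outer_family="ipv4")))
```

The `overhead` argument to `generic_mtu` is where the “concrete amount differs” part lives: measure it for the IPsec profile actually in use (or read it off a capture) rather than guessing, then set the tunnel interface MTU and MSS clamp from the returned values.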

Yes we are really looking for a supported configuration that would solve this issue, and we prefer to use the appliance as that is one less thing to manage.

I'm curious how other companies are dealing with this “issue” as it seems to have no obvious solution, at least from my PoV.