Using proxmox special agent without having access to port 8006

Hi all

I’ve got a proxmox machine which I’d like to monitor with a checkmk installation which is outside of this network. Checkmk uses ssh to access the proxmox machine. The proxmox web interface over port 8006 is not accessible from outside. But as it seems the proxmox special agent would need access to it? Is there any posibility to use the proxmox special agent without providing access to 8006 to the outside world? Somehow over ssh tunnels? Something else?

Would be cool if somebody could help me there…

Yes, or OpenVPN or Wireguard.

Can I teach check-mk to open a tunnel when doing the normal agent check, and to use the tunnel with the special agent, or will the ssh connection for the normal agent already be closed by then? Or would I need a static ssh-tunnel (or openVpn/Wireguard connection)?
If i assume the proxmox server is a.example.com then, as far as I understood, the special agent would try to connect to a.example.com. How can I convince it to connect to localhost to use the ssh-tunnel?

You would need a static tunnel. The ssh connection when querying the normal agent will be closed after a few seconds.

I was afraid that would be the answer ;-).
As far as I understand it, I can’t let the normal agent connect to a.example.com and the proxmox agent to localhost. Both use the same domain name, right?
So I would need two static tunnels and both connecting at localhost, so it would be something like:
localhost:2222 => a.example.com:22 (ssh) (normal agent)
localhost:8006 => a-example-com:8006 (proxmox agent)
I’ve only got one Proxmox Server standing around, so I can handle that. But that seems overly complicated for companies which monitor a lot.

Usually the monitoring server can access the Proxmox systems directly. In your case I would establish a VPN and be able to speak to the Proxmox IP.

Thanks a lot for your help.
I’ll try out to establish a wireguard VPN. I Wanted to try it out since a long time anyway :-).