If you run CheckMK, you probably also run the regular CheckMK agent on Linux, Windows or other hosts. Recent CheckMK versions ship an onboarding (registration) process that uses TLS via OpenSSL to authenticate and encrypt the communication between the CheckMK server and its agents. For ARM-based hosts, however, there is currently no practical way to use it, because the binary for the initial onboarding is only shipped as a precompiled x86 build.
On ARM-based hosts the "old" systemd socket setup still works just fine, but by default it is neither encrypted nor authenticated: anyone who can reach the agent port (TCP 6556 by default) can pull the complete agent output. A practical solution is therefore to run the agent traffic over a VPN of your choice and to make sure the agent only answers on the VPN interface.
In my case I wanted to use WireGuard. Initially everything worked fine: I bound check-mk-agent.socket to the "wg0" interface by running
systemctl edit check-mk-agent.socket
and added
[Socket]
BindToDevice=wg0
This works, but only until the next reboot. At boot the socket unit tries to start before the wg0 interface exists, binding to a non-existent device fails, and the socket unit ends up in a failed state. Since systemd does not retry failed socket units, the CheckMK agent stays unreachable until someone starts the socket by hand.
My better solution was to add this:
[Unit]
After=wg-quick@wg0.service
Requires=wg-quick@wg0.service
[Socket]
BindToDevice=wg0
This makes wg-quick@wg0.service a hard requirement of check-mk-agent.socket and orders the socket after it, so at boot the socket is only bound once wg0 is up. A side effect worth knowing: because of Requires=, a restart of wg-quick@wg0.service also restarts the socket. That is what you want, since wg-quick tears down and recreates the interface and the socket must bind to the new one.
It does require that you bring up the WireGuard connection with wg-quick, which is easily enabled with
systemctl enable wg-quick@wg0.service
where "wg0" refers to /etc/wireguard/wg0.conf; change the name to match your actual config file. To verify the result, check that both dependencies were picked up with "systemctl show -p After -p Requires check-mk-agent.socket", and check with "ss -ltn" that the agent listener is pinned to the device: the local address of the port 6556 socket then carries a "%wg0" suffix.
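To tie the steps above together, here is a small POSIX shell script that generates the drop-in, installs it, enables wg-quick and verifies the result. It is an added example, not a script from the original post or from CheckMK; the drop-in path /etc/systemd/system/check-mk-agent.socket.d/wireguard.conf and the expectation that it runs as root are my assumptions. It goes slightly beyond the text by validating the interface name with the same pattern wg-quick applies to its config file names, so a typo fails early instead of producing a socket that never binds.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install the
# systemd drop-in that ties check-mk-agent.socket to a wg-quick interface.
# Assumptions not stated on the page: the drop-in is written to
# /etc/systemd/system/check-mk-agent.socket.d/wireguard.conf and the
# installer runs as root on a host where /etc/wireguard/<iface>.conf exists.

# wg-quick derives the interface name from the .conf file name and only
# accepts names matching ^[a-zA-Z0-9_=+.-]{1,15}$ (15 is the kernel limit).
valid_wg_name() {
    printf '%s' "$1" | grep -Eq '^[a-zA-Z0-9_=+.-]{1,15}$'
}

# Print the drop-in text for interface $1: the socket must start after the
# wg-quick service, require it, and bind only to that device.
render_dropin() {
    iface=$1
    printf '[Unit]\nAfter=wg-quick@%s.service\nRequires=wg-quick@%s.service\n\n[Socket]\nBindToDevice=%s\n' \
        "$iface" "$iface" "$iface"
}

# Write the drop-in, enable the tunnel and restart the socket.
# Returns non-zero on any failure so a caller can stop early.
install_dropin() {
    iface=$1
    valid_wg_name "$iface" || { echo "invalid interface name: $iface" >&2; return 1; }
    [ -f "/etc/wireguard/$iface.conf" ] || { echo "missing /etc/wireguard/$iface.conf" >&2; return 1; }
    dir=/etc/systemd/system/check-mk-agent.socket.d
    mkdir -p "$dir"
    render_dropin "$iface" > "$dir/wireguard.conf"
    systemctl daemon-reload
    systemctl enable --now "wg-quick@$iface.service"
    systemctl restart check-mk-agent.socket
}

# Check that systemd picked up both dependencies and that the listener is
# really pinned to the device (ss appends "%<iface>" to the bound address).
verify() {
    iface=$1
    deps=$(systemctl show -p After -p Requires check-mk-agent.socket)
    printf '%s\n' "$deps" | grep -q "wg-quick@$iface.service" || return 1
    ss -ltn | grep -q "%$iface:" || return 1
}

# Run only when an interface name is supplied via the environment,
# e.g.: WG_IFACE=wg0 sh ./cmk-wg-socket.sh
if [ -n "${WG_IFACE:-}" ]; then
    install_dropin "$WG_IFACE" && verify "$WG_IFACE"
fi
```

The generated drop-in is byte-for-byte the one shown above, just parameterised on the interface name; the verification step is the same "systemctl show" and "ss -ltn" check described in the text, wrapped so it can be used from a deployment script.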