Any way to securely monitor remotely?
-
@nguser6947 VPN
-
@jarhead yeah but I don't want to administer it remotely. Plus my phone is always on a commercial VPN and I don't want to disconnect and then connect to my home VPN for this purpose.
-
@nguser6947 What I do...
Spin up a cloud instance of Ubuntu in Linode or whatever. Install Zabbix. Have a WireGuard tunnel back to my pfSense.
Install the Zabbix agent on pfSense [it's in the package manager]. Monitoring successful.
Or... if you have an unused PC at home, then install Zabbix there.
-
@michmoor Thanks! I am not familiar with Zabbix but will check it out!
-
@michmoor What does the WireGuard tunnel entail? Different from a VPN and can I run it and a VPN on my phone concurrently?
Monitoring from my phone is the main use case.
-
@nguser6947 WireGuard is another cryptographic protocol used to provide remote connectivity. In other words, it's a VPN.
Much like OpenVPN, it can be installed on a mobile device or server.
It comes with pfSense so you can't go wrong.
There are other options that can be used on pfSense and vary in degree of difficulty to set up, but ultimately you will need to find one you are most comfortable with. I prefer WireGuard for my workflow but others really enjoy Tailscale.
-
@michmoor Can it coexist on my phone while my commercial VPN is active? Do I use a Zabbix Android app to view the data, or a browser?
I realize I'm probably way off base with these questions since this is a new topic for me.
-
@nguser6947 said in Any way to securely monitor remotely?:
Monitoring from my phone is the main use case.
So for mobile alerts I do have email set up in conjunction with my monitoring system.
You will need to do some things on your side to set this up, namely getting a domain name. From there, signing up with an email service like Zoho, for example. Setting up Zabbix [or monitoring solution of your choice] to send email alerts for you to your inbox. If you have never done any of this before, there's quite a bit of research you can find online or YouTube forums.
-
@nguser6947 The Zabbix Server has a web interface you connect to for visuals. You can also have Zabbix send you emails on various alerts.
I too have a Zabbix server monitoring my pfSenses at various locations. My server runs off a Raspberry Pi 4 2GB model. Excellent performance and WAY more than needed for Zabbix Server - it's completely idling even when being used a lot. I'll bet it could run on an RPi 3 or likely even an RPi 2.
-
@keyser I have a mostly unused PC that just runs an Emby server for photos and music. I could install the Zabbix server on that and maybe do a port forward to access it remotely?
I'm still unclear on how I connect it to my pfSense device. Install the package in pfSense, then does the Zabbix server just tie to it?
-
@nguser6947 If you want access to the web interface remotely, a port forward will work, but I would recommend using VPN instead.
But then you might as well just connect to pfSense with VPN and log into the interface.
The Zabbix server idea is mostly for monitoring and alerting if the pfSense is down/has no internet. But that requires the Zabbix server to have another Internet connection than what the pfSense provides.
You can then set up Zabbix to do email alerting. The Zabbix server monitors pfSense either by polling using SNMP or by installing a Zabbix Agent on pfSense and connecting it to the server (passive/polling or active agent). This requires some config of the agent on pfSense, and both require network access between them. SNMP best be inside a VPN tunnel - the Zabbix agent can be configured for SSL encryption and you could then open a port for the specific IP address from which the server comes.
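
To illustrate the agent-encryption and single-source-IP point in the post above, here is an added example (not part of the thread, and not any poster's own configuration): a Python check over a `zabbix_agentd.conf`-style file that flags unencrypted agent traffic and an over-broad `Server` allow-list. The sample configs, the 203.0.113.10 address, the PSK identity and the PSK file path are constructed placeholders.

```python
import ipaddress

# Constructed sample agent configs (addresses and names are placeholders).
WEAK = "Server=0.0.0.0/0\nServerActive=203.0.113.10\n"
HARDENED = """\
Server=203.0.113.10
ServerActive=203.0.113.10
TLSConnect=psk
TLSAccept=psk
TLSPSKIdentity=pfsense-home
TLSPSKFile=/path/to/agent.psk
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """List weaknesses for an agent that is reachable over the internet."""
    conf = parse_conf(text)
    findings = []
    # Both settings default to "unencrypted" when the key is absent.
    connect = conf.get("TLSConnect", "unencrypted")
    accept = {v.strip() for v in conf.get("TLSAccept", "unencrypted").split(",")}
    if connect == "unencrypted" and conf.get("ServerActive"):
        findings.append("TLSConnect: active checks are sent unencrypted")
    if "unencrypted" in accept:
        findings.append("TLSAccept: unencrypted passive checks are accepted")
    uses_psk = connect == "psk" or "psk" in accept
    if uses_psk and not (conf.get("TLSPSKIdentity") and conf.get("TLSPSKFile")):
        findings.append("PSK selected but TLSPSKIdentity/TLSPSKFile is missing")
    for entry in filter(None, (e.strip() for e in conf.get("Server", "").split(","))):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # DNS name: not judged here
        if net.num_addresses > 1:
            findings.append(f"Server: allows a whole range ({entry})")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The firewall rule that opens the agent port should name the same single source address that appears in `Server`, so the allow-list is enforced in two places.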
-
@keyser yeah I don't want or need remote administration. Frankly a periodic snapshot of the vitals would be fine.
-
Other options here might be simpler, but Home Assistant cloud is pretty cheap, and since there is a pfSense integration, that makes all the stats accessible from anywhere without "exposing" direct access to pfSense to the internet. There are other security risks involved with this approach. Just wanted to throw in some other options.