This guide provides the practical steps for setting up and managing your secure network fabric using Altostrat’s Managed VPN. The process involves creating a central cloud hub (an Instance) and then connecting your sites and users to it as Peers.

Part 1: Creating Your First VPN Instance

The first step is to provision your cloud hub.
1. Navigate to Managed VPN

In the SDX Dashboard, select Connectivity from the main menu, then click on Managed VPN.
2. Create a New Instance

Click Create Instance. You will be asked to provide the following details:
  • Name: A descriptive name for your VPN (e.g., “Production Corporate VPN”).
  • Hostname: A unique hostname that will form part of your VPN’s public address (e.g., my-company-vpn). This will be accessible at my-company-vpn.vpn.altostr.at.
  • Region: Select the geographical region closest to the majority of your users and sites.
Choosing the closest region to your peers is the most important factor for minimizing latency and ensuring the best performance.
Click Create to begin the provisioning process. This may take a few minutes as we deploy a dedicated server for your instance.

Part 2: Configuring Instance Settings

Once the instance is active, you can click on it to configure advanced network and DNS settings that will be pushed to all connecting peers.

Network Routes

In the Pushed Routes section, you can define additional IP prefixes that all connected peers should route through the VPN. This is useful for providing access to networks that are not directly advertised by a Site Peer, such as a cloud VPC. By default, this includes the standard RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

DNS Settings

The Managed VPN Instance acts as a DNS server for connected peers. You can customize its behavior:
  • Public DNS: The upstream DNS resolvers the instance will use for public queries (defaults to Quad9).
  • Split DNS & Domains: Define specific domains that should be resolved by the instance’s private DNS. All other queries will go to the public resolvers. This is ideal for resolving internal hostnames.
  • Custom DNS Records: Create custom A or CNAME records for your private network (e.g., mapping intranet.corp to 10.1.1.5).

Part 3: Adding Peers

With your instance running, you can now connect your sites and users to it.
Billing: Each peer (whether a Site Peer or Client Peer) consumes one seat. For example, if you connect 2 sites and 3 users, you will be billed for 5 seats total.

Adding a Site Peer (Site-to-Site VPN)

Connect one of your SDX-managed MikroTik routers to the VPN to make its local network accessible.
  1. Navigate to your VPN Instance and open the Peers tab.
  2. Click Add Peer and select the type Site.
  3. From the dropdown, choose the SDX-managed Site you wish to connect.
  4. Select the Protocol for the tunnel (WireGuard or OpenVPN). WireGuard is recommended for higher performance.
  5. Select the Subnets from that site’s local network that you want to make accessible (“advertise”) over the VPN.
  6. Click Add.
Altostrat will automatically orchestrate the creation of the VPN tunnel on your MikroTik device. Within minutes, its status will show as connected, and its advertised subnets will be reachable by other peers.

Adding a Client Peer (Remote User VPN)

Create a secure connection profile for a remote user. This process uses the modern and secure WireGuard protocol.
  1. Navigate to your VPN Instance and open the Peers tab.
  2. Click Add Peer and select the type Client.
  3. From the dropdown, select the User this peer will be assigned to.
  4. Configure the tunneling behavior:
     • Split Tunnel (default): Route All Traffic disabled. Only traffic destined for private subnets will go through the VPN. This is best for performance and conserves bandwidth.
     • Full Tunnel: Route All Traffic enabled. All of the user’s internet traffic will be sent through the VPN. This is best for maximum security and traffic inspection.
  5. Click Add. A new client peer will be created.
  6. Click the Get Config button next to the peer to download the WireGuard configuration file (.conf) or display a QR code.
The user can import this file or scan the QR code with their WireGuard client on their laptop or mobile device to connect.
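Before handing a downloaded profile to a user, it is worth checking that it actually matches the instance settings from Part 2 and the tunnel mode chosen in step 4: that the RFC 1918 pushed routes are covered in split-tunnel mode, and that the instance DNS server lies inside the routed prefixes so internal lookups do not leak out of the tunnel. The audit below is an added example, not Altostrat’s code; it assumes the profile is a standard WireGuard INI file, and the sample config, its keys and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of a client profile in standard WireGuard INI shape;
# keys, addresses and endpoint are placeholders, not values from Altostrat.
SAMPLE_SPLIT_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.255.0.12/32
DNS = 10.255.0.1
[Peer]
PublicKey = <instance-public-key-placeholder>
Endpoint = my-company-vpn.vpn.altostr.at:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
"""
# Default pushed routes of an instance, as the guide states (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_wg_conf(text):
    """Parse WireGuard INI into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Peer]":
            conf["Peer"].append({})
            current = conf["Peer"][-1]
        elif line.startswith("["):
            current = conf.setdefault(line.strip("[]"), {})
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conf

def audit(text):
    """Classify the profile as split or full tunnel and flag routing/DNS mismatches.
    AllowedIPs is what the client routes into the tunnel; a /0 prefix means full tunnel."""
    conf = parse_wg_conf(text)
    nets = [ipaddress.ip_network(p.strip()) for peer in conf["Peer"]
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]
    mode = "full" if any(n.prefixlen == 0 for n in nets) else "split"
    findings = []
    dns = conf["Interface"].get("DNS")
    if not dns:
        findings.append("no DNS set: the instance's split DNS will not be used")
    elif not any(ipaddress.ip_address(dns.split(",")[0].strip()) in n for n in nets):
        findings.append("DNS server is outside AllowedIPs: queries bypass the tunnel")
    if mode == "split":
        missing = [str(r) for r in RFC1918 if not any(r.subnet_of(n) for n in nets)]
        if missing:
            findings.append("pushed private ranges not routed: " + ", ".join(missing))
    return mode, findings
```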

Part 4: Monitoring Your VPN

From the instance overview page, you can monitor the health and activity of your VPN:
  • Peer Status: The Peers tab shows a real-time list of all configured peers, their assigned VPN IP addresses, their public source IP, and their current connection status (online/offline).
  • Bandwidth Usage: The Statistics tab provides graphs of bandwidth usage for the entire instance, helping you monitor traffic patterns and plan for capacity.

Best Practices

Choose the Right Region

Deploy your instance in the region that is geographically closest to the majority of your peers. This is the single most important factor for minimizing latency.

Advertise Specific Subnets

When adding a Site Peer, only advertise the specific subnets that need to be accessible. Unless it is genuinely required, avoid advertising your entire LAN; this prevents route conflicts between sites and keeps the routing table clean.

Prefer Split Tunnel for Clients

For most remote-user scenarios, a split tunnel provides the best balance of security and performance: only internal traffic is routed through the VPN, while general internet traffic goes direct.