This guide walks you through building a managed VPN fabric in SDX. You create an instance first, then attach site peers or client peers depending on who needs access.

Prerequisites

Before you begin, make sure you have:
  • Permission to manage VPN instances and peers.
  • A region selected for the instance.
  • For site peers, an adopted SDX site and the subnets you want to advertise.
  • For client peers, the user account that should receive VPN access.
  • A clear decision on split-tunnel versus route-all behavior for client access.

Create An Instance

1. Open VPN

In the portal, go to VPN, then open Instances.

2. Create the instance

Click Create Instance and enter:
  • Name: a short operator-friendly label.
  • Hostname: a unique DNS-safe hostname between 3 and 20 characters.
  • Region: the deployment region closest to your expected peers.

3. Wait for provisioning

After you create the instance, wait for it to become available before adding production peers. The portal notes that provisioning can take approximately 10 minutes.

Do not use reserved or generic hostnames such as www, api, vpn, mail, cdn, assets, site, ns, rsync, or shell. Use a name that clearly belongs to the workspace or environment.

Add A Site Peer

Use a site peer when a managed MikroTik site should advertise one or more local subnets to the VPN instance.
1. Open the instance

Open the VPN instance, then go to Peers.

2. Add a site peer

Create a peer with type Site.

3. Select the site and protocol

Choose the SDX-managed site and select the protocol. The supported peer protocols are OpenVPN and WireGuard.

4. Choose advertised subnets

Select only the subnets that should be reachable by other peers. Prefer specific prefixes over broad LAN-wide routing when possible.

5. Save and verify

Save the peer, then monitor its status from the instance. If the peer does not connect, check the site’s online state, subnet selection, and management connectivity.

Add A Client Peer

Use a client peer when a user needs remote access from a laptop or mobile device.
1. Create a client peer

In the instance Peers tab, add a peer with type Client.

2. Assign the user

Select the user who should own the peer. Treat the peer profile as user-specific access material.

3. Choose routing behavior

Leave Route all traffic disabled for split-tunnel access, or enable it when all user traffic should pass through the VPN instance.

4. Distribute the profile

Download or display the generated client configuration and give it to the assigned user through your approved access process.

Operational Checks

After peers are created:
  • Confirm the instance status is healthy.
  • Confirm each peer shows the expected connection state.
  • Verify advertised subnets from another peer before telling users the VPN is ready.
  • Review route-all client peers periodically because they carry more traffic through the instance.
  • Remove stale client peers when a user no longer needs access.

Troubleshooting

Symptom | What to check
Site peer stays offline | Confirm the site is online in SDX, then check management connectivity and whether the selected interface can reach the VPN service.
Client can connect but cannot reach a subnet | Confirm the subnet is advertised by a site peer and does not overlap with the client’s local network.
Client traffic is slower than expected | Check whether route-all is enabled and whether the instance region is far from the user.
Hostname is rejected | Use a 3 to 20 character DNS-safe hostname and avoid reserved names.
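
A pre-flight check for the hostname rule and the advertised-subnet guidance above, as an added example that is not part of the original guide or SDX's own tooling. It assumes "DNS-safe" means a single RFC 1123 label and treats anything wider than /16 as broad; the function names, threshold, and sample values are constructed for illustration.

```python
import ipaddress
import re

# Reserved names quoted on this page; the page says "such as", so the portal may reject more.
RESERVED = {"www", "api", "vpn", "mail", "cdn", "assets", "site", "ns", "rsync", "shell"}
# Assumption: "DNS-safe" means a single RFC 1123 label (letters, digits, inner hyphens).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def hostname_problems(name):
    """Return the reasons a proposed instance hostname would likely be rejected."""
    name = name.lower()
    problems = []
    if not 3 <= len(name) <= 20:
        problems.append("length must be 3 to 20 characters")
    if not LABEL_RE.match(name):
        problems.append("not a DNS-safe label")
    if name in RESERVED:
        problems.append("reserved or generic name")
    return problems


def subnet_findings(advertised, client_lans, min_prefix=16):
    """Flag broad prefixes and overlaps in a site peer's advertised IPv4 subnets.

    min_prefix is an assumed review threshold, not an SDX setting.
    """
    nets = [ipaddress.ip_network(s) for s in advertised]  # raises if host bits are set
    lans = [ipaddress.ip_network(s) for s in client_lans]
    findings = []
    for i, net in enumerate(nets):
        if net.prefixlen < min_prefix:
            findings.append((str(net), "broad prefix"))
        findings += [(str(net), f"overlaps advertised {o}") for o in nets[i + 1:] if net.overlaps(o)]
        findings += [(str(net), f"overlaps client LAN {l}") for l in lans if net.overlaps(l)]
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    for host in ("vpn", "branch-hq-01", "-bad_name"):
        print(host, hostname_problems(host) or "ok")
    for finding in subnet_findings(
        ["10.20.0.0/24", "10.0.0.0/8", "192.168.1.0/24"], ["192.168.1.0/24"]
    ):
        print(finding)
```

Run it against the subnet list you plan to select for a site peer and the home or office ranges your client users commonly sit behind.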

Secure remote access

Use transient access when an operator needs short-lived management access to a site.

Regional servers

Review the management endpoint model for SDX-connected sites.