# VPN Instances and Peers

> Create a managed VPN instance, add site and client peers, and make practical routing decisions.

This guide walks you through building a managed VPN fabric in SDX. You create an instance first, then attach site peers or client peers depending on who needs access.

## Prerequisites

Before you begin, make sure you have:

* Permission to manage VPN instances and peers.
* A region selected for the instance.
* For site peers, an adopted SDX site and the subnets you want to advertise.
* For client peers, the user account that should receive VPN access.
* A clear decision on split-tunnel versus route-all behavior for client access.

## Create An Instance

<Steps>
  <Step title="Open VPN">
    In the portal, go to **VPN**, then open **Instances**.
  </Step>

  <Step title="Create the instance">
    Click **Create Instance** and enter:

    * **Name:** a short operator-friendly label.
    * **Hostname:** a unique DNS-safe hostname between 3 and 20 characters.
    * **Region:** the deployment region closest to your expected peers.
  </Step>

  <Step title="Wait for provisioning">
    After you create the instance, wait for it to become available before adding production peers. The portal notes that provisioning can take approximately 10 minutes.
  </Step>
</Steps>

<Warning>
  Do not use reserved or generic hostnames such as `www`, `api`, `vpn`, `mail`, `cdn`, `assets`, `site`, `ns`, `rsync`, or `shell`. Use a name that clearly belongs to the workspace or environment.
</Warning>
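As an added example (not code from this page or from Altostrat SDX), the following pre-check applies the hostname rules above before you submit the form. The 3 to 20 character range and the reserved list come from this page; reading "DNS-safe" as a single RFC 1123 label (lowercase letters, digits, hyphens, no leading or trailing hyphen) is an assumption, since the page does not spell out the portal's exact rule.

```python
import re

# Reserved or generic names listed in the warning on this page.
RESERVED_HOSTNAMES = frozenset(
    {"www", "api", "vpn", "mail", "cdn", "assets", "site", "ns", "rsync", "shell"}
)

# Length limits stated on this page.
MIN_LEN, MAX_LEN = 3, 20

# Assumption: "DNS-safe" is read as a single RFC 1123 label: lowercase letters,
# digits and hyphens, with no leading or trailing hyphen. The page does not
# spell out the portal's exact rule, so tighten this if the portal is stricter.
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def check_hostname(name: str) -> list[str]:
    """Return the problems with a proposed instance hostname; an empty list means it passes."""
    problems: list[str] = []
    length = len(name)
    if not MIN_LEN <= length <= MAX_LEN:
        problems.append(f"length {length} is outside {MIN_LEN}-{MAX_LEN} characters")
    if not _LABEL_RE.fullmatch(name):
        problems.append(
            "not a DNS-safe label (lowercase a-z, 0-9, hyphen; no leading/trailing hyphen)"
        )
    if name.lower() in RESERVED_HOSTNAMES:
        problems.append(f"'{name}' is a reserved or generic name")
    return problems


def is_acceptable(name: str) -> bool:
    """True when the hostname passes every rule above."""
    return not check_hostname(name)


if __name__ == "__main__":
    # Constructed candidates: one acceptable name and several the portal would reject.
    for candidate in ["acme-prod-vpn", "vpn", "ab", "-acme", "Acme_Prod", "a" * 21]:
        verdict = check_hostname(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

The reserved-name check is case-insensitive on purpose: `VPN` is rejected both because it is not a lowercase label and because it is the reserved word, so an operator sees both reasons at once rather than fixing one and hitting the other.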

## Add A Site Peer

Use a site peer when a managed MikroTik site should advertise one or more local subnets to the VPN instance.

<Steps>
  <Step title="Open the instance">
    Open the VPN instance, then go to **Peers**.
  </Step>

  <Step title="Add a site peer">
    Create a peer with type **Site**.
  </Step>

  <Step title="Select the site and protocol">
    Choose the SDX-managed site and select the protocol. The supported peer protocols are OpenVPN and WireGuard.
  </Step>

  <Step title="Choose advertised subnets">
    Select only the subnets that should be reachable by other peers. Prefer specific prefixes over broad LAN-wide routing when possible.
  </Step>

  <Step title="Save and verify">
    Save the peer, then monitor its status from the instance. If the peer does not connect, check the site's online state, subnet selection, and management connectivity.
  </Step>
</Steps>

## Add A Client Peer

Use a client peer when a user needs remote access from a laptop or mobile device.

<Steps>
  <Step title="Create a client peer">
    In the instance **Peers** tab, add a peer with type **Client**.
  </Step>

  <Step title="Assign the user">
    Select the user who should own the peer. Treat the peer profile as user-specific access material.
  </Step>

  <Step title="Choose routing behavior">
    Leave **Route all traffic** disabled for split-tunnel access, or enable it when all user traffic should pass through the VPN instance.
  </Step>

  <Step title="Distribute the profile">
    Download or display the generated client configuration and give it to the assigned user through your approved access process.
  </Step>
</Steps>

## Operational Checks

After peers are created:

* Confirm the instance status is healthy.
* Confirm each peer shows the expected connection state.
* Verify advertised subnets from another peer before telling users the VPN is ready.
* Review route-all client peers periodically because they carry more traffic through the instance.
* Remove stale client peers when a user no longer needs access.

## Troubleshooting

| Symptom                                      | What to check                                                                                                                       |
| -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| Site peer stays offline                      | Confirm the site is online in SDX, then check management connectivity and whether the selected interface can reach the VPN service. |
| Client can connect but cannot reach a subnet | Confirm the subnet is advertised by a site peer and does not overlap with the client's local network.                               |
| Client traffic is slower than expected       | Check whether route-all is enabled and whether the instance region is far from the user.                                            |
| Hostname is rejected                         | Use a 3 to 20 character DNS-safe hostname and avoid reserved names.                                                                 |
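The split-tunnel versus route-all decision in the client peer steps, the "verify advertised subnets" check, and the subnet-overlap row in the table above can all be checked before users are onboarded. The following is an added example, not code from this page or from Altostrat SDX. It takes the subnets each site peer advertises (`SITE_PEERS` and `CLIENT_LAN` are constructed sample data, not portal output), reports prefixes that overlap between two site peers, reports advertised prefixes that collide with a client's own LAN, and derives the destination set a split-tunnel client needs versus the route-all default. The cross-peer overlap check goes slightly beyond the page, which only calls out client-side overlap; it is included because two peers claiming the same space produces the same "cannot reach a subnet" symptom.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: subnets each site peer advertises to the instance,
# and the LAN behind the client's home router. Not taken from a real deployment.
SITE_PEERS = {
    "branch-a": ["10.10.0.0/24", "10.10.1.0/24"],
    "branch-b": ["10.20.0.0/16"],
    "datacenter": ["10.20.50.0/24"],  # sits inside branch-b's /16
}
CLIENT_LAN = ["192.168.1.0/24", "10.10.0.0/24"]  # second prefix collides with branch-a


def _parse(prefixes):
    """Parse prefix strings, accepting host bits so '10.20.50.1/24' is tolerated."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def find_peer_overlaps(advertised):
    """Pairs of advertised prefixes from different site peers that overlap.
    Two peers claiming the same space means the instance cannot route it unambiguously."""
    hits = []
    for (peer_a, nets_a), (peer_b, nets_b) in combinations(advertised.items(), 2):
        for a in _parse(nets_a):
            for b in _parse(nets_b):
                if a.version == b.version and a.overlaps(b):
                    hits.append((peer_a, str(a), peer_b, str(b)))
    return hits


def find_client_conflicts(advertised, client_local):
    """Advertised prefixes that overlap the client's own LAN: the 'connects but cannot
    reach a subnet' case, because the client's directly connected route typically
    wins over the tunnel route for the same prefix."""
    local = _parse(client_local)
    hits = []
    for peer, nets in advertised.items():
        for n in _parse(nets):
            if any(n.version == l.version and n.overlaps(l) for l in local):
                hits.append((peer, str(n)))
    return hits


def tunnel_destinations(advertised, route_all):
    """Destinations the client should send through the instance.
    Route-all: the default routes. Split tunnel: only the advertised prefixes,
    collapsed so adjacent or nested prefixes become one route."""
    if route_all:
        return ["0.0.0.0/0", "::/0"]
    nets = [n for prefixes in advertised.values() for n in _parse(prefixes)]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in (*v4, *v6)]


if __name__ == "__main__":
    print("peer overlaps:", find_peer_overlaps(SITE_PEERS))
    print("client conflicts:", find_client_conflicts(SITE_PEERS, CLIENT_LAN))
    print("split tunnel:", tunnel_destinations(SITE_PEERS, route_all=False))
    print("route all:", tunnel_destinations(SITE_PEERS, route_all=True))
```

Run this with the real advertised subnets before handing out a client profile: an empty result from both `find_*` functions is the precondition for the "verify advertised subnets from another peer" check to succeed. For a WireGuard client the split-tunnel list corresponds to the peer's `AllowedIPs` and route-all to `0.0.0.0/0, ::/0`; that is standard WireGuard behaviour, not a statement about the format of the profile the portal generates.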

## Related Pages

<CardGroup cols={2}>
  <Card title="Secure remote access" icon="key-round" href="../../fleet/secure-remote-access" arrow="true">
    Use transient access when an operator needs short-lived management access to a site.
  </Card>

  <Card title="Regional servers" icon="server" href="../../resources/regional-servers" arrow="true">
    Review the management endpoint model for SDX-connected sites.
  </Card>
</CardGroup>
