Managed VPN gives you a cloud-hosted private connectivity hub. You create a VPN instance in a region, then connect SDX-managed sites and individual users as peers. Use it when you need branch-to-branch connectivity, controlled access for remote users, or a simpler operational model than manually maintaining per-router VPN meshes.

Core Concepts

Instance

A VPN instance is the cloud hub. It has a name, hostname, region, routing settings, DNS settings, and a set of connected peers.

Peer

A peer is a site or user that connects to the instance. Site peers advertise site subnets. Client peers give a user a downloadable VPN profile.

Peer Types

| Peer type | Use it for | Required choices |
| --- | --- | --- |
| Site peer | Connecting an SDX-managed site to the VPN hub | Site, protocol, and subnets to advertise |
| Client peer | Giving one user a remote-access profile | User, protocol, and whether to route all traffic |

Site peers can use OpenVPN or WireGuard where available. Client peers are designed around per-user access and can be configured for split-tunnel or full-tunnel behavior.

Region And Hostname

When you create an instance, choose a region close to the majority of peers. Region choice affects latency for both site-to-site and user access. The hostname becomes part of the public address for the instance. Hostnames must be unique, short, and DNS-safe. Avoid generic or reserved labels such as www, api, vpn, mail, cdn, and ns.
New VPN instances are provisioned asynchronously. The portal indicates that a new instance can take approximately 10 minutes before it is available.

Routing Choices

For site peers, advertise only the subnets that should be reachable over the VPN. Avoid broad routes unless you intentionally want the instance to carry that traffic.

For client peers, choose between:
  • Split tunnel: route only private or advertised networks through the VPN.
  • Route all traffic: send the user’s general internet traffic through the VPN as well.

Split tunnel is usually easier to operate and uses less bandwidth. Route-all is better when you need centralized egress, inspection, or a stricter access posture.
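
A pre-flight check for the site-peer guidance above, as an added example that is not Altostrat's code or API: it flags default routes, broad prefixes, ranges outside private address space, and overlaps between sites before the subnets are entered as advertisements. The /16 and /48 thresholds, the site names, and the sample subnets are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Assumed policy (not from the product docs): prefixes shorter than this are "broad".
MIN_PREFIX = {4: 16, 6: 48}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample: site name -> subnets proposed for advertisement.
SAMPLE_SITES = {
    "branch-a": ["10.10.0.0/24", "10.10.1.0/24"],
    "branch-b": ["10.20.0.0/24", "0.0.0.0/0"],
    "branch-c": ["10.10.1.128/25", "172.16.0.0/12", "203.0.113.0/24", "10.30.0.5/24"],
}

def audit_advertised_subnets(sites, min_prefix=MIN_PREFIX):
    """Return sorted (site, subnet, reason) findings for risky advertisements."""
    findings, routable = [], []
    for site, subnets in sites.items():
        for text in subnets:
            try:
                net = ipaddress.ip_network(text, strict=True)
            except ValueError:
                findings.append((site, text, "invalid CIDR or host bits set"))
                continue
            if net.prefixlen == 0:
                # A default route would pull all VPN traffic toward this site.
                findings.append((site, text, "default route"))
                continue
            if net.prefixlen < min_prefix[net.version]:
                findings.append((site, text, "broad prefix"))
            if not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE):
                findings.append((site, text, "outside private address space"))
            routable.append((site, net))
    # Overlapping ranges from two sites make the intended destination ambiguous.
    for (s1, n1), (s2, n2) in combinations(routable, 2):
        if s1 != s2 and n1.version == n2.version and n1.overlaps(n2):
            findings.append((s1, str(n1), f"overlaps {s2} {n2}"))
    return sorted(findings)

if __name__ == "__main__":
    for site, subnet, reason in audit_advertised_subnets(SAMPLE_SITES):
        print(f"{site:10} {subnet:18} {reason}")
```
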

Next Step

Configure instances and peers

Create a VPN instance, connect site peers, and issue client profiles.