# Managed VPN

> Understand VPN instances, peers, protocols, and routing choices in Altostrat SDX.

Managed VPN gives you a cloud-hosted private connectivity hub. You create a VPN instance in a region, then connect SDX-managed sites and individual users as peers.

Use it when you need branch-to-branch connectivity, controlled access for remote users, or a simpler operational model than manually maintaining per-router VPN meshes.

## Core Concepts

<CardGroup cols={2}>
  <Card title="Instance" icon="server">
    A VPN instance is the cloud hub. It has a name, hostname, region, routing settings, DNS settings, and a set of connected peers.
  </Card>

  <Card title="Peer" icon="users">
    A peer is a site or user that connects to the instance. Site peers advertise site subnets. Client peers give a user a downloadable VPN profile.
  </Card>
</CardGroup>

```mermaid theme={null}
flowchart TD
  Instance["VPN instance"] --> SitePeer["Site peer<br />Managed MikroTik site"]
  Instance --> ClientPeer["Client peer<br />Assigned user"]
  SitePeer --> Subnets["Advertised subnets"]
  ClientPeer --> Access["Split tunnel or route all traffic"]
```

## Peer Types

| Peer type   | Use it for                                    | Required choices                                 |
| ----------- | --------------------------------------------- | ------------------------------------------------ |
| Site peer   | Connecting an SDX-managed site to the VPN hub | Site, protocol, and subnets to advertise         |
| Client peer | Giving one user a remote-access profile       | User, protocol, and whether to route all traffic |

Site peers can use OpenVPN or WireGuard where available. Client peers are designed around per-user access and can be configured for split-tunnel or full-tunnel behavior.

## Region And Hostname

When you create an instance, choose a region close to the majority of peers. Region choice affects latency for both site-to-site and user access.

The hostname becomes part of the public address for the instance. Hostnames must be unique, short, and DNS-safe. Avoid generic or reserved labels such as `www`, `api`, `vpn`, `mail`, `cdn`, and `ns`.

<Note>
  New VPN instances are provisioned asynchronously. The portal notes that a new instance can take approximately 10 minutes to become available.
</Note>

## Routing Choices

For site peers, advertise only the subnets that should be reachable over the VPN. Avoid broad routes unless you intentionally want the instance to carry that traffic.

For client peers, choose between:

* **Split tunnel:** route only private or advertised networks through the VPN.
* **Route all traffic:** send the user's general internet traffic through the VPN as well.

Split tunnel is usually easier to operate and uses less bandwidth. Route-all is better when you need centralized egress, inspection, or a stricter access posture.
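A pre-change review of the routing choices above, written as an added example rather than code from Altostrat or the SDX portal. It checks constructed site-peer subnet lists against an assumed policy (no default route, nothing broader than /16, RFC 1918 only) and flags overlaps between sites, which goes beyond the page text, then shows the routes a client peer receives under split tunnel versus route-all.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data for this example, not exported from the SDX portal.
SITE_PEERS = {
    "branch-a": ["10.10.0.0/24", "10.10.1.0/24"],
    "branch-b": ["10.0.0.0/8"],
    "branch-c": ["0.0.0.0/0", "10.20.1.0/25", "203.0.113.0/24"],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADEST_ALLOWED_PREFIX = 16  # assumed review threshold for this example, not an SDX default


def check_site_subnets(peers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return review findings per site peer for the subnets it would advertise."""
    parsed = {n: [ipaddress.ip_network(s, strict=True) for s in subs] for n, subs in peers.items()}
    findings: Dict[str, List[str]] = {n: [] for n in peers}
    for name, nets in parsed.items():
        for net in nets:
            if net.prefixlen == 0:
                findings[name].append(f"{net}: default route, the hub would carry all site traffic")
                continue
            if net.prefixlen < BROADEST_ALLOWED_PREFIX:
                findings[name].append(f"{net}: broader than /{BROADEST_ALLOWED_PREFIX}, confirm intent")
            if not any(net.subnet_of(r) for r in RFC1918):
                findings[name].append(f"{net}: not RFC 1918 space, unusual for a site LAN")
    # Overlapping advertisements from different sites make hub routing ambiguous
    # (this check is an extension beyond the page text). Default routes were flagged above.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in parsed[a]:
                for nb in parsed[b]:
                    if na.prefixlen and nb.prefixlen and na.overlaps(nb):
                        findings[a].append(f"{na} overlaps {nb} advertised by {b}")
    return findings


def client_routes(advertised: List[str], route_all: bool) -> List[str]:
    """Routes a client peer receives: split tunnel pushes only the advertised
    networks; route-all replaces them with a default route via the instance."""
    if route_all:
        return ["0.0.0.0/0"]
    return sorted(advertised, key=lambda s: ipaddress.ip_network(s))


if __name__ == "__main__":
    for site, items in check_site_subnets(SITE_PEERS).items():
        print(site, items or "ok")
    print(client_routes(["10.10.1.0/24", "10.10.0.0/24"], route_all=False))
```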

## Next Step

<Card title="Configure instances and peers" icon="sliders-horizontal" href="./instances-and-peers" arrow="true">
  Create a VPN instance, connect site peers, and issue client profiles.
</Card>
