
# Management VPN

> Understand the SDX management VPN used for router management, monitoring, jobs, and transient access.

The management VPN is the secure management path between an adopted MikroTik router and Altostrat SDX. During onboarding, SDX creates a PPP profile and an OpenVPN interface on the router. That interface connects outbound to `api.altostrat.io` on TCP port `8443` using AES-256 encryption.

The tunnel is for platform management. It is not a general user VPN and should not be treated as a branch internet path.

## What It Enables

The management VPN supports SDX operations such as:

* Site health and check-in behavior.
* Scheduled and synchronous automation tasks.
* Transient WinBox, SSH, and port access.
* Control plane policy operations.
* Configuration backup and diagnostic workflows.
* Site actions such as recreating the management tunnel or management filter.

```mermaid theme={null}
flowchart LR
  Router["MikroTik router"] -->|OpenVPN TCP 8443| SDX["Altostrat SDX"]
  SDX --> Jobs["Device jobs"]
  SDX --> Access["Transient access"]
  SDX --> Monitoring["Health and telemetry"]
```

## Addressing

Management tunnel addresses are selected from `100.64.0.0/10`. SDX also uses `154.66.115.255` as a management-plane address in control-plane filters and API-user restrictions.

During onboarding, SDX also creates the `altostrat-api` user for automation tasks. The portal copy notes that logins for this user are restricted to `154.66.115.255`.

<Warning>
  Do not remove the management VPN, the `altostrat-api` account, or the control-plane filter unless you have a recovery path. Those pieces are part of how SDX manages the router.
</Warning>

## Recover The Tunnel

If the management VPN appears missing or corrupted:

<Steps>
  <Step title="Open the site controls">
    Go to the affected site and open the site actions menu.
  </Step>

  <Step title="Run Recreate Management VPN">
    Select **Recreate Management VPN**. SDX dispatches the site action `site.recreate_tunnel` to tear down and rebuild the secure tunnel to the platform.
  </Step>

  <Step title="Recreate the management filter if needed">
    If management firewall rules are also suspect, select **Recreate Management Filter**. This reapplies the SDX management firewall rules.
  </Step>

  <Step title="Monitor the result">
    Watch the site state and orchestration history until the site resumes normal check-ins.
  </Step>
</Steps>

## Firewall Planning

Your upstream firewall should allow outbound connections from managed routers to SDX service endpoints. For the management tunnel, allow outbound TCP `8443` to `api.altostrat.io`.

No public inbound management rule is required for the tunnel itself because the router initiates the connection.
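As an added example, not part of this page or of SDX's own tooling, the script below parses a constructed RouterOS-style export and audits the management-VPN artifacts described under Addressing and Firewall Planning: an OpenVPN client interface that connects outbound to `api.altostrat.io` on TCP `8443` without injecting a default route, a tunnel address inside `100.64.0.0/10`, and an `altostrat-api` user whose logins are restricted to `154.66.115.255`. The RouterOS parameter names used (`connect-to`, `port`, `add-default-route`, the user `address` field) are standard RouterOS ones, but the interface and profile names, the `PLACEHOLDER` secrets and both sample exports are constructed assumptions; SDX's onboarding output may name things differently.

```python
"""Audit a RouterOS export for the SDX management-VPN artifacts (added example)."""
import ipaddress
import re

EXPECTED_HOST = "api.altostrat.io"                          # from the page
EXPECTED_PORT = "8443"                                      # from the page
MGMT_PLANE_NET = ipaddress.ip_network("154.66.115.255/32")  # from the page
TUNNEL_RANGE = ipaddress.ip_network("100.64.0.0/10")        # from the page
API_USER = "altostrat-api"                                  # from the page

# Constructed sample export. Interface/profile names and PLACEHOLDER secrets
# are assumptions; SDX's real onboarding output may differ.
GOOD_EXPORT = """\
/interface ovpn-client
add name=sdx-mgmt connect-to=api.altostrat.io port=8443 mode=ip user=router-1 \\
    password=PLACEHOLDER profile=altostrat-ppp cipher=aes256 add-default-route=no
/user
add name=altostrat-api group=full address=154.66.115.255/32 password=PLACEHOLDER
/ip address
add address=100.64.12.7/32 interface=sdx-mgmt network=100.64.0.1
"""

# Constructed "drifted" export: default OVPN port, default route injected,
# API user unrestricted, tunnel address outside 100.64.0.0/10.
BAD_EXPORT = """\
/interface ovpn-client
add name=sdx-mgmt connect-to=api.altostrat.io mode=ip user=router-1 \\
    password=PLACEHOLDER add-default-route=yes
/user
add name=altostrat-api group=full password=PLACEHOLDER
/ip address
add address=10.0.0.5/32 interface=sdx-mgmt network=10.0.0.1
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section path: [entry dict, ...]} from a RouterOS-style export.

    Joins RouterOS backslash line continuations and reads 'add' lines only;
    'set' lines and comments are ignored for this audit.
    """
    sections = {}
    current = None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            entry = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            sections[current].append(entry)
    return sections


def audit_management_vpn(text):
    """Return a list of findings; an empty list means the artifacts look intact."""
    cfg = parse_export(text)
    findings = []

    tunnel = next((c for c in cfg.get("/interface ovpn-client", [])
                   if c.get("connect-to") == EXPECTED_HOST), None)
    if tunnel is None:
        findings.append(f"no ovpn-client interface connects to {EXPECTED_HOST}")
    else:
        # RouterOS defaults the OVPN port to 1194 when omitted, so absence is a mismatch.
        port = tunnel.get("port", "1194")
        if port != EXPECTED_PORT:
            findings.append(f"management tunnel port is {port}, expected {EXPECTED_PORT}")
        if tunnel.get("add-default-route", "no") == "yes":
            findings.append("management tunnel injects a default route; it is not an internet path")
        for addr in cfg.get("/ip address", []):
            if addr.get("interface") == tunnel.get("name"):
                ip = ipaddress.ip_interface(addr["address"]).ip
                if ip not in TUNNEL_RANGE:
                    findings.append(f"tunnel address {ip} is outside {TUNNEL_RANGE}")

    user = next((u for u in cfg.get("/user", []) if u.get("name") == API_USER), None)
    if user is None:
        findings.append(f"{API_USER} user is missing")
    else:
        allowed = [ipaddress.ip_network(a, strict=False)
                   for a in user.get("address", "").split(",") if a]
        if allowed != [MGMT_PLANE_NET]:
            findings.append(f"{API_USER} logins are not restricted to {MGMT_PLANE_NET}")
    return findings


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("drifted", BAD_EXPORT)):
        print(label, audit_management_vpn(export) or "no findings")
```

Run it against `/export` output captured from a router before deciding whether **Recreate Management VPN** or **Recreate Management Filter** is warranted; each finding maps to one of the properties the page states, so an empty list means the tunnel definition, addressing and API-user restriction still match the documented design.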

## Related Pages

<CardGroup cols={2}>
  <Card title="Trusted IPs and endpoints" icon="shield-check" href="./trusted-ips" arrow="true">
    Review endpoint planning for firewalls and control-plane filters.
  </Card>

  <Card title="Control plane policies" icon="sliders-horizontal" href="../fleet/control-plane-policies" arrow="true">
    Manage trusted networks, service ports, and management access.
  </Card>
</CardGroup>
