The management VPN is the secure management path between an adopted MikroTik router and Altostrat SDX. During onboarding, SDX creates a PPP profile and an OpenVPN interface on the router. That interface connects outbound to api.altostrat.io on TCP port 8443 using AES-256 encryption. The tunnel is for platform management. It is not a general user VPN and should not be treated as a branch internet path.

What It Enables

The management VPN supports SDX operations such as:
  • Site health and check-in behavior.
  • Scheduled and synchronous automation tasks.
  • Transient WinBox, SSH, and port access.
  • Control plane policy operations.
  • Configuration backup and diagnostic workflows.
  • Site actions such as recreating the management tunnel or management filter.

Addressing

Management tunnel addresses are selected from 100.64.0.0/10. SDX also uses 154.66.115.255 as a management-plane address in control-plane filters and API-user restrictions. During onboarding, SDX also creates the altostrat-api user for automation tasks. The portal copy notes that logins for this user are restricted to 154.66.115.255.
Do not remove the management VPN, the altostrat-api account, or the control-plane filter unless you have a recovery path. Those pieces are part of how SDX manages the router.
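
As an added example (not Altostrat's code), this Python check audits text in RouterOS export syntax for the components this page says must stay in place: the OpenVPN client to api.altostrat.io on TCP 8443 with an AES-256 cipher, and the altostrat-api user restricted to 154.66.115.255. It can also confirm that an observed tunnel address falls inside 100.64.0.0/10. The sample export is constructed, and the names `sdx-mgmt` and `site1` are hypothetical because the page does not state what SDX calls the interface, profile, or VPN user.

```python
import ipaddress
import re
import shlex

# Values documented on this page.
SDX_HOST, SDX_PORT, API_USER = "api.altostrat.io", "8443", "altostrat-api"
API_SOURCE = ipaddress.ip_network("154.66.115.255/32")
TUNNEL_RANGE = ipaddress.ip_network("100.64.0.0/10")
# Constructed sample in RouterOS export syntax; sdx-mgmt and site1 are hypothetical names.
SAMPLE = """\
/interface ovpn-client
add cipher=aes256-cbc connect-to=api.altostrat.io name=sdx-mgmt port=8443 profile=sdx-mgmt user=site1
/user
add address=154.66.115.255/32 group=full name=altostrat-api
"""

def parse_export(text):
    """Yield (menu, {key: value}) for each 'add' line, joining backslash-wrapped lines."""
    menu = None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def audit(export_text, tunnel_ip=None):
    """Return a list of findings; an empty list means every check passed."""
    items = list(parse_export(export_text))
    findings = []
    tunnels = [p for m, p in items
               if m == "/interface ovpn-client" and p.get("connect-to") == SDX_HOST]
    if not tunnels:
        findings.append("no OpenVPN client to " + SDX_HOST)
    for t in tunnels:
        if t.get("port") != SDX_PORT:
            findings.append("management tunnel is not on TCP " + SDX_PORT)
        if not t.get("cipher", "").startswith("aes256"):
            findings.append("management tunnel cipher is not AES-256")
    users = [p for m, p in items if m == "/user" and p.get("name") == API_USER]
    if not users:
        findings.append(API_USER + " account is missing")
    for u in users:
        allowed = {ipaddress.ip_network(a, strict=False)
                   for a in u.get("address", "").split(",") if a}
        if allowed != {API_SOURCE}:
            findings.append(API_USER + " logins are not restricted to 154.66.115.255")
    if tunnel_ip and ipaddress.ip_address(tunnel_ip) not in TUNNEL_RANGE:
        findings.append("tunnel address is outside 100.64.0.0/10")
    return findings
```

Any finding returned by `audit` is a reason to run the recovery actions described under Recover The Tunnel before making further changes to the router.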

Recover The Tunnel

If the management VPN appears missing or corrupted:
1. Open the site controls. Go to the affected site and open the site actions menu.
2. Run Recreate Management VPN. Select Recreate Management VPN. SDX dispatches the site action site.recreate_tunnel to tear down and rebuild the secure tunnel to the platform.
3. Recreate the management filter if needed. If management firewall rules are also suspect, select Recreate Management Filter. This reapplies the SDX management firewall rules.
4. Monitor the result. Watch the site state and orchestration history until the site resumes normal check-ins.

Firewall Planning

Your upstream firewall should allow outbound connections from managed routers to SDX service endpoints. For the management tunnel, allow outbound TCP 8443 to api.altostrat.io. No public inbound management rule is required for the tunnel itself because the router initiates the connection.

Trusted IPs and endpoints

Review endpoint planning for firewalls and control-plane filters.

Control plane policies

Manage trusted networks, service ports, and management access.