This guide explains how to securely access your MikroTik router using WinBox through the Management VPN. Even if your router is behind a NAT firewall, you can establish on-demand access via Transient Access credentials.

Introduction

When you add a MikroTik router to Altostrat, we automatically configure a secure tunnel called the Management VPN. This VPN enables enables you to create temporary access to the router—called Transient Access—by generating short-lived credentials for WinBox or SSH. Once they expire, these credentials are automatically revoked, keeping your device secure.

Requirements

  • Your MikroTik router must be connected to the Altostrat platform.
  • You have WinBox installed on your computer.
  • Both the router and your computer must have internet access.

Step-by-Step Instructions

1. Log in to the Altostrat Portal

  1. Visit https://sdx.altostrat.app and sign in.
  2. Locate Sites from the main menu.

2. Select a Site

  1. From the Sites page, click on the site that contains the router you want to access.
  1. Wait for the site overview to load.

3. Open Transient Access

  1. Click on the Transient Access tab (or similarly labeled section).
  2. You’ll see any existing access sessions listed here.

4. Generate Transient Access Credentials

  1. Click Add or New to generate fresh credentials.
  1. Choose the Access Type (e.g., WinBox) and specify if full admin or read-only is needed.
  2. Confirm or edit the CIDR or IP range from which you’ll connect (defaults to your IP).
  3. Set an expiration time (e.g., 2 hours).
  4. Click Add -> to receive a username/password and endpoint.

Because these credentials expire and are unique, you can share them safely with authorized teammates.

5. Copy and Use the Credentials

  1. Click Copy next to the credential block or manually copy the username/password and endpoint.
  2. Open WinBox on your PC or Mac.
  3. In the Connect To field, paste the endpoint.
  4. Enter the username and password as displayed in the credentials menu.
  5. Click Connect.

Once credentials are validated, WinBox will launch a direct session to your router through the Management VPN.

If you Click on the Winbox button next to the Credentials button and you have our application installed, the winbox session will automatically launch the Winbox utility.

Revoking Transient Access (Optional)

If you need to remove credentials before they expire:

  1. Return to the site’s Transient Access tab in the Altostrat portal.
  2. Locate the session under Active Credentials.
  3. Click Revoke to invalidate them immediately.

When revoked, the credentials no longer function, and the NAT session on the regional server is torn down.

If you run into issues, check the Orchestration Log to diagnose connection attempts or errors.

Was this page helpful?