Management VPN
How MikroTik devices connect securely to Altostrat for real-time monitoring and management.
Altostrat’s Management VPN creates a secure tunnel for real-time monitoring and remote management of your MikroTik devices—even those behind NAT firewalls. This tunnel uses OpenVPN over TCP 8443, ensuring stable performance across varied network conditions.
How It Works
- OpenVPN over TCP: Routers connect to mgnt.sdx.altostrat.io:8443, allowing management-plane traffic to flow securely, even through NAT.
- Regional Servers: VPN tunnels terminate on regional clusters worldwide for optimal latency and redundancy.
- High Availability: DNS-based geolocation resolves mgnt.sdx.altostrat.io to the closest cluster. Connections automatically reroute during regional outages.
Identification & Authentication
- Unique UUID: Each management VPN tunnel is uniquely identified by a v4 UUID, which also appears as the PPP profile name on the MikroTik.
- Authentication: Certificates are managed server-side—no manual certificate installation is required on the router.
Comments like "Altostrat: Management Tunnel" often appear in Winbox to denote the VPN interface or PPP profile.
Security & IP Addressing
- Encryption: AES-CBC or a similarly secure method is used.
- Certificate Management: All certs and key material are hosted centrally by Altostrat.
- CGNAT Range: Tunnels use addresses in the 100.64.0.0/10 space, avoiding conflicts with typical private LAN ranges.
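The identification and addressing rules above (a v4 UUID as the tunnel/profile name, the endpoint mgnt.sdx.altostrat.io on TCP 8443, and a tunnel address inside 100.64.0.0/10) can be turned into a quick audit of tunnel records. This is an added example, not Altostrat's own tooling; the flat record shape (name, server, port, proto, address) and the sample records are constructed for illustration.

```python
import ipaddress
import uuid

# Expected properties of an Altostrat management tunnel, as described on this page.
EXPECTED_SERVER = "mgnt.sdx.altostrat.io"
EXPECTED_PORT = 8443
EXPECTED_PROTO = "tcp"
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_uuid4(name: str) -> bool:
    """True if name parses as a version-4 UUID (the tunnel / PPP profile name format)."""
    try:
        return uuid.UUID(name).version == 4
    except ValueError:
        return False


def audit_tunnel(tunnel: dict) -> list:
    """Return findings for one tunnel record; an empty list means it matches expectations.

    The record shape is hypothetical: keys name, server, port, proto, address
    (e.g. filled in from a router export by the operator).
    """
    findings = []
    if not is_uuid4(tunnel.get("name", "")):
        findings.append("name is not a v4 UUID")
    if tunnel.get("server") != EXPECTED_SERVER:
        findings.append(f"unexpected server {tunnel.get('server')!r}")
    if tunnel.get("port") != EXPECTED_PORT or str(tunnel.get("proto", "")).lower() != EXPECTED_PROTO:
        findings.append("endpoint is not TCP 8443")
    try:
        addr = ipaddress.ip_address(tunnel.get("address", ""))
        if addr not in CGNAT:
            findings.append(f"tunnel address {addr} is outside 100.64.0.0/10")
    except ValueError:
        findings.append("tunnel address missing or invalid")
    return findings


# Constructed sample records (not real devices): one conforming, one with three deviations.
SAMPLE_TUNNELS = [
    {"name": "3f2a9c6e-8b1d-4e7a-9c3b-2d5f8a1e6b4c", "server": EXPECTED_SERVER,
     "port": 8443, "proto": "tcp", "address": "100.72.10.5"},
    {"name": "Altostrat-mgmt", "server": EXPECTED_SERVER,
     "port": 1194, "proto": "udp", "address": "10.0.0.5"},
]

if __name__ == "__main__":
    for t in SAMPLE_TUNNELS:
        print(t["name"], "->", audit_tunnel(t) or "OK")
```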
Management Traffic Types
Through this tunnel, the router securely transmits:
- BGP Security Feeds
- DNS Requests for content filtering
- Traffic Flow (NetFlow) data
- SNMP metrics
- Synchronous API calls
- System logs
- Transient Access sessions for on-demand remote control
Nonessential or user traffic does not route through the Management VPN by default, keeping overhead low.
Logging & Monitoring
- OpenVPN logs on Altostrat’s regional servers track connection events, data transfer metrics, and remote IP addresses.
- ICMP Latency checks monitor ping times between the router and the regional server.
- Metadata like connection teardown or failures appear in the Orchestration Log for auditing.
Recovery of the Management VPN
If the tunnel is accidentally deleted or corrupted:
1. Go to Site Overview: In the Altostrat portal, select the site that lost the tunnel.
2. Recreate Management VPN: Look for a Recreate or Restore Management VPN button. Clicking it triggers a job to wipe the old config and re-establish the tunnel.
3. Confirm Connection: Wait a few seconds, then check whether the router shows as Online. The tunnel should reappear under Interfaces in Winbox, typically labeled with the site's UUID.
Usage & Restrictions of the Synchronous API
- Read Operations: Real-time interface stats and logs flow through this API.
- Critical Router Tasks: Certain operations like reboots also pass here.
- No Full Configuration: For major config changes, Altostrat uses asynchronous job scheduling to ensure reliability and rollback options.
If you need advanced control-plane manipulation, see Control Plane Policies or consult the Management VPN Logs for debugging.