Configuring VPN Servers per Agent (Direct VPN)

A direct plant VPN is a dedicated tunnel between a single plant's Mirox-Agent and that plant's own router. It is the right tool when a plant already runs its own VPN, or when you want Mirox to host a VPN that the plant router dials into. Unlike the personal VPN, which gives every user one profile that reaches all their authorized plants, a direct VPN is a per-plant infrastructure tunnel that you set up once and that then carries the whole team's traffic for that plant.

You configure direct VPNs from a plant's Networking page, on the Site VPN tab.

When to Use a Direct VPN

Reach for a direct VPN when the plant's connectivity does not fit the standard personal-VPN model:

  • The plant router already hosts its own VPN server. You have a configuration file (WireGuard .conf) or an OpenVPN profile (.ovpn) and want Mirox to dial out to it.
  • The plant router can only dial out, not accept inbound connections. Mirox hosts the VPN endpoint and the router connects to it.
  • You want one always-on tunnel for the whole plant rather than each user carrying a personal profile.

For day-to-day technical work across several plants — opening device web interfaces, running diagnostic tools — the personal VPN and the Browser Proxy are usually the better fit. The table below summarizes the distinction; the full comparison lives on the VPN feature page.

| Tool | What it is | Who sets it up |
| --- | --- | --- |
| Personal VPN | One personal profile reaching every plant you are authorized for | Each user, within their permissions |
| Direct VPN (this guide) | A per-plant tunnel between the plant's agent and its router | A Moderator or Admin of the plant's organization |
| Browser Proxy | Open a device's web interface from the browser, no client install | The plant operator |

The Two Directions

A direct VPN can run in one of two directions. The setup wizard asks this first, under Where does the VPN server live?

Note: dashed lines indicate the connection direction — only one direction applies per direct VPN.

  • Outgoing connection — Mirox connects to the plant router. The plant router runs its own VPN server; the Mirox-Agent dials out as the client. Choose this when you already have a config file or credentials for the router's VPN.
  • Hosted here — the plant router connects to Mirox. Mirox runs the VPN server. The endpoint, port, and certificates are generated by Mirox and handed to you to load onto the plant router. Choose this when the router can dial out but cannot accept inbound connections.

Both directions support WireGuard and OpenVPN (UDP or TCP). For OpenVPN you can match an older router's settings (cipher, authentication digest, minimum TLS version, compression) so even legacy firmware connects.

Before You Start

Who can configure direct VPNs

The Site VPN tab is visible to Technical Manager or higher on the plant (including Operator). Creating, editing, or deleting a direct VPN requires a Moderator or Admin of the plant's own organization. Lower roles, and users reaching the plant through a cooperation, see the configured tunnels but cannot change them. Access follows the permission system.

Have ready:

  • The direction you need (outgoing vs hosted), based on what the plant router supports.
  • For the outgoing direction: the router's VPN config file (.conf or .ovpn), or the endpoint address and keys to enter manually.
  • The plant subnet(s) behind the router that you want to reach — the local network ranges (CIDRs) where the inverters, loggers, and other devices live.

Adding a Direct VPN

  1. Open the plant's Site VPN tab (the plant's Networking page, Site VPN tab).
  2. Click Add direct VPN. A short wizard opens.
  3. Choose the direction — Mirox connects to Park-Router (outgoing) or Park-Router connects to Mirox (hosted).
  4. Basic settings — give the tunnel a name and optional description, and pick the protocol (WireGuard or OpenVPN). For a hosted OpenVPN server you can also pick UDP or TCP and, under Advanced, match a legacy router's crypto settings.
  5. Connection details — (outgoing only) upload the router's .conf/.ovpn file, or switch to manual entry and type the endpoint and keys. For a hosted VPN there is nothing to enter here; Mirox provisions the endpoint and keys.
  6. Plant subnet — add the local network range(s) reachable behind the router. The platform validates each range and blocks anything that would clash with the reserved tunnel range, an organization VPN route, or another direct VPN on the same plant.
  7. Review and apply — confirm the summary, then click Apply.

Save the hosted-VPN credentials immediately

When you create a hosted VPN, Mirox generates the certificate and key the plant router needs to dial in, and shows them only once. Download and load them onto the router before closing the dialog — they cannot be retrieved later. If you lose them, delete and recreate the server.

Once the tunnel is up, the devices on the configured plant subnets become reachable, and any network device discovery you run on the plant scans through it.

Default route is never allowed

A direct VPN never carries a 0.0.0.0/0 "send everything" route. Always list the explicit plant subnets you want to reach. If you upload a config that contains a default route, the platform strips it and asks you to add the specific ranges.
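
A pre-upload check for the two rules above (the subnet clash validation in step 6 and the default-route ban), as an added example that is not Mirox's own code: it parses a single-peer WireGuard .conf, rejects any prefix-length-0 route (covering ::/0 as well as 0.0.0.0/0, which is a generalization), and flags overlapping ranges. The sample config, the conflict ranges and the function names are constructed assumptions; the page does not state the platform's real reserved tunnel range.

```python
import configparser
import ipaddress

# Constructed sample: a single-peer WireGuard client config for the outgoing direction.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.99.0.2/32

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = router.example.invalid:51820
AllowedIPs = 0.0.0.0/0, 192.168.10.0/24, 10.20.0.0/16, 10.99.4.0/24
"""

# Assumed ranges for illustration only; not the platform's real values.
CONFLICTS = {
    "reserved tunnel range": ipaddress.ip_network("10.99.0.0/16"),
    "organization VPN route": ipaddress.ip_network("10.20.30.0/24"),
    "another direct VPN": ipaddress.ip_network("172.16.5.0/24"),
}

def allowed_ips(conf_text):
    """Parse AllowedIPs from the [Peer] section into network objects."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep WireGuard's case-sensitive key names
    parser.read_string(conf_text)
    raw = parser["Peer"].get("AllowedIPs", "")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in raw.split(",") if p.strip()]

def preflight(conf_text, conflicts=CONFLICTS):
    """Return (accepted, rejected): routes safe to declare, and routes with a reason."""
    accepted, rejected = [], []
    for net in allowed_ips(conf_text):
        if net.prefixlen == 0:  # default route: 0.0.0.0/0 or ::/0
            rejected.append((str(net), "default route"))
            continue
        clash = next((name for name, other in conflicts.items()
                      if net.version == other.version and net.overlaps(other)), None)
        if clash:
            rejected.append((str(net), f"overlaps {clash}"))
        else:
            accepted.append(str(net))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = preflight(SAMPLE_CONF)
    print("declare as plant subnets:", ok, "| fix before upload:", bad)
```

Running the check on a router export before step 5 tells you which ranges to enter as plant subnets in step 6 and which ones the wizard would refuse.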

Managing an Existing Direct VPN

Each direct VPN appears as a card on the Site VPN tab, marked Server (hosted) or Client (outgoing), with a live connection bar and traffic indicator. Open the card's ... menu for:

  • Edit — change the name, description, subnets, endpoint, or keys.
  • Restart VPN — cycle the tunnel without changing its configuration; useful after a settings change or a transient drop.
  • Open Logs — view the tunnel's recent connection logs to diagnose a problem.
  • Diagnose — (shown when the tunnel is currently disconnected) run a guided check that suggests what to fix.
  • Delete / Disable — remove the tunnel.

Managing the Plant Subnets

The subnets a direct VPN routes are what make the plant's devices reachable. Add or remove ranges from the VPN's Edit view at any time. Removing a subnet that still has network devices behind it leaves those devices unrouted — the delete dialog warns you and lists which devices are affected, so you can reassign them to another tunnel first.

Hosted VPN: Connecting Clients

A hosted VPN can accept two kinds of connections, both managed without leaving the plant:

  • Site connections — the plant router itself (or another fixed site) dialing in and announcing the plant subnets. The first site client is created for you when you set up a hosted VPN.
  • User connections — individual people dialing in to the same hosted server. These are listed on the separate User VPN tab, where you can add a user, hand them their show-once profile, and remove their access later.

Disabling a hosted server is destructive

Deleting a hosted VPN removes the server and every connecting client — both sites and users. Their existing configurations stop working immediately and cannot be reissued; if you re-enable the server later, all clients must be created from scratch.

Related Features

  • Using the VPN — the personal, per-user VPN profile that reaches all your authorized plants
  • Using the Proxy — open a device's web interface in the browser without a VPN client
  • Managing Network Devices — discover and monitor the devices reachable over a tunnel
  • VPN (feature) — how the VPN flavours differ and how routing and auditing work
  • Local Network Inspector — platform-side reachability checks of the plant network
  • Access Audit Logging — the audit trail covering all remote access
MIT Licensed | Copyright 2026 Mirox Verwaltungs GmbH