
VPN

The Mirox platform's VPN provides secure, certificate-based remote access to the internal networks of individual plants. Instead of maintaining a separate VPN profile for each plant, every user receives a single, personal VPN profile through which all plants the user is authorized for become reachable. Permission changes, new plants, new subnets, or revoked cooperations are automatically reflected in the VPN profile — without the user having to reinstall it.

Concept

The VPN is designed as a personal single-sign-on tunnel to all granted plant networks:

  • One certificate per user: Every authenticated user can issue exactly one VPN certificate and install it on their device.
  • Automatic route management: The set of reachable plant subnets is derived dynamically from the current permissions (organization role, job role, cooperations). Any permission change automatically updates the route set.
  • Highly available: The tunnel terminates in multiple regions and fails over to another region if needed.
  • No shared keys: The private key never leaves the user's device. Mirox only ever sees the public key.

What the VPN delivers

Personal tunnel to all granted plants

Once the VPN profile is installed, the user can address all plant networks they have permissions for — exactly as if they were physically on site. This typically covers:

  • Web interfaces of inverters, tracker controllers, data loggers, control-cabinet PCs
  • SSH access to service devices
  • Modbus/TCP diagnostic tools against components in the plant network
  • The user's own tools that talk directly to the plant infrastructure

Multiple plants with overlapping local subnets (e.g. two plants both using 192.168.1.0/24) are automatically disambiguated by the system, so mix-ups are not possible.

Certificate lifecycle

The user controls their certificate directly through the platform UI:

  • Issue: Creates a new VPN profile. The complete configuration file containing the private key is shown exactly once in the browser and is never stored in the cloud.
  • Rotate: Replaces the key set without deleting the certificate. Useful e.g. when switching devices or when a compromise is suspected. The new private key is again shown only once.
  • Revoke: Disables the certificate immediately. All ongoing connections are terminated at the next sync cycle. The certificate's audit trail is retained for the legally mandated retention period.

Automatic route management

The reachable subnets follow from the user's permissions:

  • For every park or portfolio permission, the corresponding route set is computed automatically.
  • When a permission is revoked (end of a cooperation, role change), the route is removed automatically as well.
  • Conflicts between two plants that use the same local subnet are visibly marked in the route overview. The user can decide which of the conflicting plants takes priority for them.
  • Individual routes can be temporarily disabled by the user, e.g. to reach two plants with identical subnet ranges one after the other.

Session overview

The user has a dedicated session overview for their own certificate inside the platform:

  • Current connections with connection time, geographical source and transferred data volume
  • Historical sessions for traceability
  • Region and node of the terminating endpoint (for easy latency diagnostics)

This overview gives the user transparency into how their own certificate is being used. The full, legally compliant KRITIS / NIS2 audit trail is maintained separately by the plant operator and is not part of this view — see Audit Logging.

Security and control

Who may issue a certificate?

Any authenticated user can issue a certificate of their own — but the certificate alone is not enough to reach any plant. Only the permissions granted through the permission system (organization role, job role, cooperation) actually open routes.

Who may reach which plant?

The effective route set of a certificate is checked separately on each permission layer:

  • Organization membership defines which portfolios and plants are accessible in principle.
  • The job role (Operator, Technical Manager, Asset Manager, Viewer) decides whether a plant's subnets are added to the certificate.
  • Cooperations between organizations can grant access to foreign plants — provided the cooperating user holds the required operator-level job role on the shared plant.

Plain members, guests, or external users without the corresponding role receive no route for those plants.

Key custody

  • The private key is generated in the user's browser and never leaves the device.
  • Mirox only knows the user's public key and the tunnel IP assigned to them.
  • On rotation or revocation, old keys are invalidated server-side immediately.

Behavior on permission revocation

When a user loses a permission — e.g. because a cooperation ends, their job status changes, or a plant is deleted — the corresponding route automatically disappears from their certificate. Any open connections are terminated at the next sync cycle. No manual action is required.
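The route logic described in the sections on automatic route management, overlapping subnets, the permission layers and permission revocation can be worked through in code. The following is an added example, not Mirox's own code: the Plant/User shapes, the OPERATOR_ROLES set, the conflict and disable handling and the sample plants are constructed assumptions; only the layering rule (organization membership plus cooperations decide reachability in principle, the job role decides whether subnets are added) comes from the page.

```python
"""Derive a user's effective VPN route set from layered permissions.

Added illustration; not Mirox's own code. Plant/User shapes, OPERATOR_ROLES
and the sample plants are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# Roles the page lists as opening routes; "Viewer" is excluded. Which roles
# count as operator-level is an assumption for this example.
OPERATOR_ROLES = {"Operator", "Technical Manager", "Asset Manager"}


@dataclass(frozen=True)
class Plant:
    plant_id: str
    org: str          # owning organization
    subnets: tuple    # CIDR strings of the plant's local networks


@dataclass(frozen=True)
class Route:
    plant_id: str
    subnet: object         # ipaddress network object
    enabled: bool
    conflicts_with: tuple  # ids of plants whose subnets overlap this one


@dataclass
class User:
    name: str
    org: str
    job_role: str
    cooperation_plants: set = field(default_factory=set)  # third-party plants granted via cooperation
    priority_plants: set = field(default_factory=set)     # user's choice in subnet conflicts
    disabled_routes: set = field(default_factory=set)     # (plant_id, cidr) temporarily switched off


def accessible_plants(user, plants):
    """Layers 1 and 3: own organization's plants plus plants granted by cooperation."""
    return [p for p in plants if p.org == user.org or p.plant_id in user.cooperation_plants]


def effective_routes(user, plants):
    """Layer 2: only operator-level job roles get subnets added. Overlapping
    subnets are marked as conflicts; a plant in priority_plants wins its
    conflict, and routes listed in disabled_routes are switched off."""
    if user.job_role not in OPERATOR_ROLES:
        return []  # plain members, guests, viewers: no routes at all
    entries = [(ip_network(cidr), p.plant_id)
               for p in accessible_plants(user, plants) for cidr in p.subnets]
    routes = []
    for net, pid in entries:
        others = tuple(sorted(o for n2, o in entries if o != pid and n2.overlaps(net)))
        enabled = (pid, str(net)) not in user.disabled_routes
        # Conflict: if the user prioritised another plant on this subnet and
        # not this one, this route stays off until the user switches.
        if others and pid not in user.priority_plants and any(o in user.priority_plants for o in others):
            enabled = False
        routes.append(Route(pid, net, enabled, others))
    return routes


def enabled_subnets(routes):
    """Reachable CIDRs per plant, as the VPN client would see them."""
    out = {}
    for r in routes:
        if r.enabled:
            out.setdefault(r.plant_id, []).append(str(r.subnet))
    return out


# Constructed sample: two plants of org-a share 192.168.1.0/24; org-b shares
# one of its two plants with org-a via a cooperation.
SAMPLE_PLANTS = (
    Plant("solar-a", "org-a", ("10.10.0.0/24", "192.168.1.0/24")),
    Plant("wind-b", "org-a", ("192.168.1.0/24",)),
    Plant("bess-c", "org-b", ("10.20.0.0/24",)),
    Plant("solar-d", "org-b", ("10.30.0.0/24",)),
)


def demo_operator():
    return User("alice", "org-a", "Operator",
                cooperation_plants={"bess-c"}, priority_plants={"solar-a"})


def demo_viewer():
    return User("bob", "org-a", "Viewer")


if __name__ == "__main__":
    for r in effective_routes(demo_operator(), SAMPLE_PLANTS):
        state = "on " if r.enabled else "off"
        print(f"[{state}] {r.plant_id:8} {r.subnet}  conflicts={list(r.conflicts_with)}")
    print("viewer routes:", effective_routes(demo_viewer(), SAMPLE_PLANTS))
```

Removing `bess-c` from the user's cooperation set makes its route vanish on the next computation, which is the revocation behaviour the page describes; note that `solar-d`, owned by org-b but not shared, never appears at all.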

Multi-region availability

The tunnel can terminate in multiple Mirox regions simultaneously. This means:

  • The user is automatically routed to the region that offers the best reachability for their plant and source location.
  • If a region fails, another region takes over the session on the next connection attempt.
  • The user does not have to reconfigure anything; the region is selected transparently by the system.

Audit and compliance

Every access through the VPN is fully audited by the Mirox system. The audit trail captures:

  • Which user connected when and from where
  • Which plant subnets were reached during the session
  • Which specific devices (IP, protocol, port) were touched and how often
  • How much data volume was transferred per session and subnet

The audit trail is retained for at least 730 days and is only accessible to the responsible operator organization of the respective plant — not to the connected user themselves. For details see Access Audit Logging.
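To show what an operator can do with an audit trail of this shape, the following added example aggregates constructed session records and runs two consistency checks over them. It is not Mirox's code and not its audit format: the record layout, the field names and the sample sessions are assumptions; only the captured fields (user, time, source, subnets, devices with IP/protocol/port and hit count, data volume) and the 730-day minimum follow the page.

```python
"""Aggregate and sanity-check VPN audit records.

Added example; not Mirox's own code or audit format. Record layout and the
sample sessions are constructed; RETENTION_DAYS is the minimum the page states.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RETENTION_DAYS = 730

# Constructed audit records, one per VPN session. Device entries are
# (ip, protocol, port, hit_count); "subnets" maps reached CIDR -> bytes.
SAMPLE_RECORDS = [
    {"user": "alice", "start": "2025-03-01T08:15:00+00:00", "source_country": "DE",
     "plant": "solar-a",
     "subnets": {"10.10.0.0/24": 5_242_880, "192.168.1.0/24": 120_000},
     "devices": [("10.10.0.12", "tcp", 443, 31), ("192.168.1.5", "tcp", 502, 8)]},
    {"user": "alice", "start": "2025-03-02T19:40:00+00:00", "source_country": "DE",
     "plant": "bess-c",
     "subnets": {"10.20.0.0/24": 2_000_000},
     "devices": [("10.20.0.7", "tcp", 22, 2)]},
    {"user": "carol", "start": "2022-01-10T10:00:00+00:00", "source_country": "AT",
     "plant": "solar-a",
     "subnets": {"10.10.0.0/24": 90_000},
     "devices": [("10.10.0.12", "tcp", 80, 4)]},
]


def volume_by_user_and_subnet(records):
    """Transferred bytes per (user, subnet) across all sessions."""
    totals = defaultdict(int)
    for rec in records:
        for subnet, nbytes in rec["subnets"].items():
            totals[(rec["user"], subnet)] += nbytes
    return dict(totals)


def device_touches(records):
    """How often each (ip, protocol, port) was touched, summed over sessions."""
    hits = defaultdict(int)
    for rec in records:
        for ip, proto, port, count in rec["devices"]:
            hits[(ip, proto, port)] += count
    return dict(hits)


def out_of_scope_sessions(records, permitted_subnets):
    """Sessions that reached a subnet outside the user's permitted route set.

    permitted_subnets: dict user -> CIDR strings in force for that user. With
    the automatic route management the page describes this should stay
    empty, so any finding deserves the operator's attention."""
    findings = []
    for rec in records:
        allowed = [ip_network(c) for c in permitted_subnets.get(rec["user"], ())]
        for subnet in rec["subnets"]:
            net = ip_network(subnet)
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((rec["user"], rec["start"], subnet))
    return findings


def devices_outside_reported_subnets(records):
    """Record self-consistency: each touched device IP must lie inside one of
    the subnets the same record reports as reached."""
    bad = []
    for rec in records:
        nets = [ip_network(s) for s in rec["subnets"]]
        for ip, _proto, _port, _count in rec["devices"]:
            if not any(ip_address(ip) in n for n in nets):
                bad.append((rec["user"], ip))
    return bad


def deletable_after_retention(records, now_iso):
    """Records older than the 730-day minimum; everything newer must be kept."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=RETENTION_DAYS)
    return [r for r in records if datetime.fromisoformat(r["start"]) < cutoff]


if __name__ == "__main__":
    permitted = {"alice": ["10.10.0.0/24", "192.168.1.0/24"], "carol": ["10.10.0.0/24"]}
    print("volume:", volume_by_user_and_subnet(SAMPLE_RECORDS))
    print("touches:", device_touches(SAMPLE_RECORDS))
    print("out of scope:", out_of_scope_sessions(SAMPLE_RECORDS, permitted))
    print("inconsistent:", devices_outside_reported_subnets(SAMPLE_RECORDS))
    print("deletable:", [r["user"] for r in deletable_after_retention(SAMPLE_RECORDS, "2025-06-01T00:00:00+00:00")])
```

The out-of-scope check expects the route set that was in force at session time, not the current one; comparing against today's permissions would flag every access that a since-ended cooperation legitimately allowed.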

Distinction From Related Features

Mirox offers several remote-access flavours that are easy to confuse. The personal VPN described on this page is one of five; the table shows what each is for and who controls it.

| Flavour | Purpose | Who controls it? |
|---|---|---|
| Personal VPN (this page) | One personal tunnel that reaches every plant network you are authorized for | You, within your permissions |
| Organization VPN Service | A shared, organization-managed tunnel deployed into a region, with plants routed through it for the whole team | Organization admin or moderator |
| Direct Plant VPN — dial-out | The plant agent dials out to a customer's existing remote VPN, so Mirox can reach a network the customer hosts | Organization admin or moderator |
| Direct Plant VPN — host | The plant agent hosts a publicly reachable VPN endpoint that remote sites dial into; Mirox provisions the keys and certificates automatically | Organization admin or moderator |
| Browser Proxy | Open a device's web interface straight from the browser, with no VPN client to install | Plant operator (configures the web targets) |

The personal VPN is the right tool for technical staff who need to use arbitrary tools productively against devices across several plants. The Browser Proxy is the right choice when only a device's web interface needs to be opened — with no VPN installation, straight from the browser. The organization and direct plant VPNs are infrastructure-level tunnels managed centrally, rather than a personal profile you carry.

Related Features

  • Proxy — browser-based access to plant devices without a VPN client
  • Access Audit Logging — full audit trail of all VPN and Proxy access
  • Permission System — controls which user reaches which plants
  • Cooperations — sharing plants with third-party organizations
  • Local Network Inspector — platform-side reachability checks of the plant network
MIT Licensed | Copyright 2026 Mirox Verwaltungs GmbH