Question

How do I find my VPC's subnet range, and what should my UFW rules be to allow traffic through to my DB server?

I was following this tutorial on setting up a Virtual Private Cloud (VPC): How to Configure a droplet as a gateway

The droplet I’m using as a gateway is running OpenVPN. The user connects to the VPC via OpenVPN and uses it to access resources in the VPC. In particular, a Java application accesses a droplet in the VPC containing a MySQL database. I’ve managed this setup, though I’m finding the Uncomplicated Firewall (UFW) rules slightly challenging on the MySQL server droplet.

The problem is as follows. If I specify:

sudo ufw allow in on eth1 to any port 3306

then traffic gets from the OpenVPN server/gateway to the droplet fine. However, if I try to set a more restrictive rule to specify that only traffic from within the VPC is allowed:

sudo ufw allow in on eth1 from 10.114.0.0/20 to any port 3306

the firewall blocks my traffic.

The logical reason for this is that the IP address range I’m specifying must be erroneous. Though when I’m in the DigitalOcean control panel and I look under the Overview section of the VPC, there is text stating "network range", specifying the range as 10.114.0.0/20. My understanding is that this means the IP range is 10.114.0.1 to 10.114.15.254. However, when I look at my private IP when connected to the VPC via OpenVPN, it’s 10.20.0.6. So how do I get the correct IP range to specify for the UFW rules so that this firewall allows traffic from client machines connected within the VPC?
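The quickest way to settle which source range a `from` rule needs is to look at the source addresses UFW actually sees on eth1 rather than at the VPC overview: if the gateway forwards the VPN client's packets without NAT, the database droplet sees the tunnel address (10.20.0.6 in the question), which lies outside 10.114.0.0/20, so a rule limited to the VPC CIDR cannot match it. The script below is an added example, not part of the original post. It computes the usable host range of a CIDR, parses `[UFW BLOCK]` lines in the format UFW writes to its log, and reports whether each blocked source bound for port 3306 falls inside the CIDR named in the rule. The log lines are constructed samples; the addresses 10.20.0.6 and 10.114.0.0/20 are taken from the question, and the other addresses, hostnames and ports are made up.

```python
import ipaddress
import re

# Constructed sample UFW log lines (not from the original post). The first is
# a VPN client arriving with its tunnel address, the second is an unrelated
# SSH packet, the third is a VPC peer. Hostnames, MACs and ports are invented.
SAMPLE_UFW_LOG = """\
Mar  3 10:15:01 db-droplet kernel: [UFW BLOCK] IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.0.6 DST=10.114.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:07 db-droplet kernel: [UFW BLOCK] IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.114.0.2 DST=10.114.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 db-droplet kernel: [UFW BLOCK] IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.114.0.5 DST=10.114.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# key=value fields UFW logs for each packet; we only need these five.
UFW_FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")


def usable_host_range(cidr):
    """Return (first, last) usable host addresses of an IPv4 CIDR as strings.

    For 10.114.0.0/20 this is 10.114.0.1 .. 10.114.15.254, matching the
    reading of the VPC overview given in the question.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def parse_ufw_block(line):
    """Return the interesting fields of one '[UFW BLOCK]' line, or None."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(UFW_FIELD.findall(line))


def source_matches_rule(src_ip, rule_cidr):
    """True if src_ip is inside the CIDR used in the UFW 'from' clause."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_cidr, strict=False)


def audit_blocked_db_traffic(log_text, rule_cidr, iface="eth1", port="3306"):
    """For each blocked packet to `port` arriving on `iface`, say whether the
    source lies in `rule_cidr`. A False entry means the rule as written can
    never admit that client; either the rule needs the client's real source
    range (for example the VPN tunnel subnet) or the gateway must NAT the
    traffic to a VPC address before forwarding it."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if not fields or fields.get("IN") != iface or fields.get("DPT") != port:
            continue
        findings.append({
            "src": fields["SRC"],
            "in_rule_range": source_matches_rule(fields["SRC"], rule_cidr),
        })
    return findings


if __name__ == "__main__":
    print(usable_host_range("10.114.0.0/20"))
    for finding in audit_blocked_db_traffic(SAMPLE_UFW_LOG, "10.114.0.0/20"):
        print(finding)
```

On a real droplet the input is `/var/log/ufw.log` (UFW logging must be enabled with `sudo ufw logging on`); a source that shows up as out of range is the address a second `ufw allow in on eth1 from <range> to any port 3306` rule would need to cover.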



Hi there @jonVonBallstein,

One way of checking your VPC IP range is via your DigitalOcean Control Panel -> go to Networking -> then click on VPC.

There you will see all of your VPC networks and IP ranges.

Another reason why your connection would be stopped is if MySQL is bound on 127.0.0.1:3306 and not 0.0.0.0:3306. To check if this is the case, you need to SSH to your MySQL server and run the following netstat command:

netstat -plant | grep 3306

If this is the case you need to follow the steps from this tutorial here in order to allow remote MySQL connections:

https://www.digitalocean.com/community/tutorials/how-to-allow-remote-access-to-mysql

Regards, Bobby
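To turn the netstat check above into something that can be run over the command's output, here is an added example (not part of the answer or of the linked tutorial) that extracts the local address MySQL listens on for port 3306 and decides whether a VPC peer could reach it. The two output lines are constructed samples in the shape of `netstat -plant | grep 3306`; the process id and the eth1 address 10.114.0.3 are invented.

```python
# Constructed sample output of `netstat -plant | grep 3306` (not from the
# original answer). Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.
LOOPBACK_ONLY = "tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld\n"
BIND_ALL = "tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1234/mysqld\n"


def listening_addresses(netstat_output, port=3306):
    """Return the local addresses on which a socket LISTENs on `port`."""
    addrs = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 listeners such as ':::3306' intact.
        host, _, listen_port = cols[3].rpartition(":")
        if listen_port == str(port):
            addrs.append(host)
    return addrs


def reachable_from_vpc(netstat_output, vpc_ip, port=3306):
    """True if the service on `port` is bound somewhere a VPC peer can reach:
    the wildcard address (0.0.0.0 or ::) or the droplet's own eth1 address.
    A 127.0.0.1-only binding is the case the answer describes, and no UFW
    rule will help until MySQL's bind-address is changed."""
    return any(addr in ("0.0.0.0", "::", vpc_ip) for addr in listening_addresses(netstat_output, port))


if __name__ == "__main__":
    print(listening_addresses(LOOPBACK_ONLY), reachable_from_vpc(LOOPBACK_ONLY, "10.114.0.3"))
    print(listening_addresses(BIND_ALL), reachable_from_vpc(BIND_ALL, "10.114.0.3"))
```

Binding MySQL to the droplet's eth1 address rather than 0.0.0.0 keeps it off the public interface entirely, so the UFW rule on eth1 becomes a second layer rather than the only one.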