Question

How do I find my VPCs subnet range and what should my UFW rules be to allow traffic through to my DB server?

Posted September 1, 2020, 157 views
Tags: MySQL, Networking, Firewall

I was following this tutorial on setting up a Virtual Private Cloud (VPC):
How to Configure a droplet as a gateway

The droplet I’m using as a gateway is running OpenVPN. The user connects to the VPC via OpenVPN and uses it to access resources in the VPC. In particular, a Java application accesses a droplet in the VPC containing a MySQL database. I’ve managed this setup, though I’m finding the Universal firewall rules slightly challenging on the MySQL server droplet.

The problem is as follows. If I specify:

    sudo ufw allow in on eth1 to any port 3306

then traffic gets from the OpenVPN server/gateway to the droplet fine. However, if I try to set a more restrictive rule to specify that only traffic from within the VPC is allowed:

    sudo ufw allow in on eth1 from 10.114.0.0/20 to any port 3306

the firewall blocks my traffic.

The logical reason for this is that the IP address range I’m specifying must be erroneous. Though when I’m in the Digital Ocean control panel and I look under the Overview section of the VPC, there is text stating “network range”, specifying the range as 10.114.0.0/20. My understanding is that this means the IP range is 10.114.0.1 to 10.114.15.254. However, when I look at my private IP when connected to the VPC via OpenVPN it’s 10.20.0.6. So how do I get the correct IP range to specify for the UFW rules so that this firewall allows traffic from client machines connected within the VPC?


1 answer

Hi there @jonVonBallstein,

One way of checking your VPC IP range is via your DigitalOcean Control Panel -> go to Networking -> then click on VPC.

There you will see all of your VPC networks and IP ranges.

Another reason why your connection would be stopped is if MySQL is bound on 127.0.0.1:3306 and not 0.0.0.0:3306. To check if this is the case, you need to SSH to your MySQL server and run the following netstat command:

    netstat -plant | grep 3306

If this is the case you need to follow the steps from this tutorial here in order to allow remote MySQL connections:

https://www.digitalocean.com/community/tutorials/how-to-allow-remote-access-to-mysql

Regards,
Bobby

  • Thanks @bobbyiliev,

    “One way of checking your VPC IP range is via your DigitalOcean Control Panel -> go to Networking -> then click on VPC.”

    When I look in this I cannot see an IP range. I can only see 10.114.0.0/20. When I look at my own IP when I log into the private network it’s 10.20.0.6, so it’s part of the wider subnet but it’s not in the 10.114.0.0/20 range. This is confusing.

    “Another reason why your connection would be stopped is if MySQL is bound on 127.0.0.1:3306 and not 0.0.0.0:3306.”

    The MySQL bind is fine. It was originally set to 0.0.0.0 for setup and testing and then was changed to the private IP of the MySQL server for security. I tested traffic on this configuration and it worked fine if I specify a firewall rule so that the database only accepts traffic on the private network interface eth1:

        sudo ufw allow in on eth1 to any port 3306

    I think I just need a way to get the range of the IP pool that will be used to assign IPs to users joining the VPC via the OpenVPN that’s installed on the gateway server. Then I can specify that on the firewall and it should all work fine. But I can’t get the IP range.

    Thanks,

    Jon

    • Hi there @jonVonBallstein,

      Would you mind sharing the output of the following command:

          ip a

      You should see an extra interface attached to your VPC network.

      In my case it looks like this:

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
          inet 127.0.0.1/8 scope host lo
             valid_lft forever preferred_lft forever
          inet6 ::1/128 scope host
             valid_lft forever preferred_lft forever
      2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
          link/ether 42:6a:b7:c5:41:c2 brd ff:ff:ff:ff:ff:ff
          inet my_ip_address/20 brd my_ip_addr.255 scope global eth0
             valid_lft forever preferred_lft forever
          inet 10.15.0.7/16 brd 10.15.255.255 scope global eth0
             valid_lft forever preferred_lft forever
          inet6 fe80::406a:b7ff:fec5:41c2/64 scope link
             valid_lft forever preferred_lft forever
      3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
          link/ether e2:4e:0b:ad:23:31 brd ff:ff:ff:ff:ff:ff
          inet 10.123.0.2/16 brd 10.123.255.255 scope global eth1
             valid_lft forever preferred_lft forever
          inet6 fe80::e04e:bff:fead:2331/64 scope link
             valid_lft forever preferred_lft forever
      

      In my case, eth1 is the interface for my VPC network and it matches the range shown in my Control Panel.

      If you don’t see the additional interface, I would recommend following the steps here on how to enable it for existing Droplets:

      https://www.digitalocean.com/docs/networking/vpc/how-to/enable/

      Let me know how it goes!
      Regards,
      Bobby

      • Thanks @bobbyiliev

        I’ve had a look using the ip a command; it gives:

        3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
            link/ether 32:09:eb:5e:d2:d0 brd ff:ff:ff:ff:ff:ff
            inet 10.114.0.4/20 brd 10.114.15.255 scope global eth1
               valid_lft forever preferred_lft forever
            inet6 fe80::3009:ebff:fe5e:d2d0/64 scope link
               valid_lft forever preferred_lft forever
        

        When I look at the VPC in the Digital Ocean web control panel my servers are supposedly in the VPC. The given IP range is: 10.114.0.0/20. This seems in conflict with the output above.

        The IP addresses of my servers in the VPC are:
        10.114.0.2
        10.114.0.3
        10.114.0.4

        These seem fine for the range specified in the control panel but not fine for the range specified in the output of ip a. Any idea what might be going on?

        Best,

        Jon

        • Hi there @jonVonBallstein,

          The output that you’ve shared actually looks all correct.

          You could take a look at this netmask calculator here to confirm that:

          http://jodies.de/ipcalc?host=10.114.0.0&mask1=20&mask2=

          The output of your IP address indicates that your VPC IP is 10.114.0.4:

              inet 10.114.0.4/20 brd 10.114.15.255 scope global eth1
          

          And this is part of the 10.114.0.0/20 range.

          What I could suggest is first connecting via SSH to one of your Droplets and then, using telnet, trying to connect to the MySQL server using the VPC IP address of your MySQL server. That way you will be able to check if the Droplets are able to communicate via the VPC network.

          Regards,
          Bobby

          • Thanks @bobbyiliev
            The droplets can talk to each other fine over the VPC, as I’m able to SSH between them for the work I’m doing and they’re unreachable by their public IP.

            I think the issue is that when I connect via OpenVPN to the gateway server I get a private VPC IP like 10.8.0.6. Surely my private IP should be within the range 10.114.0.4/20 like the servers are? It’s because the private IP address I get is out of scope that the firewall blocks it, as it’s outside the 10.114.0.4/20 address range. Hmmm... I looked on the Digital Ocean help page but I can’t find a way to raise a direct ticket inquiry. I’m sure I’m missing something obvious.

            Thanks for all your comments and input. It’s really helped with debugging and I totally appreciate it.

            best regards,

            Justin

          • Hey @jonVonBallstein,

            No problem at all. In case that you need to you can contact support via this link here:

            https://www.digitalocean.com/support/

            Let me know how it goes!
            Regards,
            Bobby
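Worked example, added here and not part of the thread, DigitalOcean’s tooling or the OpenVPN project: a small Python diagnostic for the question asked at the top and the bind-address check from the first answer. It parses constructed samples of `ip a` and `netstat -plant` output (the eth1 values are the ones posted above; the public address and process id are made up) and uses the standard `ipaddress` module to work out the VPC subnet, its first and last usable host, and whether a given source address would be matched by a `ufw allow in from <cidr>` rule. The 10.8.0.0/24 VPN client pool is an assumption (OpenVPN’s sample default, consistent with the 10.8.0.6 address reported above).

```python
"""Diagnose the VPC-subnet vs. VPN-client-pool mismatch discussed in this thread.
Added example; not code from the thread, DigitalOcean or OpenVPN."""
import ipaddress
import re

# Constructed sample of `ip a` on the MySQL droplet (eth1 values as posted above;
# public IP replaced by a documentation address).
IP_A_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 42:6a:b7:c5:41:c2 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.10/20 brd 203.0.113.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 32:09:eb:5e:d2:d0 brd ff:ff:ff:ff:ff:ff
    inet 10.114.0.4/20 brd 10.114.15.255 scope global eth1
    inet6 fe80::3009:ebff:fe5e:d2d0/64 scope link
"""

# Constructed sample of `netstat -plant | grep 3306` (mysqld bound to the VPC address).
NETSTAT_SAMPLE = (
    "tcp        0      0 10.114.0.4:3306         0.0.0.0:*               LISTEN      1234/mysqld\n"
)

VPN_CLIENT_POOL = "10.8.0.0/24"  # assumed OpenVPN client pool, not taken from the thread

IFACE_RE = re.compile(r"^\d+: (\S+): ")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+/\d+) ")          # IPv4 only; skips inet6
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTEN")


def parse_ip_a(text):
    """Return {interface: [IPv4Interface, ...]} from `ip a` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            result[current].append(ipaddress.ip_interface(m.group(1)))
    return result


def interface_network(ip_a_text, iface):
    """Subnet the interface sits in, e.g. 10.114.0.4/20 -> '10.114.0.0/20'."""
    return str(parse_ip_a(ip_a_text)[iface][0].network)


def usable_hosts(cidr):
    """First and last assignable host address (network and broadcast excluded)."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


def rule_admits(source_ip, allowed_cidr):
    """Would a `ufw allow in from <allowed_cidr>` rule match a packet from source_ip?"""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(allowed_cidr, strict=False)


def mysql_bind_addresses(netstat_text, port=3306):
    """IPv4 addresses with a LISTEN socket on `port` in netstat -plant output."""
    return [m.group(1) for m in map(LISTEN_RE.match, netstat_text.splitlines())
            if m and int(m.group(2)) == port]


def bind_scope(bind_addr, ip_a_text):
    """'any' for 0.0.0.0, 'loopback' for an address on lo, otherwise the interface
    carrying the address, or 'unknown' if no interface has it."""
    if bind_addr == "0.0.0.0":
        return "any"
    addr = ipaddress.ip_address(bind_addr)
    for iface, addrs in parse_ip_a(ip_a_text).items():
        if any(a.ip == addr for a in addrs):
            return "loopback" if iface == "lo" else iface
    return "unknown"


def diagnose(client_ip, ip_a_text=IP_A_SAMPLE, netstat_text=NETSTAT_SAMPLE, iface="eth1"):
    """Explain which source range a rule on `iface` must cover for client_ip."""
    vpc = interface_network(ip_a_text, iface)
    first, last = usable_hosts(vpc)
    lines = [f"mysqld listens on {b} (scope: {bind_scope(b, ip_a_text)})"
             for b in mysql_bind_addresses(netstat_text)]
    covered = rule_admits(client_ip, vpc)
    lines.append(f"{client_ip} {'is' if covered else 'is NOT'} inside {vpc} ({first} to {last})")
    if not covered and rule_admits(client_ip, VPN_CLIENT_POOL):
        lines.append(f"{client_ip} is in the assumed VPN client pool {VPN_CLIENT_POOL}; "
                     f"a 'from {vpc}' rule on {iface} drops it unless the gateway NATs")
    return lines


if __name__ == "__main__":
    for ip in ("10.114.0.2", "10.8.0.6"):
        print("\n".join(diagnose(ip)), end="\n\n")
```

Running the block shows the two cases from the thread side by side: a droplet address such as 10.114.0.2 falls inside 10.114.0.0/20 (10.114.0.1 to 10.114.15.254, the range the question worked out by hand), while a VPN client address such as 10.8.0.6 does not, so a `from 10.114.0.0/20` rule on eth1 can only ever admit the droplets. What the database droplet sees as the source depends on the gateway: if it routes VPN traffic into the VPC without masquerading, the source is the client’s pool address and the rule must name that pool; if it NATs, the source is the gateway’s own eth1 address, which is the narrowest rule of all. Either way the rule stays on eth1, so the public interface remains closed.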
