Question

How do I find my VPCs subnet range and what should my UFW rules be to allow traffic through to my DB server?

I was following this tutorial on setting up a Virtual Private Cloud (VPC): How to Configure a droplet as a gateway

The droplet I’m using as a gateway is running OpenVPN. The user connects to the VPC via OpenVPN and uses it to access resources in the VPC. In particular, a Java application accesses a droplet in the VPC containing a MySQL database. I’ve managed this setup, though I’m finding the Universal firewall rules slightly challenging on the MySQL server droplet.

The problem is as follows. If I specify:

sudo ufw allow in on eth1 to any port 3306

then traffic gets from the OpenVPN server/gateway to the droplet fine. However, if I try to set a more restrictive rule to specify that only traffic from within the VPC is allowed:

sudo ufw allow in on eth1 from 10.114.0.0/20 to any port 3306

The firewall blocks my traffic.

The logical reason for this is that the IP address range I’m specifying must be erroneous. Though when I’m in the Digital Ocean control panel and I look under the Overview section of the VPC, there is text stating **network range**, specifying the range as 10.114.0.0/20. My understanding is that this means the IP range is 10.114.0.1 to 10.114.15.254. However, when I look at my private IP when connected to the VPC via OpenVPN, it’s 10.20.0.6. So how do I get the correct IP range to specify for the UFW rules so that this firewall allows traffic from client machines connected within the VPC?
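The following is an added example, not part of the original question or of DigitalOcean's tooling. It models how the two UFW rules quoted above evaluate an inbound packet against the source address the MySQL droplet actually sees, and it computes the usable host range of 10.114.0.0/20. The VPC range is taken from the post; the OpenVPN tunnel subnet 10.20.0.0/24 is an assumption inferred from the client address 10.20.0.6 and is labelled as such in the code. Whether the gateway rewrites the source address to its own VPC address before forwarding depends on its NAT configuration, which the post does not show; without such rewriting, the restrictive rule sees the tunnel address and does not match.

```python
"""
Added example (not from the original post): model how UFW evaluates the two
rules from the question against the source address the MySQL droplet sees.
Assumptions: VPC range 10.114.0.0/20 (from the post); the OpenVPN tunnel
subnet 10.20.0.0/24 is a constructed assumption derived from the client
address 10.20.0.6 mentioned in the post.
"""
import ipaddress
import re

# Minimal parser for the two rule forms used in the question:
#   ufw allow in on <iface> [from <cidr>] to any port <port>
RULE_RE = re.compile(
    r"^(?:sudo\s+)?ufw\s+allow\s+in\s+on\s+(?P<iface>\S+)"
    r"(?:\s+from\s+(?P<src>\S+))?"
    r"\s+to\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)\s*$"
)

VPC_CIDR = ipaddress.ip_network("10.114.0.0/20")    # from the VPC Overview page
TUNNEL_CIDR = ipaddress.ip_network("10.20.0.0/24")  # assumption: OpenVPN client pool


def parse_rule(text):
    """Turn one 'ufw allow in ...' command into a dict of match criteria."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    src = m.group("src")
    return {
        "iface": m.group("iface"),
        "src": ipaddress.ip_network(src, strict=False) if src else None,
        "port": int(m.group("port")),
    }


def rule_matches(rule, iface, src_ip, dport):
    """True if an inbound packet (iface, src_ip, dport) is accepted by the rule."""
    if rule["iface"] != iface or rule["port"] != dport:
        return False
    if rule["src"] is not None and ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    return True


def host_range(cidr):
    """First and last usable host address of a block (network/broadcast excluded)."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])


def classify_source(src_ip):
    """Which network does the DB droplet see the connection coming from?"""
    ip = ipaddress.ip_address(src_ip)
    if ip in VPC_CIDR:
        return "vpc"
    if ip in TUNNEL_CIDR:
        return "vpn-tunnel"
    return "other"


if __name__ == "__main__":
    open_rule = parse_rule("sudo ufw allow in on eth1 to any port 3306")
    vpc_rule = parse_rule("sudo ufw allow in on eth1 from 10.114.0.0/20 to any port 3306")
    print("usable VPC hosts:", host_range("10.114.0.0/20"))
    for src in ("10.20.0.6", "10.114.0.5"):
        print(src, classify_source(src),
              "open-rule:", rule_matches(open_rule, "eth1", src, 3306),
              "vpc-rule:", rule_matches(vpc_rule, "eth1", src, 3306))
```

Running it shows the /20 spans 10.114.0.1 to 10.114.15.254, that the unrestricted rule accepts 10.20.0.6, and that the `from 10.114.0.0/20` rule rejects it while accepting an address inside the VPC. The practical check on the DB droplet is the source address recorded in the UFW log entries for the blocked connection, which tells you which network the rule needs to name.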


Hi there @jonVonBallstein,

One way of checking your VPC IP range is via your DigitalOcean Control Panel -> go to Networking -> then click on VPC.

There you will see all of your VPC networks and IP ranges.

Another reason why your connection would be stopped is if MySQL is bound to 127.0.0.1:3306 and not 0.0.0.0:3306. To check if this is the case, you need to SSH to your MySQL server and run the following netstat command:

netstat -plant | grep 3306

If this is the case you need to follow the steps from this tutorial here in order to allow remote MySQL connections:

https://www.digitalocean.com/community/tutorials/how-to-allow-remote-access-to-mysql

Regards, Bobby
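As an added example (not part of the answer above or of the linked tutorial), here is a small parser for `netstat -plant` output that reports the bind address of the listener on port 3306 and whether it is reachable from the network at all. Both netstat samples are constructed for the demo; the PIDs, program names and the 10.114.0.x addresses in them are made up.

```python
"""
Added example (not from the original answer): parse 'netstat -plant' output
and report whether port 3306 is reachable from the network or bound to
loopback only. The two netstat samples below are constructed for the demo.
"""

# Constructed sample: MySQL listening on loopback only, plus unrelated sockets.
SAMPLE_LOOPBACK_ONLY = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 10.114.0.7:22           10.114.0.2:51034        ESTABLISHED 1811/sshd: root
"""

# Constructed sample: MySQL re-bound to all interfaces, as the linked tutorial does.
SAMPLE_ALL_INTERFACES = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1234/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
"""

LOOPBACK = {"127.0.0.1", "::1"}


def listeners(netstat_output, port):
    """Return [(local_addr, program)] for sockets in LISTEN state on `port`."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # Skip the banner, the header row and anything that is not a TCP socket.
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        local, state, program = parts[3], parts[5], parts[6]
        # rpartition handles both '127.0.0.1:3306' and the IPv6 form ':::3306'.
        addr, _, lport = local.rpartition(":")
        if state == "LISTEN" and lport == str(port):
            found.append((addr, program))
    return found


def reachable_from_network(netstat_output, port):
    """True if any listener on `port` is bound to something other than loopback."""
    return any(addr not in LOOPBACK for addr, _ in listeners(netstat_output, port))


if __name__ == "__main__":
    for name, sample in (("loopback-only", SAMPLE_LOOPBACK_ONLY),
                         ("all-interfaces", SAMPLE_ALL_INTERFACES)):
        print(name, listeners(sample, 3306),
              "reachable from network:", reachable_from_network(sample, 3306))
```

Once MySQL is bound to 0.0.0.0, the listener is exposed on every interface of the droplet, which is exactly why the UFW rule from the question should keep the interface restriction (`in on eth1`) and a source restriction that names the network the connections actually arrive from.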