I have created a twingate connector droplet within my VPC following this blog:
https://www.twingate.com/blog/static-ips-digitalocean
I can create another droplet “foo” in my VPC, add the private ip of foo as a twingate resource, and then ping the private IP address of foo successfully from my local computer. Therefore, it appears to me that the twingate routing is working correctly.
I have a managed mongodb also within the VPC. Not surprisingly, when I set my local computer’s IP address as trusted, I can connect to the public host <my_database_identifier>.mongo.ondigitalocean.com using the public connection string provided by digital ocean.
I’d like to be able to connect my local computer to the private host private-<my_database_identifier>.mongo.ondigitalocean.com from within the VPC, using access via the twingate connector droplet, so that any user in my twingate network can do the same. If I set the IP range of my VPC (10.124.0.0/20) as trusted and create a twingate resource for private-<my_database_identifier>.mongo.ondigitalocean.com, I can’t connect using the private connection string provided by Digital Ocean:
mongodb+srv://doadmin:<my-password>@private-<my-database-identifier>.mongo.ondigitalocean.com/admin?authSource=admin&replicaSet=team-data&tls=true
Maybe this is not surprising because, as far as I can tell, twingate should route traffic directly from my local computer rather than using the connector as a proxy.
However, I have tried to connect with my local computer IP address set as trusted and with all trusted IPs removed, so that connections from any source should be accepted. So it’s not the lack of a trusted source that is the problem.
I note that Digital Ocean says that tls is required. Maybe the problem is trying to route tls through twingate? (That gets a little beyond the range of my knowledge…)
I am using mongodb Compass to test my connections (successfully to the public host, unsuccessfully to the private host).
Anyone out there have ideas as to what I could do to make a connection to the private host of a managed database through twingate?
Hey Geoffrey,
Your setup with Twingate makes sense, but the key issue is that Twingate routes traffic directly from your local machine, not through the connector as a proxy. Since DigitalOcean only allows private connections from within the VPC, your connection might still be seen as external.
First, try SSHing into the Twingate connector and running nc -zv private-<my_database_identifier>.mongo.ondigitalocean.com 27017 to confirm if it can reach the private MongoDB endpoint. If that fails, there’s likely a routing issue or the database isn’t recognizing connections from the VPC correctly.
Since your local machine isn’t technically inside the VPC, an alternative is setting up an SSH tunnel through the connector and forcing traffic through it. You can do this with ssh -L 27018:private-<my_database_identifier>.mongo.ondigitalocean.com:27017 root@<your-twingate-connector-ip>, then connect to mongodb://localhost:27018/admin?authSource=admin&replicaSet=team-data&tls=true in MongoDB Compass. This ensures the request originates from inside the VPC.
DigitalOcean requires TLS for private MongoDB connections, but if you’re seeing handshake issues, try adding tlsAllowInvalidCertificates=true to your connection string just to rule out TLS mismatches. If nothing works, it’s best to check with DigitalOcean support at https://do.co/support to see if they can confirm whether your Twingate connector is properly recognized as part of the VPC.
- Bobby
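A staged check that separates the failure causes raised in this thread (name resolution, routing to an address inside the VPC, and the TLS handshake), added here as an example and not part of the original posts. The function name `probe` and its result keys are made up for this example; the host you pass is whatever name you would give to nc, and certificate verification stays on so a certificate problem shows up as a `tls` failure instead of being masked.

```python
import ipaddress
import socket
import ssl
import sys

VPC_CIDR = "10.124.0.0/20"  # VPC range quoted in the question


def probe(host, port=27017, vpc_cidr=VPC_CIDR, timeout=5.0, context=None):
    """Report the first stage that fails: 'dns', 'tcp', 'tls', or None if all pass."""
    result = {"failed_stage": None, "address": None, "in_vpc": None, "detail": ""}

    # Stage 1: does the name resolve from this machine at all?
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result.update(failed_stage="dns", detail=str(exc))
        return result
    address = infos[0][4][0]
    result["address"] = address
    # A private endpoint should resolve to an address inside the VPC range.
    result["in_vpc"] = ipaddress.ip_address(address) in ipaddress.ip_network(vpc_cidr)

    # Stage 2: can a TCP connection be opened (routing / trusted sources)?
    try:
        sock = socket.create_connection((address, port), timeout=timeout)
    except OSError as exc:
        result.update(failed_stage="tcp", detail=str(exc))
        return result

    # Stage 3: TLS handshake with normal certificate and hostname verification.
    ctx = context or ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["detail"] = tls.version() or ""
    except (ssl.SSLError, OSError) as exc:
        result.update(failed_stage="tls", detail=str(exc))
    return result


if __name__ == "__main__":
    # Usage: python probe.py <hostname> [<hostname> ...]
    for name in sys.argv[1:]:
        print(name, probe(name))
```

Run it once from the local machine with the Twingate client connected and once from the connector droplet; comparing the two results shows whether the difference is in resolution, reachability or TLS.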