I have created a twingate connector droplet within my VPC following this blog:
https://www.twingate.com/blog/static-ips-digitalocean
I can create another droplet “foo” in my VPC, add the private ip of foo as a twingate resource, and then ping the private IP address of foo successfully from my local computer. Therefore, it appears to me that the twingate routing is working correctly.
I have a managed mongodb also within the VPC. Not surprisingly, when I set my local computer’s IP address as trusted, I can connect to the public host <my_database_identifier>.mongo.ondigitalocean.com using the public connection string provided by digital ocean.
I’d like to be able to connect my local computer to the private host private-<my_database_identifier>.mongo.ondigitalocean.com from within the VPC, using access via the twingate connector droplet, so that any user in my twingate network can do the same. If I set the IP range of my VPC (10.124.0.0/20) as trusted and create a twingate resource for private-<my_database_identifier>.mongo.ondigitalocean.com, I can’t connect using the private connection string provided by Digital Ocean:
mongodb+srv://doadmin:<my-password>@private-<my-database-identifier>.mongo.ondigitalocean.com/admin?authSource=admin&replicaSet=team-data&tls=true
Maybe this is not surprising because, as far as I can tell, twingate should route traffic directly from my local computer rather than using the connector as a proxy.
However, I have tried to connect with my local computer IP address set as trusted and with all trusted IPs removed, so that connections from any source should be accepted. So it’s not the lack of a trusted source that is the problem.
I note that Digital Ocean says that tls is required. Maybe the problem is trying to route tls through twingate? (That gets a little beyond the range of my knowledge…)
I am using MongoDB Compass to test my connections (successfully to the public host, unsuccessfully to the private host).
Anyone out there have ideas as to what I could do to make a connection to the private host of a managed database through twingate?
Hey Geoffrey,
Your setup with Twingate makes sense, but the key issue is that Twingate routes traffic directly from your local machine, not through the connector as a proxy. Since DigitalOcean only allows private connections from within the VPC, your connection might still be seen as external.
First, try SSHing into the Twingate connector and running
nc -zv private-<my_database_identifier>.mongo.ondigitalocean.com 27017
to confirm if it can reach the private MongoDB endpoint. If that fails, there’s likely a routing issue or the database isn’t recognizing connections from the VPC correctly.
Since your local machine isn’t technically inside the VPC, an alternative is setting up an SSH tunnel through the connector and forcing traffic through it. You can do this with
ssh -L 27018:private-<my_database_identifier>.mongo.ondigitalocean.com:27017 root@<your-twingate-connector-ip>
then connect to
mongodb://localhost:27018/admin?authSource=admin&replicaSet=team-data&tls=true
in MongoDB Compass. This ensures the request originates from inside the VPC.
DigitalOcean requires TLS for private MongoDB connections, but if you’re seeing handshake issues, try adding
tlsAllowInvalidCertificates=true
to your connection string just to rule out TLS mismatches. If nothing works, it’s best to check with DigitalOcean support at https://do.co/support to see if they can confirm whether your Twingate connector is properly recognized as part of the VPC.
- Bobby
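The tunnel approach in the answer above changes two things about the connection string that are easy to get wrong by hand: the host becomes localhost (so an SRV lookup no longer makes sense, and the server certificate, which names the private-… host, no longer matches the host the client dials), and the driver, on learning replica-set member hostnames from the server, may try to reach them directly and bypass the tunnel. The helper below, an added example that is not part of the thread and not Bobby's or DigitalOcean's code, rewrites a private connection string for the local end of the `ssh -L 27018:…:27017` forward from the answer, and audits a string for options that weaken TLS verification. The database identifier, password and replica-set name in the sample are constructed; the 27018 local port comes from the answer.

```python
"""Rewrite a DigitalOcean managed-MongoDB URI for an SSH local port forward and
flag TLS options that weaken certificate verification.

Added example, not from the original thread. Hostnames, credentials and the
replica-set name below are constructed placeholders."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample in the shape of DigitalOcean's private connection string.
SAMPLE_PRIVATE_URI = (
    "mongodb+srv://doadmin:secret@private-abc123.mongo.ondigitalocean.com/admin"
    "?authSource=admin&replicaSet=team-data&tls=true"
)

# Options that weaken TLS verification, from broadest to narrowest. Acceptable
# for a one-off diagnosis; in a stored config any of these is a finding.
WEAKENING_TLS_OPTIONS = {
    "tlsinsecure": "disables every TLS check",
    "tlsallowinvalidcertificates": "skips certificate chain validation",
    "tlsallowinvalidhostnames": "skips hostname-to-certificate matching only",
}


def uri_options(uri: str) -> dict:
    """Return the query options of a MongoDB URI as a dict (key case preserved)."""
    return dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))


def audit_tls_options(uri: str) -> list:
    """List the verification-weakening options that are present and set to true."""
    findings = []
    for key, value in uri_options(uri).items():
        reason = WEAKENING_TLS_OPTIONS.get(key.lower())
        if reason and value.lower() == "true":
            findings.append(f"{key}: {reason}")
    return findings


def tunnel_uri(private_uri: str, local_port: int = 27018,
               relax_hostname_check: bool = False) -> str:
    """Point a mongodb+srv://user:pw@private-host/db?... URI at the local end of
    `ssh -L <local_port>:private-host:27017 root@<connector>`.

    - the scheme becomes plain mongodb:// (no SRV lookup for localhost)
    - directConnection=true keeps the driver on the tunnelled socket instead of
      dialling replica-set members by their private hostnames
    - tls=true is kept; with relax_hostname_check only the hostname match is
      relaxed (the certificate names private-host, not localhost) while chain
      validation stays on, unlike tlsAllowInvalidCertificates
    """
    parts = urlsplit(private_uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"not a MongoDB URI scheme: {parts.scheme!r}")
    userinfo, _, _original_host = parts.netloc.rpartition("@")
    local_host = f"localhost:{local_port}"
    netloc = f"{userinfo}@{local_host}" if userinfo else local_host
    opts = uri_options(private_uri)
    opts["tls"] = "true"
    opts["directConnection"] = "true"
    if relax_hostname_check:
        opts["tlsAllowInvalidHostnames"] = "true"
    return urlunsplit(("mongodb", netloc, parts.path or "/", urlencode(opts), ""))


if __name__ == "__main__":
    rewritten = tunnel_uri(SAMPLE_PRIVATE_URI)
    print(rewritten)
    print("weakening options:", audit_tls_options(rewritten) or "none")
    print("with relaxed hostname check:",
          audit_tls_options(tunnel_uri(SAMPLE_PRIVATE_URI, relax_hostname_check=True)))
```

Run the `ssh -L` command from the answer first, then paste the rewritten string into Compass. Running `audit_tls_options` over any connection string that ends up in a config file is a cheap way to make sure a `tlsAllowInvalidCertificates=true` added for troubleshooting does not outlive the troubleshooting.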