SSH on private IP to Digital Ocean Droplet

Hello everyone,


  • a CentOS 7 Droplet with a public IP on eth0 & private IP on eth1

SSH Clients on my home computer which I use to connect using SSH keys

  • MobaXterm on Windows 7 or
  • VirtualBox CentOS 7 VM

Now the situation is as follows

  1. My home computer’s public WAN IP address is changed automatically via DHCP by my ISP once a week or so.

  2. On the server, I’m firewalling (hereafter referred to as the Firewall-layer for simplicity) as below

DigitalOcean Cloud firewall --> server firewall IPTables --> TCPWrappers layer

  1. By observing a pattern of my public IP subnets over a period of time, I’ve used them to determine my ISP’s AS number via this and, I have white-listed a few of them in my Firewall-layer (strangely, they repeat in a random order & are restricted to the same 3-4 subnets each with the CIDR /22, therefore the pattern)

  2. Now in the event when my public WAN IP changes, I momentarily lose access to my server since TCPWrappers prevent me from accessing it.

  3. The workaround I use is to take console access of my Droplet & un-comment out only that public IP subnet belonging to my current WAN IP address, leaving the others commented which I un-comment as soon as the above recurs.

  4. To fix this, I can either leave all the entries in the TCPWrappers un-commented so as to avoid the hassle but, as much as I understand, I strongly feel it is wrong as a security best practice

therefore, the alternative OR

  1. I’m thinking of writing a bash script that would run on my VirtualBox VM which would detect my current outgoing WAN IP address using a simple cURL call & use it to modify the TCPWrappers & IPTables on my Droplet as explained in the workaround above

  2. But for it to work, I’d need to be able to SSH onto my Droplet via its private IP on eth1 which is what I’ve been tinkering with but unable to find an ideal way to do so, until now.

Could someone please guide me to the ideal way to achieve this?

Do let me know if any additional information that I may have missed is required.



DigitalOcean doesn’t offer those services. You would have to build a second droplet which would host a VPN or your port forwarding, but then your problem is securing that second droplet.

Have you considered using DO’s firewall instead of setting it up on the droplet yourself? You can control that through the DO web interface (and secure that using 2FA if you wish) or use ‘doctl’ to programmatically control it.

That way, you don’t have to rely on the firewall on your droplet at all, and only need to trust DO to secure its own web interface. But you have to trust that anyway.

Your private IP is only reachable from other servers in the same datacenter (and soon, only from other servers in the same datacenter on the same account).

It sounds like you’re trying to reach your private IP from the outside - that won’t work.
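
The script idea from the question combined with the `doctl` suggestion above, as an added example that is not code from any poster in this thread: it accepts the detected WAN IP only if it falls inside one of the already known ISP subnets, then builds the SSH inbound rule for the Cloud Firewall. The subnets, `IP_ECHO_URL` and `FIREWALL_ID` are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample ranges; replace with the ISP subnets you already trust.
ALLOWED_SUBNETS="198.51.100.0/22 192.0.2.0/24"
IP_ECHO_URL="https://ip-echo.example/"   # placeholder: any service returning your IPv4 as plain text
FIREWALL_ID="REPLACE-WITH-FIREWALL-ID"   # placeholder: ID of your DigitalOcean Cloud Firewall

# Convert a dotted-quad IPv4 address to an integer; fail on anything malformed.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # no leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the allowed subnet that contains the given IP; fail if none does.
matching_subnet() {
    ip_n=$(ip_to_int "$1") || return 1
    for cidr in $ALLOWED_SUBNETS; do
        net_n=$(ip_to_int "${cidr%/*}") || continue
        bits=${cidr#*/}
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        if [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]; then
            echo "$cidr"; return 0
        fi
    done
    return 1
}

# Build the doctl inbound rule (SSH only) for the subnet the IP belongs to.
inbound_rule() {
    subnet=$(matching_subnet "$1") || return 1
    echo "protocol:tcp,ports:22,address:$subnet"
}

# Detect the WAN IP and open SSH for its subnet; refuse IPs outside the known ranges.
update_firewall() {
    wan_ip=$(curl -fsS --max-time 10 "$IP_ECHO_URL") || return 1
    rule=$(inbound_rule "$wan_ip") || { echo "refusing: $wan_ip not in known ranges" >&2; return 1; }
    doctl compute firewall add-rules "$FIREWALL_ID" --inbound-rules "$rule"
}

if [ "${1:-}" = "--apply" ]; then update_firewall; fi
```

Run it with `--apply` from the home machine; it only adds a rule, so the previous subnet still has to be taken out with `doctl compute firewall remove-rules`.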