How to Connect to a DigitalOcean Managed Database When Your IP Address Changes
If you're working with a DigitalOcean managed database from your local machine, you've probably run into this frustrating scenario: everything works perfectly one day, then suddenly your database connection times out. The culprit? Your IP address changed, and it's no longer in the database's trusted sources list.
This is a common problem for developers working from home, coffee shops, or anywhere with dynamic IP addresses. Here’s how I solved it, and how you can too.
The Problem
DigitalOcean’s managed databases use IP whitelisting for security. This means only connections from approved IP addresses can access your database. When you’re on a residential or mobile internet connection, your IP address can change frequently, breaking your database connection each time.
My initial setup worked great with DBeaver on my Mac, but after my IP changed, I was locked out. I even tried setting up Tailscale as a workaround, but still experienced timeouts.
The Solution: SSH Tunnel Through Your Droplet
The elegant solution is to use your DigitalOcean droplet as a jump host. Since your droplet has a static IP that’s already trusted by your database, you can tunnel your database connection through it.
This approach offers several benefits:
- No need to constantly update trusted IP addresses
- Works from anywhere, even on public WiFi
- More secure than exposing your database to multiple IP addresses
- Simple to set up in most database clients
Step-by-Step Setup in DBeaver
Prerequisites
- A DigitalOcean droplet with SSH access
- Your droplet’s IP added to the database’s trusted sources
- SSH key configured for your droplet (usually ~/.ssh/id_rsa)
Configuration Steps
1. Open Your Database Connection in DBeaver
Navigate to your existing database connection or create a new one.
2. Configure the SSH Tunnel
Click on the SSH tab in the connection settings and configure the following:
- ✅ Check Use SSH Tunnel
- Host/IP: Your droplet’s public IP address
- Port: 22
- User Name: Your SSH username (usually root or your custom user)
- Authentication Method: Select Public Key
- Private Key: ~/.ssh/id_rsa (or your key’s path)
- Public Key: Leave empty (auto-detected)
- Passphrase: Enter if your key has one, otherwise leave blank
3. Test the Connection
Before testing the database connection, click Test tunnel configuration to verify the SSH connection works properly. You should see a success message.
4. Configure Database Connection
Go back to the Main tab and enter your database credentials as normal:
- Host: Your database hostname (from DigitalOcean)
- Port: Your database port (usually 25060 for PostgreSQL)
- Database name
- Username and password
5. Test and Save
Click Test Connection. If everything is configured correctly, you should see a successful connection message. Save your connection settings.
How It Works
When you connect to your database through an SSH tunnel:
- DBeaver establishes an SSH connection to your droplet
- Through that encrypted connection, it forwards your database traffic
- The database sees the connection coming from your droplet’s IP (which is trusted)
- Your local IP address becomes irrelevant
This creates a secure, encrypted pathway from your local machine to your database, regardless of where you’re connecting from.
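The same tunnel opened from a terminal with OpenSSH, as an added example that is not part of the original post. The host names, the user name, local port 15432 and the control-socket path are placeholder assumptions.

```shell
#!/bin/sh
# Added example: command-line form of the DBeaver SSH tunnel settings.
# Every value below is a placeholder (assumption); substitute your own.
DROPLET_USER="${DROPLET_USER:-tunnel}"            # unprivileged user, not root
DROPLET_HOST="${DROPLET_HOST:-droplet.example.com}"
DB_HOST="${DB_HOST:-db-cluster.example.com}"      # database hostname from DigitalOcean
DB_PORT="${DB_PORT:-25060}"
LOCAL_PORT="${LOCAL_PORT:-15432}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_rsa}"
CTL_SOCKET="${CTL_SOCKET:-$HOME/.ssh/db-tunnel.sock}"

# Accept only a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel print|open|close
tunnel() {
  action="$1"
  target="${DROPLET_USER}@${DROPLET_HOST}"
  if ! valid_port "$LOCAL_PORT" || ! valid_port "$DB_PORT"; then
    echo "invalid port" >&2
    return 2
  fi
  # Bind the listener to loopback so other hosts on the local network
  # (public WiFi, for instance) cannot reach the forwarded database port.
  # ExitOnForwardFailure makes ssh fail instead of running without the forward.
  set -- -S "$CTL_SOCKET" -i "$SSH_KEY" -o IdentitiesOnly=yes \
         -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
         -L "127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT}" "$target"
  case "$action" in
    print) echo "ssh -f -N -M $*" ;;
    open)  ssh -f -N -M "$@" ;;                      # background, no remote shell
    close) ssh -S "$CTL_SOCKET" -O exit "$target" ;; # stop the background master
    *)     echo "usage: tunnel print|open|close" >&2; return 2 ;;
  esac
}

# With the tunnel open, the client connects to the local end, e.g.:
#   psql "host=127.0.0.1 port=15432 dbname=<db> user=<user> sslmode=require"
# Optional hardening on the droplet, in that user's ~/.ssh/authorized_keys:
#   restrict,port-forwarding,permitopen="db-cluster.example.com:25060" ssh-ed25519 AAAA...
if [ "$#" -gt 0 ]; then tunnel "$1"; fi
```

Run it with `print` first to inspect the command, then `open` before starting the database client and `close` when finished.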
Alternative Solutions
While the SSH tunnel method is my recommended approach, here are other options:
Option 1: Manual IP Whitelisting
Add your current IP address to the database’s trusted sources each time it changes. This works but becomes tedious quickly.
Option 2: VPN with Static IP
Use a VPN service that provides a static IP address and whitelist that IP. This adds another service to manage but works across all applications.
Option 3: VPC Network
If your applications run on DigitalOcean droplets, you can use DigitalOcean’s VPC (Virtual Private Cloud) to keep database traffic on a private network without exposing it to the internet.
Troubleshooting Tips
Connection times out:
- Verify your droplet’s IP is in the database’s trusted sources
- Check that port 22 is open on your droplet’s firewall
- Ensure you’re using the correct SSH key
Authentication failed:
- Verify the path to your SSH private key is correct
- Check if your key requires a passphrase
- Ensure your SSH key is added to the droplet’s authorized_keys
Database connection fails after SSH succeeds:
- Double-check your database hostname and port
- Verify your database credentials
- Confirm the droplet’s IP is whitelisted in the database settings
Security Considerations
This setup is actually more secure than constantly adding IP addresses to your whitelist:
- All traffic is encrypted through SSH
- You only need one trusted IP (your droplet) instead of many
- Reduces the attack surface of your database
- SSH key authentication is more secure than password-only database access
Conclusion
Dynamic IP addresses don’t have to be a headache when working with managed databases. By leveraging an SSH tunnel through your existing infrastructure, you get a reliable, secure connection that works from anywhere.
This solution has saved me countless hours of frustration and eliminated the need to update trusted sources every time my IP changes. Plus, it’s a technique that works with virtually any database client that supports SSH tunneling, not just DBeaver.
Have you dealt with similar connectivity issues? What solutions have worked for you? Share your experiences in the comments below.


