Open UDP port 64738 in a DigitalOcean firewall (Mumble)

What you’re trying to achieve

• Allow inbound UDP 64738 to your droplet
• (Optional) allow inbound TCP 64738 as a fallback
• Block everything else that you don’t need

Default Mumble port: 64738. If you changed it in config, use your chosen port everywhere below.

Step 1: confirm Mumble is running and listening

On the server:

sudo systemctl status mumble-server.service --no-pager

# Show listening sockets (UDP/TCP)
ss -lunpt | grep -E '(:64738\b|mumble)' || true

If nothing is listening on UDP 64738, fix that before touching firewalls.

Step 2: DigitalOcean Cloud Firewall rule (inbound)

In the DigitalOcean control panel: Networking → Firewalls (or the firewall attached to the droplet).

Create an inbound rule:

• Protocol: UDP
• Port range: 64738
• Sources: ideally your expected client IPs; otherwise 0.0.0.0/0 (and optionally ::/0)

If you can restrict sources to a known set of IPs, do it. If you can’t (mobile users, travel), keep it open but ensure your server is not publicly listed and uses join controls.

Step 3: UFW rule (host firewall)

If you use UFW on Ubuntu/Debian:

sudo ufw status verbose

# Allow Mumble
sudo ufw allow 64738/udp
sudo ufw allow 64738/tcp

sudo ufw status

If you prefer to only open UDP (common), you can skip TCP — but some clients/networks behave better with TCP as a fallback.

Step 4: verify from the outside

UDP is harder to “probe” than TCP, so don’t rely on a single test. Use multiple signals:

• Your Mumble client can connect and stays connected
• ss -lunp shows the server listening
• Server logs show connection attempts

If you need a structured debug flow, use: Mumble server not reachable (UDP blocked) — fix checklist.

Common mistakes

• Only opening UFW but forgetting the DigitalOcean firewall (or vice versa).
• Opening TCP 64738 but forgetting UDP 64738 (voice will feel “dead”).
• Firewall is attached to the wrong droplet / wrong VPC.
• IPv6 is enabled and blocked (or clients try IPv6 first).