Connecting 2 MQTT Brokers

I would like to connect 2 OpenHAB instances using the EventBus and MQTT.

From my research, there are 2 options for connecting 2 local MQTT brokers…

  1. Directly
  2. Indirectly via a cloud service, i.e. CloudMQTT

I have done a fair bit of reading especially from http://www.steves-internet-guide.com/mosquitto-bridge-configuration/

I like the idea of a direct connection using SSL but am wondering if that is a secure enough option. It seems using CloudMQTT would be easier to maintain and I don’t have to open a port on my router. But it adds another fail point.

Has anyone had experience using either option?

You might be mixing things up here. You don’t need two brokers, and if you are using two brokers for some reason, that would be completely invisible to OH itself. So is there some other requirement here that we don’t know about that is pushing you to use more than one broker?

I don’t have experience bridging brokers but I would imagine that Mosquitto supports the same sorts of options for bridging that it provides for clients. If that’s the case, the most secure would be setting up SSL and using client certificates for authentication.

I don’t know if CloudMQTT supports client certificate authentication or not, but SSL and username/password isn’t too bad either. The SSL ensures you are talking to the broker and not an impostor, and the encryption protects the username/password.

But if connecting the two brokers together directly is an option, why not avoid the complexity and just have both OH instances connect to the same broker?
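As an added illustration (not part of this thread, and not openHAB or Mosquitto project code), this is what the direct broker-to-broker bridge with TLS and client-certificate authentication described above looks like in Mosquitto configuration. The hostnames, LAN address, certificate paths, the `home-bridge` certificate CN and the `openhab/#` event bus prefix are all assumptions.

```conf
# ---- cabin broker (accepts the bridge): /etc/mosquitto/conf.d/bridge-listener.conf ----
# Make allow_anonymous / acl_file apply per listener, so the IoT devices on the LAN
# keep their open listener while the internet-facing one is locked down.
per_listener_settings true

# Plain listener for the local IoT devices, bound to the LAN address only (assumed address).
listener 1883 192.168.10.1
allow_anonymous true

# Internet-facing listener used only by the bridge: TLS plus a mandatory client certificate.
listener 8883
cafile   /etc/mosquitto/certs/ca.crt        # private CA that signed both brokers' certs (assumed path)
certfile /etc/mosquitto/certs/cabin.crt
keyfile  /etc/mosquitto/certs/cabin.key
require_certificate true                    # no client certificate, no connection
use_identity_as_username true               # certificate CN becomes the username checked by the ACL
allow_anonymous false
acl_file /etc/mosquitto/bridge.acl

# ---- cabin broker: /etc/mosquitto/bridge.acl ----
# Only the bridge identity (CN of the home broker's client cert) may use the event bus topics;
# a compromised remote side still cannot publish to the cabin's local device topics.
user home-bridge
topic readwrite openhab/#

# ---- home broker (dials out): /etc/mosquitto/conf.d/bridge.conf ----
connection cabin-bridge
address cabin.example.com:8883              # assumed DNS name; must match the cabin cert's CN/SAN
bridge_cafile   /etc/mosquitto/certs/ca.crt
bridge_certfile /etc/mosquitto/certs/home-bridge.crt   # CN=home-bridge
bridge_keyfile  /etc/mosquitto/certs/home-bridge.key
bridge_insecure false                       # keep hostname verification on (the default; never set true)
remote_clientid home-bridge
cleansession false
try_private true
notifications true                          # $SYS/broker/connection/home-bridge/state reports bridge health
# Forward only the event bus prefix, in both directions, rather than "#".
topic openhab/# both 0
```

Only the one 8883 port needs to be reachable from the internet, and the ACL plus `require_certificate` mean a scanner that finds it gets nothing without the private CA's signature on its certificate.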

Hi Rich,

First I should clarify and make sure I am not falling into the XY problem…

I have 2 OpenHAB instances, one at home and one at the cabin, and would like to connect them primarily for use with the OpenHAB iPhone app. My understanding is MQTT and the EventBus work you have done would be the best way to do that.

Both instances run independently of one another and both use a local MQTT broker with IoT devices that are not securely connected to that MQTT broker. Also, I want to keep both instances completely local so that if the internet goes down, they will still (mostly) be functional.

My options are a direct broker-to-broker bridge (Mosquitto supports this), but this requires opening a port, or using a cloud broker like CloudMQTT to bridge the two local brokers: no open port, more complexity.

I have read a fair bit and my understanding is TLS/SSL between two local brokers should be very secure and that having a port open in that instance is relatively low risk. The CloudMQTT option seems to be lower risk as there are ports open on my router.

I have a somewhat similar setup so agree with that.

OK, that’s a good reason to have two separate brokers. But that doesn’t necessarily mean you need to go through the effort of bridging them if the two can see each other (e.g. using a VPN). Depending on how separate everything is, you can easily just create more than one Broker Thing, one to connect to the local broker and another to connect to the remote broker.

Or setting up a VPN to connect. There are lots of options here that you can use. I personally am running pfSense as my firewall so I use the wizard on that to set up an OpenVPN instance. But that does require exposing the OpenVPN port to the internet. An alternative is to rent a cloud server and deploy something like Algo. This would put the VPN server outside your LANs and your home and cabin would connect to it, getting rid of the need for punching a hole in your firewall to allow the VPN connections.

If you are OK with a third party being in the middle of your VPN, I had a lot of good experiences using Hamachi as well. It doesn’t require punching any holes in your firewall nor does it require you to rent a VPS. But it does put LogMeIn in the middle of your connection.

CloudMQTT seems to no longer offer a free tier so cost wise, Hamachi might be the cheapest option that allows you to avoid punching a hole in your network since it allows up to five connections for free.

Rather than a full-up VPN, another solution could be setting up an SSH tunnel. One machine could set up an SSH tunnel to the other and then route all the MQTT traffic through the tunnel. This would potentially be less challenging to set up than a VPN server (though WireGuard is supposed to be pretty easy) and you can get the security of certificate based logins, but it still requires opening a port to the internet.

There are lots of options available. I can’t say what would be the best approach for you. As I said, I used OpenVPN to solve the problem personally. I like how the machine remains part of my LAN even though it physically resides 100 miles away. Also, with my own VPN server, I can use pfBlocker (kind of like Pi-hole) and connect our phones to it to get ad blocking/parental controls/malware blocking while away from the house.

I’ve used Hamachi in the past and was happy with it too.