Mosquitto listening on two ports simultaneously

Hello everyone
I have already installed Mosquitto on port 1883 and I use it in my LAN without problems. I need to access the broker from the internet as well. I have read that it is possible to use port 8883 with an SSL certificate. Is it possible to configure Mosquitto to listen on both ports at the same time, to manage both services?
I have read a few tutorials, but they are not very clear and I am afraid of creating problems with the current configuration that works.
Any help?

Yes, of course. See the mosquitto.conf file which has lots of good comments. You just need to create a copy of the listener for port 1883 and change the parameters so it’s encrypted, where the cert files are, and the like.
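As an added illustration of the answer above (this is example configuration written for this thread, not the poster's own file and not a copy of the stock mosquitto.conf), here is what a second, TLS-enabled listener alongside the existing plain one looks like. The LAN address, file paths and user names are assumptions chosen for the example; substitute your own. It also applies the hardening the later replies ask for (no anonymous clients, a password file and an ACL file) so that the listener exposed to the internet is not open to everyone:

```conf
# mosquitto.conf (example written for this thread; paths and addresses are assumptions)

# Listener 1: the existing plain-MQTT listener, kept for the LAN only.
# Binding it to the LAN interface address (assumed 192.168.1.10) means it is
# never reachable through the router's port forward.
listener 1883 192.168.1.10
protocol mqtt

# Listener 2: TLS on 8883, the one that gets forwarded from the router.
listener 8883
protocol mqtt
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
tls_version tlsv1.2
# Optional, stronger than passwords alone: each ESP8266 presents a client
# certificate signed by the CA above, and its certificate CN is used as the
# MQTT username for the ACL checks below.
require_certificate true
use_identity_as_username true

# Authentication and authorisation apply to both listeners (global settings;
# per_listener_settings is left at its default of false).
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# Logging useful for the "monitor like crazy" advice later in the thread:
# every connect/disconnect and every subscribe is written to the log.
log_dest syslog
log_type error
log_type warning
log_type notice
log_type subscribe
connection_messages true
```

Create the password file with `mosquitto_passwd -c /etc/mosquitto/passwd <username>` (drop `-c` for additional users), then restart the broker. Because the LAN listener now also refuses anonymous clients, existing LAN clients need credentials too; if that is not wanted yet, test the TLS listener first and tighten the LAN side afterwards.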

Aside from the technical point (perfectly explained by @rlkoshak), you should not do that for security reasons. Better use a VPN tunnel.
I already use a VPN tunnel to command openHAB from my phone. But in this case I need to connect two ESP8266s to the broker from another location. I ask you … isn’t an SSL connection secure? The open port, listening on the router, only accepts encrypted connections, right? It should be the same as the VPN.
thanks for the clarifications

No, it is not remotely the same as a VPN.

An SSL connection can be secure, but it only requires authentication of the server. Anyone can initiate a connection to your SSL port. All SSL does (and I really hope you are talking about TLS, SSL is not safe to use) is verify that the server a client is talking to is the server it claims to be (i.e. there is no man-in-the-middle) and establish an encrypted connection between the client and the server. There is absolutely nothing to prevent some malicious client from connecting and attacking your server.

If you are opening a port on your firewall to the internet, all SSL will do is allow the attackers to directly attack you over an encrypted TLS channel. It doesn’t prevent them from attacking. So the attackers can see that you are running MQTT, probably the name and version of the broker, and if you don’t configure Mosquitto to require username/password authentication (or, even better, certificate authentication) and set up ACLs in Mosquitto, then the attacker can subscribe to all your topics and publish to any topic they want to. But you have TLS, so at least all those attacks are encrypted. If you do set up strong authentication and ACLs then you could probably do this somewhat safely, but you will need to monitor Mosquitto like crazy for signs of compromise and monitor the CVEs for new vulnerabilities that get published.

With a VPN, all the attacker sees is the VPN port (or, if you are using something like Algo VPN, you don’t even need to open a port on your firewall), and if you configure it with certificate-based authentication then you have even stronger protection. And because of the nature of the software, OpenVPN and other similar VPN servers have received way more security testing than Mosquitto has, so it’s somewhat safer to open a port to enable the VPN than it is to open the port for Mosquitto.

But, given your requirements, you would probably be far better off using Cloud MQTT. You would almost certainly not use more than the free tier, and it supports encrypted connections and authentication. Then you can bridge your local broker with this remote one or just configure OH to connect to both. Then you can keep your firewall up and not expose yourself to attack from the Internet.
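The reply above says that with authentication and ACLs in place the exposed listener becomes "somewhat safe"; as an added example (written for this thread, not from the poster or the Mosquitto project), this is what a least-privilege ACL file for the two remote ESP8266s looks like, assuming the broker's `acl_file` points at it and the user names `esp-office-1`, `esp-office-2` and `openhab` are the ones created in the password file (all of these names are assumptions):

```conf
# /etc/mosquitto/acl (example written for this thread; names are assumptions)

# Rules before the first "user" line apply to every client, including any
# that somehow connects without a username. Nothing is granted here, so an
# attacker who gets through authentication still cannot read or write topics.

# Pattern rules apply to every authenticated user; %u is replaced by the
# client's username. Each ESP8266 may therefore publish only under its own
# sensor prefix and subscribe only to its own command prefix, and cannot
# touch the other device's topics or anything else on the broker.
pattern write sensors/%u/#
pattern read  cmd/%u/#

# The openHAB instance on the LAN is the only principal allowed to read all
# sensor data and send commands to any device.
user openhab
topic read      sensors/#
topic write     cmd/#
topic readwrite openhab/#

# The ESP users need no explicit "topic" lines: the pattern rules already
# give them exactly the access they need. Listing them documents intent.
user esp-office-1
user esp-office-2
```

With this file, a compromised or spoofed `esp-office-1` can only publish to `sensors/esp-office-1/#` and read `cmd/esp-office-1/#`; the subscribe logging enabled in the broker configuration then makes any attempt to subscribe to `#` or to another device's topics stand out in the log as a denied request.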

Thank you so much, you were very clear in the explanation. I’m going to see how Cloud MQTT works; it seems to me the simplest solution for me. I take advantage of your kindness for one last question … my need is to connect my office to the MQTT broker. If I want to use the VPN (I use OpenVPN) and connect the ESP8266 to the broker, I need a computer in bridge mode that works as a VPN client, right? The ESP alone cannot work as a client, connect to the router over WiFi and connect to the broker, right?
Thanks again

Correct. That’s why I suggested Cloud MQTT instead. My explanation was mainly to clear up why SSL/TLS is not the same thing as a VPN. I am all but certain there is no way to put an OpenVPN client on the ESP8266.