MQTT broker accessible from outside without opening port in firewall?

Thomas Jensen

    I'd like my MQTT broker to be accessible from outside my home network, but I'm a bit reluctant to open a port in the firewall. And I'd like to avoid using my home IP.

    It's pretty convenient to have an unencrypted open broker at home, but that doesn't work if I am going to expose it. What other options do I have?

  • You basically have 3 options if you don't want to forward a port.

    1. Use a broker in the cloud so clients from home always connect out to it. Use TLS and authentication so others can't eavesdrop or inject unwanted messages.
    2. Use a cloud broker and set up a bridge between the internal broker and cloud broker (you still want to encrypt and set username/password on the cloud broker). This has the advantage that internal things keep working if the internet connection goes down.
    3. A VPN on all external devices to allow access to your home network (but, to be honest, you're probably going to have to either open a port for the VPN or have a router that supports being a VPN server)

    But forwarding a port to a properly configured broker (about the same as the cloud broker) is not really a risk.

  • Since the broker is a server, you MUST open at least one port for clients to connect.

    So, your problem becomes a special case of exposing a service on the Internet.

    This has been done via DMZ, either through proxy or other way to enforce stricter authentication than the default service. If your proxy lives on the cloud, that just extends your DMZ to the cloud.

    Your simplest approach is probably to harden your broker (disable anonymous clients) and restrict who can connect to it through the firewall (allow only certain client IP addresses, if you know them in advance).
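As an added example, not taken from either answer above, the Mosquitto configuration below combines the two approaches in one file: the bridge from the first answer (internal broker forwards selected topics to a cloud broker over TLS with credentials) and the hardening from the second (anonymous access confined to the LAN, a separate TLS listener with password authentication for the case where you do forward a port). Mosquitto itself, the LAN address 192.168.1.10, the hostname cloud-broker.example.com, the certificate and password-file paths and the credentials are all assumed placeholders to replace with your own.

```conf
# /etc/mosquitto/mosquitto.conf (added example; all names and paths are placeholders)

# Make allow_anonymous / password_file apply per listener rather than globally.
per_listener_settings true

# --- LAN listener: keeps the convenient unencrypted, anonymous setup, but only on
# the LAN interface, so it is never reachable through the port forward.
listener 1883 192.168.1.10
allow_anonymous true

# --- Optional exposed listener, for the "forward a port to a properly configured
# broker" case. TLS only, no anonymous clients, credentials from a password file
# (create it with: mosquitto_passwd -c /etc/mosquitto/passwd <username>).
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile  /etc/mosquitto/certs/server.key
cafile   /etc/ssl/certs/ca-certificates.crt
allow_anonymous false
password_file /etc/mosquitto/passwd

# --- Bridge: the internal broker connects OUT to the cloud broker, so no inbound
# port is needed. If the Internet link drops, local clients keep working and the
# bridge reconnects on its own.
connection cloud-bridge
address cloud-broker.example.com:8883
bridge_cafile /etc/ssl/certs/ca-certificates.crt
bridge_insecure false                # verify the cloud broker's certificate
bridge_protocol_version mqttv311
try_private false                    # cloud broker may not be Mosquitto
remote_clientid home-bridge
remote_username home-bridge
remote_password CHANGE_ME
cleansession false

# topic <pattern> <direction> <qos> <local-prefix> <remote-prefix>
# Only forward what the outside needs; local "sensors/x" appears as "home/sensors/x".
topic sensors/#  out 1 "" home/
topic commands/# in  1 "" home/
```

Mosquitto has no per-client-IP allow list of its own; the LAN-only binding handles the inside, and restricting source addresses for the 8883 listener, as the answer suggests, is done in the firewall in front of it. The plaintext listener's `allow_anonymous true` is the weak setting the question describes; it is tolerable here only because that listener is bound to the LAN address and nothing forwards to it.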

  • @hardillb gave a good answer, but let me try to add a few details to give it some "real-life" touch:

    1. Choose some MQTT broker available to the public. HiveMQ can be a good example, and you can start with the try-out page describing how to connect to the broker:

       Connect to Public Broker
       Host: broker.hivemq.com
       Port: 1883
       Websocket Port: 8000

    2. Choose which client best fits you and use it for interconnecting the internal broker with the public MQTT broker. For example, your C client could be Paho MQTT. The client has support for SSL/TLS, so your security remains at a high level.

    3. Paho MQTT embedded can be your choice for external devices.

    4. HiveMQ has a pay-as-you-go licencing policy, so consider it with care. Anyway, you can check out this page for a list of available cloud and test MQTT brokers.

Tags
mqtt