12

I'd like my MQTT broker to be accessible from outside my home network, but I'm a bit reluctant to open a port in the firewall. And I'd like to avoid using my home IP.

It's pretty convenient to have an unencrypted open broker at home, but that doesn't work if I am going to expose it. What other options do I have?

Thomas Jensen

3 Answers

10

You basically have 3 options if you don't want to forward a port.

  1. Use a broker in the cloud so clients from home always connect out to it. Use TLS and authentication so others can't eavesdrop or inject unwanted messages.
  2. Use a cloud broker and set up a bridge between the internal broker and cloud broker (you still want to encrypt and set username/password on the cloud broker). This has the advantage that internal things keep working if the internet connection goes down.
  3. A VPN on all external devices to allow access to your home network (but, to be honest, you're probably going to have to either open a port for the VPN or have a router that supports being a VPN server)

But forwarding a port to a properly configured (about the same as the cloud broker) is not really a risk.

Aurora0001
hardillb
3

Since the broker is a server, you MUST open at least one port for clients to connect.

So, your problem becomes a special case of exposing a service on the Internet.

This has been done via a DMZ, either through a proxy or another way to enforce stricter authentication than the default service. If your proxy lives in the cloud, that just extends your DMZ to the cloud.

Your simplest approach is probably to harden your broker (disable anonymous clients) and restrict who can connect to it through the firewall (allow only certain client IP addresses, if you know them in advance).

Gambit Support
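As an added example (not from any of the answers above), this is what option 2 of hardillb's answer combined with the hardening suggested here looks like in a Mosquitto configuration: the home broker keeps a LAN-only listener, refuses anonymous clients, and dials out to the cloud broker over TLS with its own credentials, so no inbound port is forwarded. Mosquitto, the LAN address, the cloud hostname, the file paths and the account are my assumptions/placeholders.

```conf
# ---- Local listener: plain MQTT, but bound to the LAN address only ----
# Assumption: the home broker's LAN address is 192.168.1.10 (placeholder).
listener 1883 192.168.1.10
# Weak setting to avoid once the broker talks to the outside:
#   allow_anonymous true
allow_anonymous false
# Accounts created with: mosquitto_passwd -c /etc/mosquitto/passwd sensor1
password_file /etc/mosquitto/passwd

# ---- Bridge: the home broker connects OUT to the cloud broker over TLS ----
connection home-to-cloud
address broker.example.net:8883            # placeholder cloud broker hostname
bridge_cafile /etc/ssl/certs/ca-certificates.crt
bridge_insecure false                      # keep false: verify the server certificate
bridge_protocol_version mqttv311
remote_clientid home-bridge-01
remote_username home-bridge                # placeholder account on the cloud broker
remote_password CHANGE_ME                  # placeholder; keep this file mode 0600
cleansession false
start_type automatic
notifications true

# Mirror only the topics that need to leave the house, never "#".
# Local "sensors/..." is published remotely as "home/sensors/...";
# remote "home/commands/..." arrives locally as "commands/...".
topic sensors/# out 1 "" home/
topic commands/# in 1 "" home/
```

If the internet link drops, LAN clients keep working against the local listener and the bridge reconnects on its own because of `start_type automatic`.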
3

@hardillb gave a good answer, but let me try to add a few details with some "real-life" touch:

  1. Choose some MQTT broker available to the public. HiveMQ can be a good example and you can start with the try-out page describing how to connect to the broker:

Connect to Public Broker

Host: broker.hivemq.com

Port: 1883

Websocket Port: 8000

  2. Choose which client best fits you and use it for interconnecting the internal broker with the public MQTT broker. For example, your C client could be Paho MQTT. The client has support for SSL/TLS, so your security remains on a high level.

  3. Paho MQTT embedded can be your choice for external devices.

  4. HiveMQ has a pay-as-you-go licencing policy, so consider it with care. Anyway, you can check out this page for a list of available cloud and test MQTT brokers.

Amit Vujic