Secure MQTT with bridge for owntracks

Last Updated or created 2022-03-22

A little diagram explaining what i’m using to get a secure mqtt owntracks setup. (reinstall)

Mobile connects with certificates and password to my server in DMZ using port 8883 (no sockets activated at the moment)

Mqtt server in DMZ connects via a bridge to my internal mqtt server. (Both Mosquitto)

Node-red using a worldmap plugin displays the current position of my mobile. Coordinates are stored in a InfluxDB and geolocation is being used to activate/de-activate other node-red nodes.

Start with downloading :

Get some environment stuff into place

export IPLIST="83.161.x.x"
export HOSTLIST=""

Generate Certificates and client certificates.

./ # creates ca.crt and server.{key,crt}
./ mqttserver # creates server certs
./ client workstation # creates client certs
./ client mobile # creates mobile cert

My workstation client is MQTT-explorer, no need to change anything
For owntracks on your mobile you need a P12 certicate, thats a combined cert+key certificate.

openssl pkcs12 -export -in mobile.crt -inkey mobile.key -out mobile.p12

Check certs with

openssl x509 -noout -text -in server.crt  | grep DNS:

Download p12 and ca.crt to you mobile.
MQTT-explorer, add a new connection and select workstation.crt ca.crt and workstation.key

Create a mqtt password file

mosquitto_passwd -c /etc/mosquitto/passwordfile firstuser
mosquitto_passwd -b /etc/mosquitto/passwordfile nextuser

TLS mosquitto example, change where needed. (this is a multi setup, portforward ONLY 8883 to this instance)
1883 is only for internal bridge communication.

# Place your local configuration in /etc/mosquitto/conf.d/
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/
persistence true
persistence_location /var/lib/mosquitto/
# Plain MQTT protocol
listener 1883
# End of plain MQTT configuration
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/passwords
# End of MQTT over TLS/SLL configuration
listener 9001
protocol websockets
# End of plain Websockets configuration
# WebSockets over TLS/SSL
listener 9883
protocol websockets
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
log_dest file /var/log/mosquitto/mosquitto.log
#include_dir /etc/mosquitto/conf.d
connection bridge-01
address INTERNALIP:1883
topic owntracks/# both 0

Plain internal ‘open’ mosquitto setup only needs bridge config

connection bridge-01
topic # in 2
Node-red Flow
Nov 2019 example of a track in nodered (A2 to our old home)