A little diagram explaining what i’m using to get a secure mqtt owntracks setup. (reinstall)
Mobile connects with certificates and password to my server in DMZ using port 8883 (no sockets activated at the moment)
Mqtt server in DMZ connects via a bridge to my internal mqtt server. (Both Mosquitto)
Node-red using a worldmap plugin displays the current position of my mobile. Coordinates are stored in a InfluxDB and geolocation is being used to activate/de-activate other node-red nodes.
./generate-CA.sh # creates ca.crt and server.{key,crt}
./generate-CA.sh mqttserver # creates server certs
./generate-CA.sh client workstation # creates client certs
./generate-CA.sh client mobile # creates mobile cert
NOTE: My workstation client is MQTT-explorer, no need to change anything For owntracks on your mobile you need a P12 certicate, thats a combined cert+key certificate.
TLS mosquitto example, change where needed. (this is a multi setup, portforward ONLY 8883 to this instance) 1883 is only for internal bridge communication.
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
# Plain MQTT protocol
listener 1883
# End of plain MQTT configuration
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
allow_anonymous false
password_file /etc/mosquitto/passwords
# End of MQTT over TLS/SLL configuration
listener 9001
protocol websockets
# End of plain Websockets configuration
# WebSockets over TLS/SSL
listener 9883
protocol websockets
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
log_dest file /var/log/mosquitto/mosquitto.log
#include_dir /etc/mosquitto/conf.d
connection bridge-01
address INTERNALIP:1883
topic owntracks/# both 0
Plain internal ‘open’ mosquitto setup only needs bridge config
connection bridge-01
address TLSMOSQUITTOINSTANCE-IP:1883
topic # in 2