Yes, so what I was saying - I will illustrate with some network numbers.
Let's say all your devices that are providing information are on a private subnet - let's call it
172.16.1.0/24 - default gateway to get off this subnet/VLAN = 172.16.1.1
You assign your internal MQTT broker an IP address on this subnet of 172.16.1.100
All client devices that wish to pub/sub to MQTT will use this as the address - on this setup you would set up appropriate IPTables/UFW rules to only allow MQTT in from devices with (say) a range of 172.16.1.200 - 172.16.1.250 on this internal interface
You would have a 2nd interface on your MQTT broker - this would be in a separate subnet on a separate VLAN (or physical switch)
Let's say this interface has an IP address of 172.16.2.100 - no default gateway
You put a client device on this same subnet - 172.16.2.101 - and this has a default gateway of the firewall/switch for that VLAN/subnet - let's call it 172.16.2.1
You would establish a VPN from that firewall through to your external broker in the cloud
Let's say the broker in the cloud is on a subnet with your provider with an IP address of 172.16.100.1
You will set up a VPN between this subnet and the 172.16.2.0 subnet in the office - firewall rules will only allow traffic between the 172.16.100.1 IP address and the 172.16.2.101 - client to the internal broker
You only allow stateful packets across this link initiated from the DMZ client at 172.16.2.101, i.e. the client can sub/pub to the MQTT broker but the broker can not initiate any communication back into the client machine
You then establish a 2nd VPN that will be for external clients/tablets etc. - this VPN will only be able to talk to the broker at 172.16.100.1 and restrict what they can send - preferably only MQTT traffic.
If you draw this up with some pictures and the IP addresses laid out (I have just done this off the top of my head) it will give you a good starting point.
There are additional pieces that could be added to this along the way depending on how bulletproof you wanted to make the system.
Remember with security it should be like an onion with more and more layers - and I always keep in mind that there are smarter hackers out there than me - so you need as many layers as possible.
Craig
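The filtering policy in the post above has two properties worth checking explicitly: the broker's internal interface only accepts MQTT from the sensor range, and across the DMZ-to-cloud VPN only the DMZ client may open a connection, with the cloud broker limited to replies on flows the client started. The following Python model, added here as an example and not code from the post or from any firewall product, encodes those rules with the post's addresses and runs constructed packets through a minimal stateful filter (NEW packets consult the rule list, ESTABLISHED packets ride on recorded state, everything else is dropped). The MQTT port 1883 and the packet fields are assumptions; a real deployment would express the same policy in UFW, iptables or nftables rules.

```python
"""Model of the segmentation described in the post: a default-drop stateful
filter where only listed flows may be opened and replies are allowed only
for flows already in the state table. Example code, not from the post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

MQTT_PORT = 1883  # assumed plain MQTT port; 8883 if the brokers use TLS

# Addresses taken from the post
INTERNAL_BROKER = ip_address("172.16.1.100")
SENSOR_RANGE = (ip_address("172.16.1.200"), ip_address("172.16.1.250"))
DMZ_CLIENT = ip_address("172.16.2.101")
CLOUD_BROKER = ip_address("172.16.100.1")


@dataclass(frozen=True)
class Packet:
    """Constructed packet: just the 5-tuple fields the policy needs."""
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = False  # True for the first packet of a connection (TCP SYN)


def in_range(ip: IPv4Address, lo: IPv4Address, hi: IPv4Address) -> bool:
    return lo <= ip <= hi


# Each rule answers one question: may this packet OPEN a connection?
def broker_internal_rule(p: Packet) -> bool:
    """Broker's internal interface: MQTT only, and only from the sensor range."""
    return (ip_address(p.dst) == INTERNAL_BROKER
            and p.dport == MQTT_PORT
            and in_range(ip_address(p.src), *SENSOR_RANGE))


def vpn_link_rule(p: Packet) -> bool:
    """DMZ-to-cloud VPN: only the DMZ client may open MQTT to the cloud broker."""
    return (ip_address(p.src) == DMZ_CLIENT
            and ip_address(p.dst) == CLOUD_BROKER
            and p.dport == MQTT_PORT)


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # admitted flows as (src, sport, dst, dport)

    def accept(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        # ESTABLISHED: either direction of a flow we already admitted
        if flow in self.state or reply in self.state:
            return True
        # NEW: only a connection-opening packet may consult the rule list
        if p.new and any(rule(p) for rule in self.rules):
            self.state.add(flow)
            return True
        return False  # default drop: the broker cannot initiate back to the client


def run_scenarios() -> dict:
    """Push constructed packets through the filter; order matters because the
    cloud broker's reply is only valid after the DMZ client opened the flow."""
    fw = StatefulFilter([broker_internal_rule, vpn_link_rule])
    results = {}
    results["sensor_to_broker"] = fw.accept(
        Packet("172.16.1.210", 40001, "172.16.1.100", MQTT_PORT, new=True))
    results["unlisted_host_to_broker"] = fw.accept(
        Packet("172.16.1.50", 40002, "172.16.1.100", MQTT_PORT, new=True))
    results["sensor_to_broker_ssh"] = fw.accept(
        Packet("172.16.1.210", 40003, "172.16.1.100", 22, new=True))
    results["dmz_client_to_cloud"] = fw.accept(
        Packet("172.16.2.101", 50001, "172.16.100.1", MQTT_PORT, new=True))
    results["cloud_reply_to_dmz_client"] = fw.accept(
        Packet("172.16.100.1", MQTT_PORT, "172.16.2.101", 50001))
    results["cloud_initiates_to_dmz_client"] = fw.accept(
        Packet("172.16.100.1", 44444, "172.16.2.101", MQTT_PORT, new=True))
    results["stray_packet_without_state"] = fw.accept(
        Packet("172.16.100.1", MQTT_PORT, "172.16.2.101", 50999))
    return results


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:32s} {'ACCEPT' if allowed else 'DROP'}")
```

The two DROP results on the cloud side are the point of the post's "stateful packets initiated from the DMZ client" rule: a packet from the cloud broker is accepted only when it is the reply half of a flow the client opened, so a compromised cloud broker gets no path back into the DMZ host, let alone the internal sensor network behind the second interface.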