MQTT Smart Socket?

I am looking for a smart socket that will connect to a third party WiFi network and which can be configured to connect to my MQTT broker (at a fixed public IP address).

I want to be able to turn this on and off with MQTT messages from Node Red and also remotely read its status (i.e. off or on).

Any recommendations for such a product?

N.B. I have no control over the network to which the smart socket connects, I only have credentials to use the network.

All Shellys have MQTT capabilities.
They have a smart plug: Shelly Plug S - Shelly Cloud
It just works :slight_smile:


Provided the remote network can access your MQTT broker via the internet then it should be straightforward. Configure the plug with your MQTT address and credentials and it should just work. Make sure the plug you select can be configured for whatever type of connection and credentials you are using.

You will need to be very careful about security with this setup. You are transferring control messages over a public network and it is highly likely that a cheap Wi-Fi switch will not have any real security (TLS) on it. That may mean that anyone with basic skills trawling through the Wi-Fi network may be able to take control of the switch and indeed may well be able to send/receive information to/from your MQTT Broker. In the worst case, they may well be able to get access to your server and do anything they like.

Folk responding to questions like this - please let's take care to inform people of the risks.

You are absolutely right, of course. I consider myself suitably admonished.


Yes, it's a fair point. Clearly, unencrypted MQTT traffic on public networks is an exposure.

I should possibly have stated that the WiFi network I would be using is not 'public' but is provided by a third party for customer use. It is also professionally configured and managed.
I did some testing previously and established that the WiFi network in question (a) isolates clients and (b) has a fixed public IP address.
I limit access to my MQTT broker to traffic with the WiFi network public IP address, while accepting that this could probably be spoofed.

In my case the data and control is entirely non-critical.

As a point of information, I have two solutions to implementing the control (simple off/on) I'm considering. The 'lazy' option would be to use a 'smart' socket and define the control functions in NodeRed, but I also have the option of implementing this as additional configuration of an already installed ESP32 based 'outstation' which currently operates as a data collector only.

I would just add a relay to this in that case.

Yeah, that's probably what I'll do!

And it's good now to be aware of the Shelly products too!

OK, not so bad then, I was worried that this might be a university network :grinning:

That is good as it massively reduces the attack possibilities.

You might want to limit the access from the network to only allow a specific root topic as well. That will help you if you want to later bridge MQTT brokers.

Of course, you would ideally enforce TLS encryption on the broker but it is unlikely that your IoT devices will support it. Without TLS, there is no point in adding user id/password for clients either.

...any plug flashable with Tasmota will work: https://templates.blakadder.com/

Regarding safe access from remote, I recommend the following:

  • connect plugs to local Broker
  • create account on public broker (I use cloudmqtt)
  • manage user accounts on public broker. Create one for local and as many as needed for remote access
  • create a bridge from local to remote broker, use TLS and bridge only the required topics needed
  • when remote, use secure access (https, tls, wss, ...) to connect to public broker and you will be able to view/control anything that is bridged from local

...newest Tasmota supports TLS on MQTT, I believe, but for a local broker, I am still using the connection without (only "secured" my devices and broker in a separate VLAN, where kids and guests are not allowed :wink:)
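
The bridge steps in the post above, written out as a configuration example. It is added here and is not taken from the post: it assumes the local broker is Eclipse Mosquitto and that the plugs run Tasmota with its default `cmnd`/`stat`/`tele` topic layout. The hostname, addresses, account names, file paths and the `plug1` device topic are placeholders.

```conf
# mosquitto.conf fragment for the LOCAL broker (assumption: Eclipse Mosquitto 2.x).
# All hostnames, addresses, account names and paths below are placeholders.

# Local listener for the plugs, bound to the broker's address in the IoT VLAN
# only. Plain MQTT here, so the VLAN isolation is the only protection.
listener 1883 192.0.2.10
allow_anonymous false
password_file /etc/mosquitto/passwd

# Outbound bridge to the hosted broker. The local broker dials out, so no
# inbound port needs to be opened on the home network.
connection to-public-broker
address public-broker.example.invalid:8883
remote_clientid home-bridge
remote_username bridge-local
remote_password CHANGE-ME

# TLS towards the hosted broker: verify the certificate chain and hostname.
# CA bundle path is the Debian default; adjust for other systems.
bridge_cafile /etc/ssl/certs/ca-certificates.crt
bridge_tls_version tlsv1.2
bridge_insecure false

# Keep queued QoS 1 messages across reconnects; do not publish bridge
# connection state to the remote broker.
cleansession false
notifications false

# Bridge only the topics remote clients need, nothing else:
#   relay state and availability go out, the power command comes in.
topic stat/plug1/POWER out 1
topic tele/plug1/LWT out 1
topic cmnd/plug1/POWER in 1
```

The bridge password sits in clear text in this file, so limit read access to the account the broker runs as. On the hosted broker, restrict the bridge account's permissions to the same three topics so the explicit `topic` lines are enforced on both ends.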

My IoT device is custom on ESP32, but despite many attempts, I've still not managed to get TLS working between my broker and this, but that's one for another forum!


Flash Tasmota firmware to any suitable ESP8266 based wifi plug.