I am looking for options for communicating securely between two instances of node red across the internet.
1. Open one of the NRs to the internet. I don't want to do this if at all possible. I am not happy that the s/w is mature enough yet to be confident that this is secure.
2. Use Telegram. I was hoping to do this but have failed to get it to work [a].
3. Use a mosquitto MQTT server on a publicly accessible server, with TLS and user/pwd. I can see that this should work OK. I also want to use Tasker on Android to send messages and I am not sure there is a stable MQTT plugin for Tasker yet, so this might not be ideal for me.
From your description I guess that both node-red installations are in two different local networks, connected by firewalls/NAT to the public Internet.
Since node-red and MQTT have concepts which fit each other (messages and topics), I think this is the best way to go.
You need to run mosquitto at one of the places. I suggest selecting the one where your ISP keeps the IP address on the public side the same. Then you need to configure a port forwarding in your router to port 8883 of the mosquitto MQTT broker. I can go into more detail if you want to try this solution. Just let me know.
You open one port at one place, which makes the mosquitto broker accessible from the public Internet.
mosquitto is a well-established and maintained piece of software. You must protect the access with username/password and an SSL certificate for the SSL encryption, at least from the outside. You must keep your installation up to date. With these measures the risk is minimal and acceptable.
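As an added example (not from any poster in this thread) of the broker setup described above: the exposed-without-protection listener is shown commented out beside the hardened listener on 8883 with TLS, username/password and a topic ACL. File paths, certificate locations and the account names are assumptions.

```conf
# /etc/mosquitto/conf.d/public.conf  (assumed path)

# --- Weak: never expose this on a public IP ---
# listener 1883
# allow_anonymous true
# Anyone on the Internet could publish to or subscribe from every topic,
# and all traffic would cross the network in cleartext.

# --- Hardened: TLS + username/password, one setting block per listener ---
per_listener_settings true

# Optional loopback-only listener for flows running on the broker host
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd

# Public listener on 8883, the port forwarded from the router
listener 8883
# CA chain, server certificate and private key (e.g. from Let's Encrypt);
# clients verify the broker against the same CA on their side
cafile   /etc/mosquitto/certs/chain.pem
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
# Accounts are created with:
#   mosquitto_passwd -c /etc/mosquitto/passwd nodered-home
#   mosquitto_passwd    /etc/mosquitto/passwd phone
allow_anonymous false
password_file /etc/mosquitto/passwd
# Restrict each account to the topics it actually needs
acl_file /etc/mosquitto/acl

# /etc/mosquitto/acl  (assumed path; contents of the ACL file)
# user nodered-home
# topic readwrite home/#
# user phone
# topic write home/phone/#
```

In the Node-RED MQTT broker node the matching settings are the broker's host name, port 8883, TLS enabled with server-certificate verification on, and the username/password from the passwd file.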
Thanks @Urs-Eppenberger, I believe I know how to do it. I have a server in the cloud that I would run the broker on, then I don't have to let anything into my local networks.
I think I will probably go down the MQTT route, since so far the only other contender seems to be Pushbullet, and that does not fill me with confidence over the security of their system. Actually, I think MQTT is probably easier.
I have had a play with Tasker and the Webneurons MQTT Client and so far it seems ok so I think I can use it for signalling back to node-red from the phone which is one of the things I want to do.
If it is only point to point then I would either create a VPN between them or nail up an SSH tunnel and use that.
Probably don't need to tell you about VPNs, but an SSH tunnel will let you send a single port (or multiple ports) between the two machines. So, for instance, anything sent to (say) port 1881 on one machine will be sent through the SSH tunnel to a nominated port (such as 1880) on the other end (i.e. the tunnel just looks like another port on each end of the link).
If you need to connect two networks, I personally would use a VPN or, more likely, an SSH tunnel if you are only looking to connect a couple of ports. Either way, you will also need to make sure that you lock down the connection using firewalls at both ends with tightly controlled connections. See my discussion elsewhere about the dangers of VPNs between networks.
Also make sure that the devices on either end have different user IDs/passwords. The idea is to make traversal more difficult if someone cracks into one side.
Sorry if this is already in Pete's article, I've not had a chance to read it.
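As an added example (not from any poster in this thread) of the point-to-point SSH tunnel described in the two posts above, with the "tightly controlled" part done on the far end: the tunnel account's key can only open a forward to Node-RED's port, and the local end binds to loopback only. Host names, account names, key paths and the key placeholder are assumptions.

```conf
# --- Far end (the machine running the remote Node-RED) ---

# /etc/ssh/sshd_config: a dedicated, key-only account for the tunnel
Match User tunnel
    PasswordAuthentication no
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:1880
    X11Forwarding no
    AllowAgentForwarding no

# ~tunnel/.ssh/authorized_keys: "restrict" switches everything off, then
# only port forwarding to the Node-RED port is switched back on
restrict,port-forwarding,permitopen="127.0.0.1:1880" ssh-ed25519 AAAA...KEY-PLACEHOLDER tunnel@initiator

# Node-RED itself should listen on loopback only (uiHost in settings.js),
# so the tunnel is the only way to reach it from outside the host.

# --- Near end (the machine that starts the tunnel) ---

# ~/.ssh/config: afterwards the tunnel is started with:  ssh -N nr-tunnel
Host nr-tunnel
    HostName far-end.example.com
    User tunnel
    IdentityFile ~/.ssh/nr_tunnel_ed25519
    IdentitiesOnly yes
    # local 1881 -> remote Node-RED on 1880, bound to 127.0.0.1 so nothing
    # else on the LAN can ride the tunnel
    LocalForward 127.0.0.1:1881 127.0.0.1:1880
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

With this in place, a flow on the near end reaches the far Node-RED at http://127.0.0.1:1881/, and a compromised near-end key still cannot open forwards to anything but port 1880.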
Yes, the tunnel would be a good solution if it were just point to point and I have used them in the past, but I also want to get messages from Android into node-red and I don't want to have the phone permanently connected to my VPN. I see there are ssh tunnel apps for android but I would want to know it was secure before going down that path.
Put one of the better SSH tunnel clients on your Android phone, turn off mobile data, connect it to your wireless LAN at home and then do a packet capture of everything from that address for 24 hours. Make sure there is no bleed out from the app.
That is the only real way to make sure it is secure. Alternatively, why not nail up a permanent OpenVPN from the phone for a single LAN address (i.e. not send everything out through the VPN)? The overheads on the data side for the phone are minimal, but it does impact battery life if that is a concern. I have this on my phone and find it affects the battery life by about 10% each day.
Alternatively, SaaS with a VPN server of your own hosted by a provider.
I assume you mean to put one on a VPS on the Internet? You will need to make sure that whatever Android client you use supports secure connectivity, preferably client-certificate based. You will also need to be very cautious how you set up your server. It is quite a bit of work to set up securely.
As always, a lot depends on the sensitivity of your system. If you are using it as a convenience to turn on/off a few lights, that's one thing. Controlling your boiler, relying on it for building security, ... that might be different since the risks are higher.
Another alternative would be to set up an API server using a simple web server. This is more likely to have been battle tested. However, you'd lose the pub/sub element.
Yes, I already have a VPS in the cloud. I will only be using this route for informational data not critical control. I connect via my VPN when I want to do that. So I am not worried about the security of the data itself. In terms of security of the server that is more important, but I think that I am much more likely to get hacked via one of the web sites there than via an MQTT server. But even with the server I have (hopefully) designed everything so that even in the worst case I can regenerate the server from scratch without too much work. All the critical data there are backed up offsite.