Secure MQTT connection

I have a client (Raspberry Pi). On the Raspberry Pi, mosquitto and Node-RED are running. On the other side I have rented a server in a cloud. On the server, mosquitto and Node-RED are also running. Obviously, I would not let everybody send data to my server, therefore I am using the VPN concept.
At the moment, for some reason, I do not want to use the VPN. Then comes the next solution: "implementing the TLS/SSL".

I have read many posts but I could not understand it properly. Could anyone help me, please? At least some clear steps I need to take.

What I have understood so far is that I need to

  1. Retrieve the SSL from letsencrypt (on my server side). Then I need to make some configuration. Then I need to create a user and password on the server.

  2. Then I need to generate the self-signed SSL certificate (on the Raspberry Pi side). Then I need to use the user and password (that have been created in step 1) in the Node-RED configuration. My server would let the Raspi send data to the server if it has the correct user and password.

If you are using Let's Encrypt, you don't need to use a self-signed cert. Though if you want to use the LE cert internally on your network as well as across the Internet, you will need to make sure that you access internal resources using a recognisable domain name (a LE cert can be valid for multiple domain names but it can never be valid for non-routable IP addresses). If you don't do that, you will always get invalid certificate warnings when using internally.

There is a custom node that will help you manage LE certs or you can simply set up the acme.sh script.

Do yourself a favour though and on that VPS, change or proxy any external well-known TCP/IP port numbers to something custom (except for ports 80 and 443). Most especially change the default ports for SSH, Node-RED and MQTT. Also make sure that you have correctly configured the VPS's local firewall and installed and correctly configured Fail2Ban. Also make sure that no root login is allowed on SSH and that you have set strong passcodes everywhere (use a passcode generator and manager, minimum 15 character passcodes, 23 character is better).

Thank you very much.

@TotallyInformation What you have suggested to me in the last paragraph, I have almost everything already. My request to you is:
How can I send data via MQTT from the Raspberry Pi to my cloud server in a secure way?
Please write me a very simple explanation, as I don't have deep knowledge about this stuff.

Thank you once again

@Paul-Reed I have seen one of your posts related to it. Could you please help me out?

I have a remote Linux server with a domain name (laibek.daibj.hfw.de).

Now I want to send data from a Raspberry Pi to this server via secure MQTT.

Getting the SSL/TLS certificate for the remote server is not a big deal as the server has a domain name. But how can I get the SSL/TLS certificate for my client (Raspberry Pi)?

Where do I get these files for the Raspberry Pi?

Thank you in advance

Node-RED's MQTT nodes support TLS encryption and that is the same as a website where HTTP becomes HTTPS. MQTT becomes MQTTS. You need to configure the Broker on your VPS with TLS and disallow non-TLS traffic. There is a long thread on this somewhere on the forum. I'm afraid that I don't currently have the time available to create a detailed tutorial.

Do it all on the Pi first to get it working then transfer the settings to your VPS.

I've already outlined that. You either create a self-signed certificate - there are plenty of tutorials for that on the web. If you go this way, you will need to copy the public key to your VPS so that it can validate the incoming encrypted handshake.

Or you choose to use a domain name locally. How you do that rather depends on your local router (whether it supports "hairpin DNS"); if not, you can use HOSTS files on each computer.


To be honest, you have jumped into the most complex security scenario without, it sounds like, the experience to make sure that it is going to be secure. I would be reluctant to try and give you a step-by-step guide because TLS is notoriously hard to keep secure. A single misconfiguration would leave you in a position where you think you are secure but you are not.

@TotallyInformation
I appreciate your support. Thank you. I will try and then I will let you know.

By the way, does it make sense that on the server side I can get the SSL from Let's Encrypt and on the Raspi side a self-signed certificate?

You don't need a certificate on the Pi just in order to use wss to access mqtt on the server. Just the same as you don't need a certificate on your PC to access https websites. Just configure the MQTT nodes to use wss but don't Enable Secure Connection, unless you need more than the normal wss with user/pwd access provides.

@Colin Thank you. It did work for me :slight_smile:

Now I have an SSL certificate from letsencrypt on my remote server. I have configured the mosquitto file on the server so that I could set the path to the SSL files. In addition to this I opened port 8883 on my remote server.

On the Raspberry Pi I only changed the port (8883) and server (mqtts:laibek.daibek.hfsw.de).

I am able to connect to my server. I have the following questions:

  1. Is it safe to keep this port 8883 open on the remote server?
  2. Is the above connection (from the Raspberry Pi to the server) secure?
  3. In this way anybody who knows my server domain name can send the data, isn't it dangerous? I want only my trusted customers to be able to send data to my server.

Grateful for your valuable support

I will answer that question first. I deduce from the fact that you ask the question that you have not setup mosquitto to require a username/password (and make the password strong, you don't need to type it regularly so it can be a random selection of characters). You must do that and then only those with the credentials will be able to connect.

It depends what you mean by safe. Provided you keep mosquitto up to date in case any security issues are found there then it should be secure against normal hackers. If, however, you became the focus of a specific determined attack against you by an organisation with significant resources then all bets are off, pretty much whatever you do.

The same answer as above, without knowledge of the credentials then a normal hacker will not be able to get in, and since you have chosen a good strong password and non-obvious user name then brute force attacks should not let anyone in.

@Colin Great!

I just need to know one more thing. Will I have to generate that user/password on my server? Then my trusted user can use those credentials in their Node-RED MQTT configuration (Raspberry Pi)?

Yes, see http://www.steves-internet-guide.com/mqtt-username-password-example/

I already said that you should change all of the default ports (other than 80 and 443) to something else. It will save you a lot of trouble.

You also need to configure the Linux firewall and install and configure fail2ban.

I would never expose a server to the internet without these minimalist protections.

Better still, in the firewall make sure that you only allow inbound connections from known source locations - e.g. your home broadband IP address. If you are on a dynamic IP address, at least restrict the addresses to the band that your ISP might issue you.

That way, it is very hard for any attack to get a foothold.
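Added example, not part of any post in this thread: a small audit of a `mosquitto.conf` for the two broker-side points made above (no non-TLS listener reachable from the network, and username/password required). Both configs, the hostname `mqtt.example.org` and the file paths are constructed placeholders; the check assumes mosquitto 2.x defaults and that `per_listener_settings` is not enabled.

```python
# Constructed sample configs; hostname and paths are placeholders, not from the thread.
LE = "/etc/letsencrypt/live/mqtt.example.org"
WEAK_CONF = f"""\
listener 1883
allow_anonymous true
listener 8883
certfile {LE}/fullchain.pem
keyfile {LE}/privkey.pem
"""
HARDENED_CONF = f"""\
listener 1883 127.0.0.1
listener 8883
certfile {LE}/fullchain.pem
keyfile {LE}/privkey.pem
allow_anonymous false
password_file /etc/mosquitto/passwd
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse(conf):
    """Split a config into global options and a list of listener blocks."""
    glob, listeners, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":  # syntax: listener <port> [bind address]
            port, _, bind = value.strip().partition(" ")
            current = {"port": int(port), "bind": bind.strip()}
            listeners.append(current)
        elif key in ("certfile", "keyfile") and current is not None:
            current[key] = value.strip()  # TLS options belong to the last listener
        else:
            glob[key] = value.strip()     # assumption: auth options are global
    return glob, listeners

def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    glob, listeners = parse(conf)
    findings = []
    for lis in listeners:
        if not ("certfile" in lis and "keyfile" in lis) and lis["bind"] not in LOOPBACK:
            findings.append(f"listener {lis['port']}: no TLS, reachable from the network")
    if glob.get("allow_anonymous", "false") == "true":  # 2.x default is false
        findings.append("allow_anonymous true: clients can connect without credentials")
    if "password_file" not in glob:
        findings.append("no password_file: username/password login is not configured")
    return findings
```

Calling `audit()` on the text of the real `/etc/mosquitto/mosquitto.conf` (plus any included files) gives the same report for a live broker.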