{"id":20079100,"url":"https://github.com/mkgeiger/mqtt-broker","last_synced_at":"2026-05-19T04:31:54.814Z","repository":{"id":177431998,"uuid":"328119274","full_name":"mkgeiger/mqtt-broker","owner":"mkgeiger","description":"setting up a local mqtt broker on raspberry-pi with mosquitto and node-red","archived":false,"fork":false,"pushed_at":"2021-01-30T14:57:29.000Z","size":433,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-13T01:12:33.876Z","etag":null,"topics":["1883","8883","broker","certificate-authority","certificate-request","dashboard","ddclient","dyn-dns","iot","key-pair","mosquitto","mqtt","node-red","openssl","publish","raspberry-pi","self-signed","subsribe","tls","topic"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mkgeiger.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-09T09:29:58.000Z","updated_at":"2023-03-26T09:40:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"a6606209-72ee-45c5-91c2-52b18caa6b08","html_url":"https://github.com/mkgeiger/mqtt-broker","commit_stats":null,"previous_names":["mkgeiger/mqtt-broker"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkgeiger%2Fmqtt-broker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkgeiger%2Fmqtt-broker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkgeiger%2Fmqtt-broker/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mkgeiger%2Fmqtt-broker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mkgeiger","download_url":"https://codeload.github.com/mkgeiger/mqtt-broker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241509658,"owners_count":19974071,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["1883","8883","broker","certificate-authority","certificate-request","dashboard","ddclient","dyn-dns","iot","key-pair","mosquitto","mqtt","node-red","openssl","publish","raspberry-pi","self-signed","subsribe","tls","topic"],"created_at":"2024-11-13T15:19:49.458Z","updated_at":"2026-05-19T04:31:49.770Z","avatar_url":"https://github.com/mkgeiger.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# MQTT broker with Mosquitto and Node-RED\n\n## Overview\nThis is an instruction on how to install and configure a Raspberry Pi as an MQTT broker. The free software packages Mosquitto and Node-RED will be used. This project is intended to install a local MQTT broker in a local network which can also be accessed from the Internet over a secure TLS connection. The benefit is to have full control over the broker and its availability and reliability instead of using a public (Chinese) broker.\n\n## Prerequisites\n* a DynDns-account (e.g. https://freemyip.com/) needs to be created to be able to access your MQTT broker from the Internet. 
Since your Internet provider assigns a different IP address to your router from time to time, this is what lets your MQTT broker always be reached under the same domain name. If you intend to use your MQTT broker only in the internal network, you can skip this step. As a DDNS client I can recommend the `ddclient` daemon, which can also run on the Raspberry Pi.\n* port forwarding needs to be configured in your router for port 8883. This is the TLS-secured MQTT port.\n* a static IP address needs to be assigned to the Raspberry Pi instead of DHCP. This is required by the router for port forwarding and by the MQTT clients.\n\n## Setup\n![MqttSetup](/mqtt_setup.png)\n\n## Installation\nMosquitto was chosen as the broker software.\n```\nsudo apt update\nsudo apt-get install mosquitto mosquitto-clients openssl\n```\nYou now have a very basic, working MQTT broker on port 1883 with no user authentication.\n\n## Mosquitto daemon\nSeveral commands exist to control the daemon.\n```\nsudo systemctl stop mosquitto\nsudo systemctl start mosquitto\nsudo systemctl restart mosquitto\nsudo systemctl status mosquitto\n```\n\n## Create a user\nI locked down my broker so that only clients that know the password can publish to a topic. You can get very granular here, allowing certain usernames to publish to certain topics only. In my case there is only one user who can publish. Create a password for publishing with:\n```\nsudo mosquitto_passwd -c /etc/mosquitto/passfile \u003cyour username\u003e\n```\n\n## The Mosquitto configuration file\nThe Mosquitto configuration file can be edited with the following command. Make sure you have no trailing spaces at the end of the lines or Mosquitto may give you an error.\n```\nsudo nano /etc/mosquitto/mosquitto.conf\n```\nThe Mosquitto configuration file used for this setup is shown below. 
Short explanation: anonymous users are not allowed to connect; the default port 1883 (no TLS) is for internal MQTT clients; port 8883 (secured with TLS v1.2) is for external MQTT clients and references the required crypto material; no client certificates are required.\n```\npid_file /var/run/mosquitto.pid\n\npersistence true\npersistence_location /var/lib/mosquitto/\n\nlog_dest file /var/log/mosquitto/mosquitto.log\n\ninclude_dir /etc/mosquitto/conf.d\n\nallow_anonymous false\npassword_file /etc/mosquitto/passfile\n\nlistener 1883\n\nlistener 8883\ncertfile /etc/mosquitto/certs/server.crt\ncafile /etc/mosquitto/ca_certificates/ca.crt\nkeyfile /etc/mosquitto/certs/server.key\ntls_version tlsv1.2\nrequire_certificate false\n```\n\n## Creating TLS crypto material with openssl\n![TLShandshaking](/tls_handshaking.png)\n\n1. As we are our own CA (certificate authority), we first create our CA key pair. Make sure this CA key is stored securely so that it cannot be stolen.\n```\nsudo openssl genrsa -out ca.key 2048\n```\n2. Now create a self-signed certificate for the CA using the CA key. Fill in some information for every field of the certificate request.\n```\nsudo openssl req -new -x509 -days 15000 -key ca.key -out ca.crt\n```\n3. Now we create a server key pair that will be used by the broker.\n```\nsudo openssl genrsa -out server.key 2048\n```\n4. Now we create a server certificate request. When filling out the form, the `Common Name` is important and is usually the domain name of the server. In my case it would be `YOUR_DOMAIN.freemyip.com`. Please fill in the other fields with slightly different values than in step 2.\n```\nsudo openssl req -new -out server.csr -key server.key\n```\n5. Now we use the CA key to verify and sign the server certificate request. This creates the server.crt file.\n```\nsudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 15000\n```\nNow copy server.crt and server.key to /etc/mosquitto/certs/ and ca.crt to /etc/mosquitto/ca_certificates/. 
Then change the owner of these files.\n```\nsudo chown -R mosquitto: /etc/mosquitto/certs/\nsudo chown -R mosquitto: /etc/mosquitto/ca_certificates/\n```\n\n## Testing the broker\n### Broker log file\nYou can see all traces of the MQTT broker in the mosquitto.log file. It is best to run the following command in a separate terminal.\n```\nsudo tail -f /var/log/mosquitto/mosquitto.log\n```\n### Local testing on the broker\nThe package `mosquitto-clients` is used for the following. Here is an example of publishing and subscribing to a topic.\n```\nmosquitto_pub -t \"your topic\" -h localhost -u \"your username\" -P \"your password\" -m \"your value\" -p 1883\nmosquitto_sub -t \"your topic\" -h localhost -u \"your username\" -P \"your password\" -p 1883\n```\n### Testing on other MQTT clients\nThe package `mosquitto-clients` is used for the following and also needs to be installed on the connected MQTT clients. Here is an example of publishing and subscribing to a topic from connected MQTT clients.\n```\nmosquitto_pub -t \"your topic\" -h 192.168.1.10 -u \"your username\" -P \"your password\" -m \"your value\" -p 1883\nmosquitto_sub -t \"your topic\" -h 192.168.1.10 -u \"your username\" -P \"your password\" -p 1883\nmosquitto_pub -t \"your topic\" -h raspberrypi.local -u \"your username\" -P \"your password\" -m \"your value\" -p 1883\nmosquitto_sub -t \"your topic\" -h raspberrypi.local -u \"your username\" -P \"your password\" -p 1883\n```\n## Android client\nI am using the IOT-MQTT-Panel-Pro app for Android OS. Make sure to copy the previously generated ca.crt file to your Android device and reference it from the app. This is required to establish the secure TLS connection between your Android device and the broker. Now you can talk from your Android device to your IoT device from anywhere in the world.\n![IOTmqttPanelPro](/iot_mqtt_panel_pro.png)\n\n## Node-RED\nNode-RED is a programming tool for wiring together hardware devices and APIs. 
It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette, which can be deployed to its runtime in a single click.\n\n### Installation\nTo install Node.js, npm and Node-RED on the broker, issue the following command.\n```\nbash \u003c(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered)\n```\nAfter successful installation you need to start Node-RED by executing the following command.\n```\nnode-red-start\n```\nNode-RED can be enabled as a service (started automatically at boot) with this command.\n```\nsudo systemctl enable nodered.service\n```\nNow you can directly access Node-RED over the IP address or hostname of the Raspberry Pi on port 1880. You can configure your flows now. Your local Node-RED server can act like any other MQTT client and communicates directly with the Mosquitto broker.\n```\nhttp://raspberrypi.local:1880\n```\n\n### Dashboard installation\n![NodeRED](/node_red.png)\n\nNode-RED dashboard is a module that provides a set of nodes in Node-RED to quickly create a live data dashboard. To install the Node-RED Dashboard, run the following commands.\n```\nnode-red-stop\ncd ~/.node-red\nnpm install node-red-dashboard\n```\nThen reboot your Raspberry Pi to ensure that all changes take effect in the Node-RED software. To open the Node-RED UI, type your Raspberry Pi IP address or hostname in a web browser followed by :1880/ui as shown below.\n```\nhttp://raspberrypi.local:1880/ui\n```\n### Securing Node-RED and the Dashboard\nFor Node-RED (and the Dashboard) it is also possible to set up a mutually authenticated (2-way) TLS connection to secure the connection between a mobile client and the Node-RED server. Make sure to set up port forwarding for port 1880 in your router first. The key and the certificates generated for the Mosquitto server can be reused for Node-RED. So copy ca.crt, server.key and server.crt to the `/home/pi/.node-red` directory. 
Find, uncomment and adapt the following sections in the file `/home/pi/.node-red/settings.js`:\n1. add a user (admin) + password for the Node-RED flow editor\n```\n    adminAuth: {\n        type: \"credentials\",\n        users: [{\n            username: \"admin\",\n            password: \"$2b$18$SWlyou_will_not_guess_my_passwordUnoMkHu/eWAn0iaXcHjz\",\n            permissions: \"*\"\n        }]\n    },\n```\n2. set user + password for the nodes (e.g. the dashboard node)\n```\n    httpNodeAuth: {user:\"admin\",pass:\"$2b$18$SWlyou_will_not_guess_my_passwordUnoMkHu/eWAn0iaXcHjz\"},\n```\n3. set up the https protocol with key and certificates, with client certificate authentication required\n```\n    https: {\n      ca: require(\"fs\").readFileSync('/home/pi/.node-red/ca.crt'),\n      key: require(\"fs\").readFileSync('/home/pi/.node-red/server.key'),\n      cert: require(\"fs\").readFileSync('/home/pi/.node-red/server.crt'),\n      requestCert: true,\n      rejectUnauthorized: true,\n    },\n```\n4. always redirect http requests to https requests\n```\n   requireHttps: true,\n```\nThe hash for the admin password (steps 1 and 2) can be generated with the command:\n```\nnode-red admin hash-pw\n```\nThe Node-RED server-side security setup is now complete and the Raspberry Pi can be restarted. Let's go to the client installation. The client can be a smartphone with e.g. Android installed. No special Node-RED client needs to be installed, as the Node-RED server acts as a normal web server and the default web browser is sufficient. We need to generate the Node-RED client key and certificate for the client authentication.\n1. Now we create a client key pair that will be used by the client.\n```\nsudo openssl genrsa -out client.key 2048\n```\n2. Now we create a client certificate request.\n```\nsudo openssl req -new -out client.csr -key client.key\n```\n3. Now we use the CA key to verify and sign the client certificate request. 
This creates the client.crt file.\n```\nsudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 15000\n```\n4. Now create a PKCS12 container for the client key and client certificate, so that it can easily be imported into e.g. the smartphone keystore.\n```\nsudo openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12\n```\nNow transfer the files ca.crt and client.p12 to your smartphone's memory and install them (by double click) into your smartphone's keystore, giving them meaningful names. Don't forget to delete both files from the smartphone's memory afterwards. Done. You can now access your Node-RED server editor from the Internet via e.g. `https://YOUR_DOMAIN.freemyip.com:1880` and the dashboard via `https://YOUR_DOMAIN.freemyip.com:1880/ui`. Be aware that access from your internal network is now also only possible over https, because all http requests are now redirected to https. For the editor it is `https://YOUR_INTERNAL_IP:1880` and for the dashboard `https://YOUR_INTERNAL_IP:1880/ui`.\n\n## DynDns client (ddclient) configuration example\n### Installation\nFirst you need to install ddclient.\n```\nsudo apt-get install ddclient\n```\n\n### Configuration\nYou need to edit the following configuration file.\n```\nsudo nano /etc/ddclient.conf\n```\nHere is an example of the configuration to be used with a freemyip DynDns account (of course many others exist). Short explanation: your external WAN IP address is looked up via the server `checkip.feste-ip.net` (again, many others exist). 
In this example the daemon would update your WAN IP address at the DynDns server every 600 seconds.\n```\ncustom=yes\nprotocol=dyndns2\nuse=web\nserver=freemyip.com\nweb=checkip.feste-ip.net\nweb-skip='Current IP Address: '\ndaemon=600\nsyslog=yes\npid=/var/run/ddclient.pid\nlogin=YOUR_TOKEN\npassword='YOUR_TOKEN'\nYOUR_DOMAIN.freemyip.com\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkgeiger%2Fmqtt-broker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmkgeiger%2Fmqtt-broker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmkgeiger%2Fmqtt-broker/lists"}