Custom MQTT broker

1. OpenSSL software library (should be preinstalled by default on all Linux distributions)

2. Access to your router (via IP address using the administrator username and password)

3. External (static) IP provided by your internet service provider (ISP)

4. GUI-O application version 1.0.47 or higher

IMPORTANT NOTE #1: It is necessary to ask your ISP for static IP configuration. The certificate in the following steps will be issued for a specific IP. If you do not use static IP configuration, your ISP can change the IP address without notice and the connection to the MQTT broker will not work.

IMPORTANT NOTE #2: It is generally recommended that a host name is used instead of IP address, but this requires registering the host name with a domain name registrar and setting up some additional settings.

1. Open the terminal and install Mosquitto broker:

sudo apt install mosquitto

1. Enter the following command:

curl ifconfig.me; echo

This will output your external IP, which is needed when issuing the server certificate. You can alternatively navigate to: https://whatismyipaddress.com/.

1. Create a private key and CA certificate:

openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt

IMPORTANT NOTE: The "ca.key" file should be kept secure and not shared with anyone.

The "days" value is in this case set to 365 (1 year) and denotes the certificate validity. This value can be changed based on your requirements. After the command is executed, you will be prompted to enter a pass phrase and additional certificate information such as country code, state name, city, etc.

2. (Optionally) check the certificate info:

openssl x509 -noout -text -in ca.crt

1. Create "server.cnf" file (you can alternatively download the file here):

nano server.cnf

Add the following content and replace the "[dn]" and "[alt_names]" sections with your information (use the external IP address obtained in Step 2):

[req]

default_bits = 2048

prompt = no

default_md = sha256

distinguished_name = dn

req_extensions = req_ext

[dn]

C = COUNTRY_CODE_HERE

ST = STATE_HERE

L = CITY_HERE

O = ORGANIZATION_HERE

OU = ORGANIZATION_UNIT_HERE

CN = IP_ADDRESS_HERE

[req_ext]

subjectAltName = @alt_names

[alt_names]

IP.1 = IP_ADDRESS_HERE

NOTE: To save and exit "nano" text editor, press "Ctrl+x", then "y" and "Enter" key.

2. Create a private key:

openssl genrsa -out server.key 2048

3. Create certificate signing request:

openssl req -new -key server.key -out server.csr -config server.cnf

4. Create self-signed certificate using the signing request

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

The "days" value is in this case set to 365 (1 year) and denotes the certificate validity. This value can be changed based on your requirements. After the command is executed, you will be prompted to enter the pass phrase for "ca.key" (this is the pass phrase that was set in Step 3).

5. Change the permissions for "server.key" file:

sudo chmod a+r server.key

1. Copy the "ca.crt" to your Android device (e.g., Documents folder), where GUI-O application is installed. You can send the certificate via email, transfer it via USB cable, etc.

1. Move the "ca.key" and "ca.crt" file to "/etc/mosquitto/ca_certificates" folder:

sudo mv ca.crt ca.key /etc/mosquitto/ca_certificates/

2. Move the "server.key" and "server.crt" file to "/etc/mosquitto/certs" folder:

sudo mv server.crt server.key /etc/mosquitto/certs/

1. Create "default.conf" file in "/etc/mosquitto/conf.d" (you can alternatively download the file here):

sudo nano /etc/mosquitto/conf.d/default.conf

Add the following content:

# Listener

listener 8883

cafile /etc/mosquitto/ca_certificates/ca.crt

certfile /etc/mosquitto/certs/server.crt

keyfile /etc/mosquitto/certs/server.key

require_certificate false

use_identity_as_username false

# TLS

tls_version tlsv1.2

# Security

allow_anonymous false

password_file /etc/mosquitto/passwd

# Logging

#log_type error

#log_type warning

log_type all

NOTE: To save and exit "nano" text editor, press "Ctrl+x", then "y" and "Enter" key.

2. Create user name and password for authentication when connecting to the broker (replace the "USER" and "PASS" with your user name and password - both will be required by the GUI-O application when connecting to the broker):

sudo mosquitto_passwd -b /etc/mosquitto/passwd USER PASS

NOTE: You can add more users with different credentials using this command.

3. Restart the Mosquitto service:

sudo systemctl restart mosquitto.service

4. (Optionally) check the status of the Mosquitto service:

sudo systemctl status mosquitto.service

1. Determine the MAC (hardware) address of your device, where the Mosquitto broker is running:

ifconfig

This command will output the MAC address after the "ether" keyword (formatted as xx:xx:xx:xx:xx:xx).

2. Open your browser and enter the router IP address into the address bar (the router IP is usually printed on the back of the router). Enter router user name and password when prompted.

3. Set a local static IP based on the MAC address of the device. Note that the procedure for setting a local static IP varies depending on the make and model of your router.

4. Setup port forwarding by using the local static IP and setting the internal port range from 8883 to 8883 (this is the port that the Mosquitto service is listening on). Set the external port range to any valid value based on your preferences (e.g., from 43519 to 43519). Use TCP protocol and save the settings, making sure that the newly added port forwarding rule is enabled.

5. Reboot the router.

6. Restart the device, where the Mosquitto broker is running. After the restart, the device should have obtained the local static IP (you can check this by running the "ifconfig" command).

1. Open GUI-O application on your Android device and navigate to "Settings -> Connections IoT -> IoT Settings".

2. Tap on "Server name" and set the value to your external IP, which was determined in Step 2.

3. Tap on "SSL port number" and set the value to your external port number, which was set in Step 8 (e.g., 43519).

4. Tap on "User name" and set the user name for authentication, which was created in Step 7.

5. Tap on "User password" and set the password for authentication, which was created in Step 7.

6. Tap on "Import certificate" and select the "ca.crt", which was transferred to the device in Step 5.

7. Return to the previous menu and tap "Connect". If everything was setup correctly, the connection to the Mosquitto broker should be established successfully.

1. Download BasicMQTT_Mosquitto.ino sketch and open it in Arduino IDE.

2. Get the "ca.crt" data in plain text format. Open the terminal on the device where the Mosquitto broker is running and run the following command:

cat /etc/mosquitto/ca_certificates/ca.crt

Copy the certificate displayed in the terminal and replace the one in BasicMQTT_Mosquitto.ino source code (keep same certificate formatting).

3. Finally, refer to ESP32 MQTT video example, while using the BasicMQTT_Mosquitto.ino sketch. Make sure that the external IP (mqttIP), external port number (mqttPort), user name (mqttUser) and password (mqttPass) variables are set according to Step 9.

NOTE: Do not forget to generate and set the publish and subscribe topics!

1. OpenSSL software library:

Download light version here and install. Install OpenSSL directly to the main partition (e.g., "C:\OpenSSL-Win64"). When prompted copy DLLs to OpenSSL binaries directory.

2. Access to your router (via IP address using the administrator username and password)

3. External (static) IP provided by your internet service provider (ISP)

4. GUI-O application version 1.0.47 or higher

IMPORTANT NOTE #1: It is necessary to ask your ISP for static IP configuration. The certificate in the following steps will be issued for a specific IP. If you do not use static IP configuration, your ISP can change the IP address without notice and the connection to the MQTT broker will not work.

IMPORTANT NOTE #2: It is generally recommended that a host name is used instead of IP address, but this requires registering the host name with a domain name registrar and setting up some additional settings.

1. Download Mosquitto broker here and perform full installation directly to the main partition (e.g., "C:\mosquitto")

1. Open the command prompt (cmd) and enter the following command:

curl ifconfig.me

This will output your external IP, which is needed when issuing the server certificate. You can alternatively navigate to: https://whatismyipaddress.com/.

1. Navigate to Mosquitto folder:

cd C:\mosquitto

2. Create a new folder:

mkdir certs

3. Navigate to newly created folder

cd certs

4. Create a private key and CA certificate:

C:\OpenSSL-Win64\bin\openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt

IMPORTANT NOTE: The "ca.key" file should be kept secure and not shared with anyone.

The "days" value is in this case set to 365 (1 year) and denotes the certificate validity. This value can be changed based on your requirements. After the command is executed, you will be prompted to enter a pass phrase and additional certificate information such as country code, state name, city, etc.

5. (Optionally) check the certificate info:

C:\OpenSSL-Win64\bin\openssl x509 -noout -text -in ca.crt

1. Create "server.cnf" file (you can alternatively download the file here):

cd. > server.cnf

Add the following content and replace the "[dn]" and "[alt_names]" sections with your information (use the external IP address obtained in Step 2):

[req]

default_bits = 2048

prompt = no

default_md = sha256

distinguished_name = dn

req_extensions = req_ext

[dn]

C = COUNTRY_CODE_HERE

ST = STATE_HERE

L = CITY_HERE

O = ORGANIZATION_HERE

OU = ORGANIZATION_UNIT_HERE

CN = IP_ADDRESS_HERE

[req_ext]

subjectAltName = @alt_names

[alt_names]

IP.1 = IP_ADDRESS_HERE

2. Create a private key:

C:\OpenSSL-Win64\bin\openssl genrsa -out server.key 2048

3. Create certificate signing request:

C:\OpenSSL-Win64\bin\openssl req -new -key server.key -out server.csr -config server.cnf

4. Create self-signed certificate using the signing request

C:\OpenSSL-Win64\bin\openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

The "days" value is in this case set to 365 (1 year) and denotes the certificate validity. This value can be changed based on your requirements. After the command is executed, you will be prompted to enter the pass phrase for "ca.key" (this is the pass phrase that was set in Step 3).

1. Copy the "ca.crt" to your Android device (e.g., Documents folder), where GUI-O application is installed. You can send the certificate via email, transfer it via USB cable, etc.

1. Use any text editor to open "mosquitto.conf" file located under "C:\mosquitto" (you can alternatively download the file here):

Find the "Listeners" section and set:

listener 8883

Find the "Certificate based SSL/TLS support" section and set:

cafile C:\mosquitto\certs\ca.crt

certfile C:\mosquitto\certs\server.crt

keyfile C:\mosquitto\certs\server.key

require_certificate false

use_identity_as_username false

tls_version tlsv1.2

Find the "Security" section and set:

allow_anonymous false

password_file C:\mosquitto\pwfile.example

Save the file.

2. Create user name and password for authentication when connecting to the broker (replace the "USER" and "PASS" with your user name and password - both will be required by the GUI-O application when connecting to the broker):

C:\mosquitto\mosquitto_passwd -b C:\mosquitto\pwfile.example USER PASS

NOTE: You can add more users with different credentials using this command.

3. Restart Windows

4. If the Mosquitto service is not started after the restart, open the cmd as administrator and run:

C:\mosquitto\mosquitto install

1. Open cmd and determine the MAC (hardware) address of your device, where the Mosquitto broker is running:

ipconfig /all

This command will output the MAC address / "Physical Address" (formatted as xx-xx-xx-xx-xx-xx).

2. Open your browser and enter the router IP address into the address bar (the router IP is usually printed on the back of the router). Enter router user name and password when prompted.

3. Set a local static IP based on the MAC address of the device. Note that the procedure for setting a local static IP varies depending on the make and model of your router.

4. Setup port forwarding by using the local static IP and setting the internal port range from 8883 to 8883 (this is the port that the Mosquitto service is listening on). Set the external port range to any valid value based on your preferences (e.g., from 43520 to 43520). Use TCP protocol and save the settings, making sure that the newly added port forwarding rule is enabled.

5. Reboot the router.

6. Restart the device, where the Mosquitto broker is running. After the restart, the device should have obtained the local static IP (you can check this by running the "ipconfig" command).

1. Open GUI-O application on your Android device and navigate to "Settings -> Connections IoT -> IoT Settings".

2. Tap on "Server name" and set the value to your external IP, which was determined in Step 2.

3. Tap on "SSL port number" and set the value to your external port number, which was set in Step 7 (e.g., 43520).

4. Tap on "User name" and set the user name for authentication, which was created in Step 6.

5. Tap on "User password" and set the password for authentication, which was created in Step 6.

6. Tap on "Import certificate" and select the "ca.crt", which was transferred to the device in Step 5.

7. Return to the previous menu and tap "Connect". If everything was setup correctly, the connection to the Mosquitto broker should be established successfully.

1. Download BasicMQTT_Mosquitto.ino sketch and open it in Arduino IDE.

2. Open the "ca.crt" file using a text editor and copy / replace the certificate with the one in BasicMQTT_Mosquitto.ino source code (keep same certificate formatting)

3. Finally, refer to ESP32 MQTT video example, while using the BasicMQTT_Mosquitto.ino sketch. Make sure that the external IP (mqttIP), external port number (mqttPort), user name (mqttUser) and password (mqttPass) variables are set according to Step 8.

NOTE: Do not forget to generate and set the publish and subscribe topics!