Bridge between two Mosquitto brokers

Working with MQTT pub/sub messages is fun and useful. Mosquitto is an open source MQTT broker whose documentation is more transparent than most. The Mosquitto broker supports TLS out of the box and provides authentication via username/password, pre-shared keys or TLS client certificates. Furthermore, Mosquitto has a simple ACL through which the broker administrator can configure which clients may access which topics.

Mosquitto has a concept called a bridge for connecting one broker to another. A bridge supports multiple connections, each sharing the publish/subscribe traffic of the configured topics. Let's start with a simple example: bridging our local Mosquitto instance with our remote Mosquitto instance.


Configure local broker

Open the mosquitto.conf file and go to the section "Bridges". Here I want to bridge with the remote broker "10.101.16.82" for the topic "v1/test". Here's what you configure in the broker's configuration file.

connection test-mosquitto-bridge
address 10.101.16.82:1883
topic v1/test both 1

The last line defines which topics will be published (out) and which will be subscribed to (in), from the point of view of the local broker. "both" can be used to both publish and subscribe the topic, as I did for this example. There are many more things you can modify, but this is how you should start.

TLS/SSL bridge connection

The Mosquitto broker can establish TLS/SSL-secured bridge connections. Here is how to create a secure bridge connection using self-signed certificates.

Generate a certificate authority certificate and key.

openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt

Remote Server

Generate a key.

openssl genrsa -des3 -out rserver.key 2048

Generate a certificate signing request to send to the CA.

openssl req -out rserver.csr -key rserver.key -new

Send the CSR to the CA, or sign it with your CA key.

openssl x509 -req -in rserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rserver.crt -days <duration>

Local server

Generate a key.

openssl genrsa -des3 -out lserver.key 2048

Generate a certificate signing request to send to the CA.

openssl req -out lserver.csr -key lserver.key -new

Send the CSR to the CA, or sign it with your CA key.

openssl x509 -req -in lserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out lserver.crt -days <duration>

Open the local mosquitto.conf file and add the following configuration for the TLS/SSL bridge connection.

bridge_cafile ca.crt
bridge_certfile lserver.crt
bridge_keyfile lserver.key

Open the remote mosquitto.conf file and add the following configuration.

cafile ca.crt
certfile rserver.crt
keyfile rserver.key
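Putting the steps above together, here is an added example script (not from the original post) that runs the certificate steps unattended, gives the remote certificate an IP SAN matching the address the local bridge dials, checks that both certificates chain to the CA, and writes the two configuration fragments. It assumes the remote broker keeps the post's address 10.101.16.82, exposes its TLS listener on port 8883, and that ./bridge-pki is a scratch directory; all three are assumptions.

```shell
# Added example, not from the original post. Assumptions (constructed): remote
# broker at the post's address 10.101.16.82 with a TLS listener on 8883, and
# ./bridge-pki as a scratch directory for keys, certs and config fragments.
set -eu
REMOTE_IP="10.101.16.82"
DAYS=365
WORK="${WORK:-./bridge-pki}"
make_pki() {
  mkdir -p "$WORK"; WORK=$(cd "$WORK" && pwd)
  # CA: -nodes leaves the key unencrypted so this runs without prompts;
  # the post's -des3 variant passphrase-protects it instead.
  openssl req -new -x509 -days "$DAYS" -extensions v3_ca -nodes \
    -subj "/CN=bridge-test-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  for side in rserver lserver; do
    openssl genrsa -out "$WORK/$side.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$side.key" -subj "/CN=$side" -out "$WORK/$side.csr" 2>/dev/null
  done
  # The local bridge dials the remote by IP, so the remote cert needs that IP
  # as a SAN or the bridge's hostname verification of the server cert fails.
  printf 'subjectAltName=IP:%s\n' "$REMOTE_IP" > "$WORK/rserver.ext"
  openssl x509 -req -in "$WORK/rserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -extfile "$WORK/rserver.ext" -out "$WORK/rserver.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/lserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$DAYS" -out "$WORK/lserver.crt" 2>/dev/null
}
# Both leaf certs must chain to ca.crt, and the remote cert must carry the IP SAN.
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/rserver.crt" "$WORK/lserver.crt" >/dev/null; }
check_san() { openssl x509 -in "$WORK/rserver.crt" -noout -text | grep -q "IP Address:$REMOTE_IP"; }
write_configs() {
  # Local side: the bridge_* lines belong inside the connection block.
  cat > "$WORK/local-bridge.conf" <<EOF
connection test-mosquitto-bridge
address $REMOTE_IP:8883
topic v1/test both 1
bridge_cafile $WORK/ca.crt
bridge_certfile $WORK/lserver.crt
bridge_keyfile $WORK/lserver.key
EOF
  # Remote side: a TLS listener that also demands the bridge's client certificate.
  cat > "$WORK/remote-listener.conf" <<EOF
listener 8883
cafile $WORK/ca.crt
certfile $WORK/rserver.crt
keyfile $WORK/rserver.key
require_certificate true
EOF
}
make_pki && write_configs && check_chain && check_san && echo "bridge PKI ready in $WORK"
```

Copy local-bridge.conf into the local broker's mosquitto.conf (Bridges section) and remote-listener.conf into the remote broker's, then restart both brokers.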
