I have an ESP32 running in a private network behind a firewall. Now I would like the ESP32 to submit its sensor readings via MQTT to a VPS running e.g. Node-RED. Running this setup within the private network works, but now I am struggling to conceptualize the secure connection to the VPS through my firewall.
The options I am aware of are:
- Opening a port / port forwarding: Simple, but makes my network more vulnerable
- Holepunching via UDP: I read about it, but the implementation seems a bit too difficult for my skill/knowledge-level
- Communication between ESP and VPS via HTTPS: I would like to use MQTT to avoid the overhead, have better battery performance, publish/subscribe, etc.
- Using TLS/SSL for communication between ESP and VPS
- Setting up a DMZ, though even in that case proper security measures are needed
- VPN between your ESP32 and VPS
So my questions are:
- Would it be a good practice/secure way to open a port and let the ESP32 communicate with the VPS over TLS/SSL? Or does that still open vulnerabilities?
- Could I set both the VPS and the ESP32 to only accept connections from each other's static IP addresses? In theory that seems to be a quite straightforward approach? Or let my firewall only accept connections from these IP addresses on port 8883?
- What would be the most beginner-friendly and secure way? (VPN, TLS/SSL, firewall settings, etc.)
I have already read quite a few threads, but these questions still remained. Some clarification would be really appreciated, since I am still learning a lot about networking.
CodePudding user response:
I think you have a misunderstanding about how MQTT works.
The MQTT client (the ESP32) makes a single outbound connection to the MQTT broker (on the VPS), through which all messages in both directions (publishes and subscriptions) flow. This means the following:
- Only the VPS needs a static IP address (so the ESP32 knows where to find it)
- You can run MQTT over TLS (the VPS will need a certificate)
- You will need to open the MQTT port on the VPS to allow the client to connect
Using TLS will be significantly easier than trying to run a VPN either on the ESP32 or on the router for that network.
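As an added example (not part of the original answer or of any project mentioned above), here is an ESP32 Arduino sketch showing what the answer describes: the ESP32 opens one outbound MQTT-over-TLS connection to the broker on the VPS (port 8883) and verifies the broker's certificate against a pinned CA, so the home router needs no inbound port at all. It uses the Arduino `WiFiClientSecure` class and Nick O'Leary's `PubSubClient` library. The WiFi credentials, the broker hostname `mqtt.example.com`, the MQTT username/password, the topic names, the CA PEM and the `readSensor()` function are all placeholders you replace with your own.

```arduino
// Added example: ESP32 publishing sensor readings over MQTT+TLS to a VPS broker.
// Every value below marked "placeholder" is an assumption for illustration.
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>   // MQTT client library (Nick O'Leary)

const char*    WIFI_SSID     = "your-ssid";           // placeholder
const char*    WIFI_PASSWORD = "your-wifi-password";  // placeholder
const char*    MQTT_HOST     = "mqtt.example.com";    // placeholder VPS hostname; must match the broker cert
const uint16_t MQTT_PORT     = 8883;                  // MQTT over TLS (not 1883, which is plaintext)
const char*    MQTT_USER     = "esp32-sensor";        // placeholder broker username
const char*    MQTT_PASS     = "change-me";           // placeholder broker password
const char*    CLIENT_ID     = "esp32-sensor-01";     // placeholder, unique per device

// PEM of the CA that issued the broker's certificate (for a Let's Encrypt cert,
// the Let's Encrypt root). Placeholder: paste the real CA certificate here.
static const char BROKER_CA_PEM[] PROGMEM = R"PEM(
-----BEGIN CERTIFICATE-----
...paste the broker's CA certificate here...
-----END CERTIFICATE-----
)PEM";

WiFiClientSecure tlsClient;        // TLS transport
PubSubClient     mqtt(tlsClient);  // MQTT on top of the TLS transport

// Placeholder sensor read; replace with your real sensor code.
float readSensor() { return 21.5f; }

void connectWiFi() {
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASSWORD);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
  }
}

// Messages published by Node-RED (or anything else) to the command topic arrive here,
// over the same outbound connection; the ESP32 never listens for inbound connections.
void onMessage(char* topic, byte* payload, unsigned int length) {
  // handle commands here
}

void connectMqtt() {
  while (!mqtt.connected()) {
    // The ESP32 initiates the connection, so only the VPS must expose 8883.
    // The TLS handshake fails here if the broker cert does not chain to BROKER_CA_PEM.
    if (mqtt.connect(CLIENT_ID, MQTT_USER, MQTT_PASS)) {
      mqtt.subscribe("sensors/esp32-01/cmd");   // placeholder topic
    } else {
      delay(5000);   // back off before retrying instead of hammering the broker
    }
  }
}

void setup() {
  connectWiFi();
  tlsClient.setCACert(BROKER_CA_PEM);  // verify the broker; do not use setInsecure()
  mqtt.setServer(MQTT_HOST, MQTT_PORT);
  mqtt.setCallback(onMessage);
}

void loop() {
  if (!mqtt.connected()) {
    connectMqtt();
  }
  mqtt.loop();   // services the connection and delivers subscribed messages

  static unsigned long lastPublish = 0;
  if (millis() - lastPublish > 30000UL) {   // publish every 30 s
    lastPublish = millis();
    char buf[16];
    snprintf(buf, sizeof(buf), "%.2f", readSensor());
    mqtt.publish("sensors/esp32-01/temperature", buf);   // placeholder topic
  }
}
```

On the VPS side this pairs with a broker that listens on 8883 with a certificate for `mqtt.example.com` and requires username/password (or client certificates), and a host firewall that allows inbound 8883 while the plaintext 1883 listener is either disabled or bound to localhost only. The pinned CA is what turns "open port 8883" into a connection the ESP32 can trust: a machine answering on that port with a different certificate is rejected before any credentials or readings are sent.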