Connect to Your MQTT Broker from the Internet: Port Forwarding MQTT

Thumbnail image of Jason Bauer
Jason Bauer
Last Updated: | Reading Time: 9 minutes

There's a lot of power locked up in your MQTT broker. You can use it to turn lights on and off. You can use it to trigger automations. What if you want to use it to do all of these things even when you are not at home.

Connecting to your MQTT broker from outside your home network is not difficult. There are a few different ways to do it, each with their own advantages and disadvantages. Let's examine connecting to your MQTT broker with a port forward vs a VPN.

Before You Expose Your MQTT Broker to the Internet

Before you open up your MQTT broker to the internet, you should make sure that it is securely locked down. The last thing you want is random people on the internet sniffing your MQTT data, and possibly taking over control of your home automations.

To lock down your MQTT broker, you need to do the following:

  • Make sure that you have a strong password on your MQTT broker. You can use the mosquitto_passwd utility to create a password file for your broker.
  • Possibly turn on TLS encryption on your MQTT broker.

A strong password is enough to keep most people out of your broker. Without knowing the MQTT password, no one will be able to connect to your broker.

You should also make sure that the allow_anonymous option is set to false in your mosquitto.conf file.

You can create multiple users and passwords for your MQTT broker. This is a good idea if you want to give access to your MQTT broker to other people.

If you want to be extra secure, you can also turn on TLS encryption on your MQTT broker. TLS encryption will encrypt all of your MQTT traffic, making it much more difficult for someone to sniff your MQTT traffic. This doesn't make it any more difficult to guess a password, but it does make it more difficult to sniff your MQTT traffic.

TLS encryption may not be available on all MQTT clients, as it takes quite a bit of computational power to encrypt and decrypt each packet.

For the vast majority of people, TLS encryption on their MQTT broker is not necessary. If you are just using your MQTT broker to control your home automations, you probably don't need to worry about TLS encryption.

Connecting to Your MQTT Broker with a Port Forward

The easiest way to connect to your MQTT broker from outside your home network is to use a port forward. A port forward is a way to forward traffic from a port on your router to a port on a computer inside your home network.

The default port for MQTT is 1883. If you are using TLS encryption, the default port is 8883.

After you set up a port forward in your router, you can connect to your MQTT broker from outside your network by connecting to your router's external IP address on the port that you forwarded.

What is a Port Forward?

A router is a device that sits between your home network and the internet. It is responsible for routing traffic between your home network and the internet. It also has a firewall that prevents traffic from the internet from reaching your home network.

If you want to conIf you want to connect to your MQTT broker from the internet, then you need to forward a port in your router.
If you want to conIf you want to connect to your MQTT broker from the internet, then you need to forward a port in your router.

Router's have 2 IP addresses: 1 internal IP address and 1 external IP address.

When you forward a port, you are creating a rule in your router that says "forward all traffic from port X on the internet (external IP) to port Y on my home network (internal IP)".

Setting Up a Port Forward

The first step to setting up a port forward in your router is logging in to your router.

You can find the IP address of your router by looking at the network settings on your computer. For home networks, routers are frequently located at 192.168.0.1 or 192.168.1.1. Of course, this will depend on your router.

You use a web browser to log in to your router. Open up your favorite web browser and type the internal IP address of your router in to the address bar. You will be prompted to log in to your router. The default username and password for most routers is admin. If you don't know your router's username and password, you can look it up on setuprouter.com.

Once you get logged in to your router, find the port forwarding section. It is usually located in the LAN section of your router. It can go by various other names, such as:

Once you find the port forwarding section, you will need to create a new port forward. You will need to specify the following:

After making these changes and applying them, you should be able to connect to your MQTT broker from the internet. A great way to test if you can connect is to use your cell phone. Turn off your cell phone's WiFi connection, and then attempt to connect to your MQTT broker using your current external IP address.

If you can connect, then your port forward is set up correctly.

Setting up Dynamic DNS

After you have forwarded a port to your MQTT broker, you need to know your current external IP address and connect to it. This is a problem, because your external IP address can change at any time. If your external IP address changes, you will not be able to connect to your broker from the internet anymore.

The solution to this problem is to use a dynamic DNS service. A dynamic DNS service will allow you to connect to your MQTT broker using a domain name, instead of an IP address. This means that you can connect to your MQTT broker using a domain name, even if your external IP address changes.

There is a free Dynamic DNS service called Duck DNS. You can sign up for a free account, and then set up a dynamic DNS domain name for your MQTT broker.

You have to run some sort of software on your home network to update your dynamic DNS domain name every once in a while. Duck DNS has a free client that you can use to update your domain name. Or, you can run one of the many free Docker containers that will update your domain name for you.

With a port forward and dynamic DNS set up, you can connect to your MQTT broker from anywhere, anytime.

Use a Different Port For Additional Security

There is one additional step that you should consider when setting up a port forward to your MQTT broker. Since MQTT is a common protocol, the default port (1883) is sometimes scanned by hackers. This means that your MQTT broker can be scanned for vulnerabilities. If your MQTT broker is vulnerable, it can be taken over by a hacker.

A simple way to greatly increase the security of your MQTT broker is to use a different port. You can use any port that you want, as long as it is not already in use by another service on your home network.

Let's say that you have chosen to use port 6789 for your MQTT broker. You will need to update your port forward to forward traffic from port 6789 (external) to port 1883 (internal) on your home network.

This technique, called port mapping, increases the security of your MQTT broker by making it more difficult for hackers to find your MQTT broker. It's a form of security through obscurity, and is just one layer in a multi-layered security system.

When you set up your forwarded ports this way, your internal MQTT clients still connect to port 1883 because your broker is still listening on port 1883. Your external clients connect to port 6789, which is forwarded to port 1883 on your home network.

Connecting to Your MQTT Broker with a VPN

Another way to connect to your MQTT broker from outside your home network is to use a VPN. A VPN is a virtual private network that allows you to connect to your home network from anywhere in the world.

If you are the only person that is going to connect to your MQTT broker from outside your network, then perhaps using a direct VPN connection to your home network is the best option for you.

This solution is straightforward if your router supports the OpenVPN standard. If your router supports OpenVPN, then you can enable it to allow VPN clients unrestricted connections to your home network.

There are many free OpenVPN clients available for all major operating systems.

After setting up OpenVPN on your router, you can install the OpenVPN client on your phone or other devices that are outside your network. Once you connect to your home network using the OpenVPN client you can connect to your MQTT broker. If the OpenVPN connection is up, then you can connect to your MQTT broker using the same internal IP address and port that you use when you are on your home network.

You can have other people connect to your OpenVPN connection this way, but be aware that you are giving them access to your entire home network. This is only a good option for immediate family members or trusted friends.

Keep Your MQTT Broker Secure

No matter which method you choose to connect to your MQTT broker, as soon as you expose it to the internet, you are opening yourself up to security risks. Do not forget to take the steps above to secure your MQTT broker.

At the very least, you need to require password authentication on your MQTT broker and disable anonymous users. You can also use TLS encryption to encrypt all traffic between your MQTT broker and your clients, if your traffic is highly sensitive. If you forward a port to your MQTT broker, consider using a different port to increase the security of your MQTT broker.

With a little effort, you can connect to your MQTT broker from anywhere in the world. You can use your MQTT broker to control your home automation devices and monitor your sensor data, even when you are away from home.

More from Efundies