Mosquitto MQTT Broker on Raspberry Pi

This is a guide for a secure installation of the Mosquitto MQTT broker on a Raspberry Pi 4 running Ubuntu Server 21.10.
This guide is written for installation on a Raspberry Pi; however, the setup would be nearly identical on a VPS.

Mosquitto is an open source MQTT message broker. The MQTT protocol provides a lightweight method of carrying out messaging using a publish/subscribe model. This makes it suitable for Internet of Things messaging such as with low power sensors.

Table of Contents

    1. Install Ubuntu Server 21.10.

    See this guide for a secure basic installation of Ubuntu 21.10.

    2. Install Mosquitto broker and clients

    The installation assumes the user has root access.

    1. Switch to root environment
      sudo -i
    2. Add the Mosquitto PPA and update Ubuntu’s package list
      apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
      apt-get update
    3. Install broker and clients
      apt-get install mosquitto mosquitto-clients

    3. Configure MQTT Passwords

    Configure Mosquitto to require passwords instead of allowing anonymous login.
    Reference: https://mosquitto.org/man/mosquitto_passwd-1.html

    The following example will create two accounts. Make sure to use your own unique usernames and passwords.

    • Friends User:
      • User: friends
      • Password: friends_password
    • MQTT Explorer User
      • User: mqtt_explorer
      • Password: mqtt_explorer_password
    1. Create the password file with the initial user account. Replace friends with your username.
      mosquitto_passwd -c /etc/mosquitto/passwd friends
    2. Open a new configuration file for Mosquitto and tell it to use this password file, so that every connection must log in
      nano /etc/mosquitto/conf.d/default.conf
      Paste in the following and then close the file
      allow_anonymous false
      password_file /etc/mosquitto/passwd
    3. Create a user account for the MQTT Explorer tool (use your own password)
      mosquitto_passwd -b /etc/mosquitto/passwd mqtt_explorer mqtt_explorer_password

    Note: Use the following command to add additional user accounts (replace user and password with your own values)
    mosquitto_passwd -b /etc/mosquitto/passwd user password

    4. Configure listener

    1. Open configuration file
      nano /etc/mosquitto/conf.d/default.conf
    2. Paste this line at the bottom of the file to configure the port and then close the file
      listener 1883
    3. Open the MQTT port on the firewall
      ufw allow 1883
    4. Restart Mosquitto
      service mosquitto stop
      service mosquitto start
    5. Check that the service started
      service mosquitto status

    5. Configure ACL (access control list)

    If you do not configure an access control list, all authenticated users will have full read/write access to all topics.
    Reference: https://medium.com/jungletronics/mosquitto-acls-ac062aea3f9
    Reference: https://www.chirpstack.io/project/guides/mqtt-authentication/

    1. Open Mosquitto configuration file
      nano /etc/mosquitto/conf.d/default.conf
    2. Add the following to the file and close it.
      acl_file /etc/mosquitto/acls
    3. Create and open access control list file
      nano /etc/mosquitto/acls
    4. Modify the following example to configure the desired access control for each user.
      # give all users read access to the $SYS topics
      pattern read $SYS/#

      # give friends read/write access to the friendstopic topic (no access word means readwrite)
      user friends
      topic friendstopic/#

      # give mqtt_explorer read access to all topics
      user mqtt_explorer
      topic read #
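To sanity-check an ACL file before restarting the broker, the following is an added Python checker (not part of this guide or of Mosquitto itself) that parses acl_file syntax and evaluates read/write access the way Mosquitto does per message, including the rule that a wildcard-led filter such as "topic read #" never covers $SYS topics, which is why the pattern line above is needed. It models read/write/readwrite rules and %u/%c pattern substitution; deny rules are rejected as unsupported, and the embedded ACL text is a constructed copy of the example above.

```python
"""Offline checker for Mosquitto acl_file rules (added example, not part of the guide)."""
ACCESS_WORDS = ("read", "write", "readwrite")

def topic_matches(sub: str, topic: str) -> bool:
    """MQTT + / # filter matching as Mosquitto applies it to ACL topics."""
    if topic.startswith("$") and sub[:1] in ("+", "#"):
        return False  # a wildcard-led filter never matches $-prefixed topics such as $SYS/...
    s_parts, t_parts = sub.split("/"), topic.split("/")
    for i, part in enumerate(s_parts):
        if part == "#":
            return True  # matches this level and everything below it, including nothing
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(s_parts) == len(t_parts)

def parse_acl(text: str) -> dict:
    """Parse acl_file syntax into anonymous ('general'), per-user and 'pattern' rule lists.
    Rules are (access, topic); a missing access word means readwrite, as in Mosquitto."""
    rules = {"general": [], "pattern": [], "users": {}}
    current = rules["general"]  # topic lines before any 'user' line apply to anonymous clients
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):  # whole-line comments only; '#' is a wildcard
            continue
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "user":
            current = rules["users"].setdefault(rest, [])
            continue
        if keyword not in ("topic", "pattern") or not rest:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        fields = rest.split(None, 1)
        if len(fields) == 2 and fields[0] in ACCESS_WORDS:
            access, topic = fields
        elif fields[0] == "deny":
            raise ValueError("deny rules are not modelled by this checker")
        else:
            access, topic = "readwrite", rest
        (rules["pattern"] if keyword == "pattern" else current).append((access, topic))
    return rules

def allowed(rules: dict, username, topic: str, access: str, client_id: str = "cid") -> bool:
    """True if `username` (None = anonymous) may `access` ('read' or 'write') `topic`; models the
    per-message check on publish (write) and delivery (read). Pattern rules apply to everyone."""
    own = rules["users"].get(username, []) if username else rules["general"]
    subst = {"%u": username or "", "%c": client_id}
    patterns = [(a, "/".join(subst.get(l, l) for l in f.split("/"))) for a, f in rules["pattern"]]
    return any(a in (access, "readwrite") and topic_matches(f, topic) for a, f in own + patterns)

# Constructed copy of the guide's ACL example.
GUIDE_ACL = "pattern read $SYS/#\nuser friends\ntopic friendstopic/#\nuser mqtt_explorer\ntopic read #\n"
```

Drop the pattern line from GUIDE_ACL and mqtt_explorer loses read access to $SYS/broker/uptime even though it holds "topic read #".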

    6. Reboot and check that the broker is running

    reboot now

    SSH in with your user account and check the service status
    sudo service mosquitto status