Mosquitto MQTT Broker on Ubuntu VPS or Raspberry Pi

This guide shows how to install the open-source Mosquitto MQTT broker on Ubuntu 20.x.
Basic configuration for password-protected MQTT access and account-level access to specific topics is also provided.

    1. Install Mosquitto broker and clients

    The installation assumes the user has root access.

    1. Update Ubuntu’s package list
      sudo apt-get update
    2. Install broker and clients
      sudo apt-get install mosquitto mosquitto-clients

    NOTE: Version 1.4.15 is the newest version available in the Ubuntu repositories.
    The following should work to get new versions; however, I have not yet verified this.

    • sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
    • sudo apt-get update

    2. Configure MQTT Passwords

    Configure Mosquitto to use passwords instead of anonymous login.

    1. Create the password file with an initial user account
      sudo mosquitto_passwd -c /etc/mosquitto/passwd sammy
    2. Open up a new configuration file for Mosquitto and tell it to use this password file to require logins for all connections
      sudo nano /etc/mosquitto/conf.d/default.conf
    3. Paste in the following
      allow_anonymous false
      password_file /etc/mosquitto/passwd
    4. Restart Mosquitto and test our changes.
      sudo service mosquitto stop
      sudo service mosquitto start
    5. Open default MQTT port on firewall
      sudo ufw allow 1883
    6. Enable Firewall
      sudo ufw enable

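    Use the following to add additional user accounts. The -b option takes the password on the command line, where it is visible in shell history and the process list; omit -b to be prompted for it instead.
    sudo mosquitto_passwd -b /etc/mosquitto/passwd user password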

    2. Configure ACL (access control list)

    If you do not configure access control then all users will have full read/write access to all topics. More details can be found here.

    1. Open Mosquitto configuration file
      • sudo nano /etc/mosquitto/conf.d/default.conf
    2. Add the following to the file
      • acl_file /etc/mosquitto/acls
    3. Create the access control list file
      • sudo nano /etc/mosquitto/acls
    4. Add the desired access for each user

    3. Reboot


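    Example contents of /etc/mosquitto/acls:

    # Give all users read access to $SYS.
    pattern read $SYS/#
    # Give event_emitter access to the bind topic tree. No access type is given,
    # so this grants read and write; "topic write bind/#" would be write-only.
    user event_emitter
    topic bind/#
    # Give mqtt_explorer read access to all topics.
    user mqtt_explorer
    topic read #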
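
The following added example (not part of the original guide and not Mosquitto's own code) is a simplified offline model of how the ACL rules above are evaluated, useful for checking what each account can actually read or write before deploying the file. It assumes no deny rules, no %c/%u pattern substitution and no anonymous clients; the function names are hypothetical.

```python
# Added example: simplified offline model of a Mosquitto ACL file (not Mosquitto's code).
# Assumptions: no "deny" rules, no %c/%u pattern substitution, no anonymous clients.
# ACL_TEXT is constructed sample input mirroring the rules in this guide.
ACL_TEXT = """\
pattern read $SYS/#
user event_emitter
topic bind/#
user mqtt_explorer
topic read #
"""

def topic_matches(filt, topic):
    """MQTT filter match: '+' is one level, '#' the rest; wildcards never match '$' topics."""
    if filt.startswith("$") != topic.startswith("$"):
        return False
    f, t = filt.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or part not in ("+", t[i]):
            return False
    return len(f) == len(t)

def parse_acl(text):
    """Return (user, access, filter) rules; user "*" marks a pattern rule for all users."""
    rules, user = [], None
    for line in text.splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "user":
            user = rest.strip()
        if kind not in ("topic", "pattern"):
            continue  # comments, blank lines, user lines
        first, _, tail = rest.strip().partition(" ")
        if first in ("read", "write", "readwrite"):
            access, filt = first, tail.strip()
        else:
            access, filt = "readwrite", rest.strip()  # no access type means read/write
        if kind == "pattern":
            rules.append(("*", access, filt))
        elif user is not None:  # topic lines before any user line are anonymous-only
            rules.append((user, access, filt))
    return rules

def allowed(rules, user, action, topic):
    """action: 'read' (receive) or 'write' (publish) on a concrete topic."""
    return any(who in ("*", user) and access in (action, "readwrite")
               and topic_matches(filt, topic) for who, access, filt in rules)
```

With these rules, `allowed(parse_acl(ACL_TEXT), "event_emitter", "read", "bind/door")` is true as well as the write check, because the `topic bind/#` line carries no access type.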