
IP over MQTT (a kind of VPN)

PostPosted: Fri Feb 15, 2019 8:43 am
by martin_g
The idea of this project is to enable bidirectional IP connectivity where it is not available otherwise, e.g. if one node is hidden behind (several layers of) NAT. This is the case in most private networks and also in mobile IP networks. The prerequisite is that all connected nodes can reach a common MQTT broker. This allows you to "dial in" to an IoT device sitting anywhere in the internet.

On all connected clients it sets up a simple (not yet encoded) IP network where all clients connected to the same MQTT broker can communicate with each other via IP (IPv6 is not yet working). IP is tunneled via MQTT. On the nodes it creates a TUN interface, assigns an IP address, and publishes all packets to an MQTT topic mqttip/[dest IP address]. At the same time it subscribes to an MQTT topic mqttip/[own IP address]. This establishes a fully connected IP network. "Switching" is done via the pub/sub mechanism of the MQTT broker.

This is work in progress.

Find the repo at: https://github.com/martin-ger/MQTT_VPN

Re: IP over MQTT (a kind of VPN)

PostPosted: Fri Feb 15, 2019 12:05 pm
by rudy
On all connected clients it sets up a simple (not yet encoded) IP network where all clients connected to the same MQTT broker can communicate with each other via IP


Do you mean that MQTT is used to acquire the IP of the devices, and then the devices can communicate with each other via IP and not through the MQTT broker?

Re: IP over MQTT (a kind of VPN)

PostPosted: Sat Feb 16, 2019 1:50 am
by martin_g
rudy wrote: Do you mean that MQTT is used to acquire the IP of the devices, and then the devices can communicate with each other via IP and not through the MQTT broker?

It is more or less the other way round:
All devices and some backend controllers can reach a known common MQTT broker (of course via TCP). This is the usual case in an MQTT-based IoT application. However, distributed devices are often hidden in various IP subnets behind NAT routers, so you cannot reach them directly from the outside and the devices cannot communicate with each other.

With this VPN driver, IP packets are sent as the payload of MQTT packets. All connected devices will have an additional IP address in a separate IP subnet and can directly reach each other via tunneled plain IP. It acts like an additional LAN between all these devices.

Possible use cases are:
- you can reach an HTTP server on the device anywhere in the world
- distributed devices can have arbitrary IP traffic with each other
- you can log in to some kind of device management

This can be done via MQTT over TLS (not yet enabled for the ESP). And in the near future MQTT login will be used, and the IP packets as payload can be additionally authenticated and encrypted using symmetric crypto (probably libsodium). This means that you really have a secured VPN between your devices.

Of course you can implement the same flow of information directly by exchanging some kind of MQTT topics, but this VPN solution enables the re-use of all existing IP protocols, especially HTTP to the devices.
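The switching scheme described in both of martin_g's posts (publish each IPv4 packet to mqttip/[dest IP], subscribe to mqttip/[own IP], let the broker do the "switching") can be exercised without a TUN device or a real broker. The following is an added example written for this page, not code from the MQTT_VPN repo: the `Broker` class is an in-memory stand-in for the MQTT broker (exact-topic matching only), `TunnelNode` replaces the TUN interface with a `send_ip()` call and a `received` list, and the minimal IPv4 builder/parser and the node-side destination check are assumptions of this example rather than the project's behaviour.

```python
"""Simulated IP-over-MQTT switching (added example; in-memory broker, no TUN device)."""
import ipaddress
import struct
from collections import defaultdict

TOPIC_PREFIX = "mqttip/"  # topic scheme from the post: mqttip/[IP address]


def topic_for(ip):
    """Topic a packet for `ip` is published to (and the topic `ip` subscribes to)."""
    return TOPIC_PREFIX + str(ipaddress.IPv4Address(ip))


def _ip_checksum(header):
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, payload, proto=17, ttl=64):
    """Build a minimal IPv4 packet (20-byte header, no options) around `payload`."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", _ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """Validate the IPv4 header; return (src, dst, proto, payload) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent header/total length")
    if _ip_checksum(packet[:ihl]) != 0:  # a correct header sums to zero
        raise ValueError("bad header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:total_len]


class Broker:
    """Stand-in for the MQTT broker: exact-topic pub/sub, no wildcards (assumption)."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, callback):
        self._subs[topic].append(callback)

    def publish(self, topic, payload):
        """Deliver to every subscriber of `topic`; return how many got it (0 = no such node)."""
        for callback in self._subs.get(topic, []):
            callback(topic, payload)
        return len(self._subs.get(topic, []))


class TunnelNode:
    """One VPN node: what the TUN interface would hand us goes out via send_ip()."""
    def __init__(self, broker, ip):
        self.ip = str(ipaddress.IPv4Address(ip))
        self.broker = broker
        self.received = []  # packets that would be written back to the TUN device
        self.dropped = 0
        broker.subscribe(topic_for(self.ip), self._on_message)

    def send_ip(self, packet):
        """'Switch' a packet by publishing it to the topic named after its destination."""
        _, dst, _, _ = parse_ipv4(packet)
        return self.broker.publish(topic_for(dst), packet)

    def _on_message(self, topic, packet):
        # The topic alone is not trusted: any client of the broker can publish to
        # mqttip/<ip>. Drop malformed packets and packets not addressed to us.
        try:
            _, dst, _, _ = parse_ipv4(packet)
        except ValueError:
            self.dropped += 1
            return
        if dst != self.ip:
            self.dropped += 1
            return
        self.received.append(packet)


def demo():
    """Two nodes (imagine each behind its own NAT) reach each other only via the broker."""
    broker = Broker()
    node_a = TunnelNode(broker, "10.0.0.1")
    node_b = TunnelNode(broker, "10.0.0.2")
    http = build_ipv4_packet("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0\r\n\r\n", proto=6)
    delivered = node_a.send_ip(http)  # node_b is subscribed to mqttip/10.0.0.2
    lost = node_a.send_ip(build_ipv4_packet("10.0.0.1", "10.0.0.9", b"?"))  # nobody there
    # Rogue broker client: publishes on node_b's topic a packet addressed to node_a.
    broker.publish(topic_for("10.0.0.2"), build_ipv4_packet("10.0.0.1", "10.0.0.1", b"!"))
    return delivered, lost, node_a, node_b
```

In a real client the `Broker` calls would become MQTT publish/subscribe and `received` a write to the TUN file descriptor. Note what the destination check does not do: a rogue client that can reach the broker can still publish a well-formed packet with a forged source address to any mqttip/ topic, which is exactly the gap the payload authentication mentioned in the later post would close.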