Skip to content

shirou/mqtunnel

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
.ci
.ci
 
 
.github/workflows
.github/workflows
 
 
cmd/mqtunnel
cmd/mqtunnel
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
config.example.json
config.example.json
 
 
config.go
config.go
 
 
control.go
control.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
mqtt.go
mqtt.go
 
 
mqtunnel.go
mqtunnel.go
 
 
mqtunnel_test.go
mqtunnel_test.go
 
 
tcp.go
tcp.go
 
 
tcp_listener.go
tcp_listener.go
 
 
tunnel.go
tunnel.go
 
 

Repository files navigation

mqtunnel: tunnel via MQTT broker

This tool tunnels TCP Connection through the MQTT Broker.

In other words, poor-man's AWS IoT Secure tunnel.

Note: This tool is under construction. Please do not use this yet.

How to use

  1. Prepare config file with MQTT broker connection endpoint. control means a topic name which is used for sending control packet. The topics used for a tunnel will be created at the same level as this control topic. Therefore, wildcard permission of at least + for this level is required.
{
    "host": "localhost",
    "port": 1883,
    "control": "device/1/control"
}
  1. Run on remote host mqtunnel -c config.json
  2. Run on local host mqtunnel -c config.json -l 2022 -r 22 with same config.json.
    • -l : local port
    • -r : remote port
    • (optional) -C: overwrite control topic
  3. Enjoy!

Config file

We can use certs in Config file.

{
    "host": "A11222333.iot.ap-northeast-1.amazonaws.com",
    "port": 8883,
    "caCert": "certs/root-CA.crt",
    "clientCert": "certs/5a880e326f-certificate.pem.crt",
    "privateKey": "certs/5a880e326f-private.pem.key",
    "control": "device/1/control"
}

Other options

  • clientId: MQTT ClientID. If empty, random string is generated
  • username: MQTT broker username
  • password: MQTT broker password

Important Notice: Security

This tool itself has no security. If encryption is required, use ssh or similar.

Also, please note that although the topics used add random strings, they can be easily sniffed by others who are authorized to read wildcards.

Architecture

Example: Local port = 2022, Remote port = 22,

sequenceDiagram

LocalTCP ->> LocalMQTunnel: conn read from port 2022
LocalMQTunnel ->> MQTTBroker: Publish to local port topic '/2022'
MQTTBroker ->> RemoteMQTunnel: Recieve from local port topic '/2022'
RemoteMQTunnel ->> RemoteTCP: conn write to port 22
RemoteTCP ->> RemoteMQTunnel: conn read from port 22
RemoteMQTunnel ->> MQTTBroker: Publish to local port topic '/22'
MQTTBroker ->> LocalMQTunnel: Recieve from local port topic '/22'
LocalMQTunnel ->> LocalTCP: conn write to port 2022
Loading

More internal architecture

sequenceDiagram

participant Remote
participant RemoteTCP
participant RemoteTCPConnection
participant RemoteMQTunnel

RemoteMQTunnel ->> RemoteMQTunnel: subscribe control topic
LocalMQTunnel ->> LocalMQTunnel: make a Tunnel instance which includes local/remote port pair
LocalMQTunnel ->> LocalTCP: NewTCPConnection()
LocalTCP ->> LocalTCP: start listening
Local ->> LocalTCP: connect
LocalTCP ->> LocalMQTunnel: OpenTunnel()
LocalMQTunnel ->> RemoteMQTunnel: Publish control packet
RemoteMQTunnel ->> RemoteTCPConnection: NewTCPConnection()
RemoteTCPConnection ->> RemoteTCP: connect()
RemoteTCP ->> Remote: connect()
Loading

License

  • Apache License

About

TCP tunnel via MQTT

Resources

Readme

License

Apache-2.0 license
Activity

Stars

9 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 Latest
May 8, 2023

Packages

No packages published

Languages