To support both the LoRa cards configuration over Sparkplug and ChirpStack data communication, a Mosquitto MQTT container is deployed as part of the LoRaWAN package. This container provides all the features needed for a secure edge data broker:
- Mosquitto version 2.0.11 supporting MQTT v5.0/v3.1.1/v3.1.
- DNS advertising on the local network:
service-data-broker.service.veeamesh.local
- TLS encryption
- 3 port endpoints for different connection configurations:
- port 1883: at customer disposal
- port 1884: at customer disposal
- port 1885: used by the VeeaHubs service to connect using a secure authentication method
- A FileBrowser webservice to enable configuration changes to mosquitto.conf
The FileBrowser credentials are defined at package deployment.
However, if you upgrade the LoRaWAN package from v2 to v3, the credentials will be the default: admin/admin
You can still change them afterward in the FileBrowser Settings page.
Accessing the configuration file
Those templates can be added to the LoRaWan package through its FileBrowser interface.
1. From the Veea Control Center, open the FileBrowser UI.
2. This interface allows you to access 2 files:
- mosquitto.conf for configuration changes
- veea-root.pem: a Veea certificate (CA file) required by all MQTT clients connecting through the Veea TLS encryption
3. Any change to mosquitto.conf automatically triggers a restart of the mosquitto daemon so that the change takes effect.
MQTT example: enable an insecure endpoint for development purposes
If you want to spy on the MQTT messages to see, for instance, ChirpStack device data, you can temporarily enable an insecure endpoint to connect easily from a computer. You can open endpoint 1883 with no security and allow anonymous connections.
Then, from your computer (connected to the Veea Mesh Wi-Fi AP), you can subscribe to any topic.
$ mosquitto_sub -h service-data-broker.service.veeamesh.local -p 1883 -t "application/fa13d3f6-965b-4884-b96c-c17cae86b2e4/#"
{"deduplicationId":"42827393-0e13-424e-8bb0-2005cba0698a","time":"2024-03-28T10:10:19.104739419+00:00","deviceInfo":{"tenantId":"52f14cd4-c6f1-4fbd-8f87-4025e1d49242","tenantName":"ChirpStack","applicationId":"fa13d3f6-965b-4884-b96c-c17cae86b2e4","applicationName":"test","deviceProfileId":"2b0aeea5-5558-4796-a9bf-35b0ed49cc20","deviceProfileName":"test","deviceName":"test","devEui":"24e124136d379010","deviceClassEnabled":"CLASS_A","tags":{}},"devAddr":"01c1ef29","adr":true,"dr":0,"fCnt":2063,"fPort":85,"confirmed":false,"data":"A2fIAARoUA==","object":{"temperature":20.0,"humidity":40.0},"rxInfo":[{"gatewayId":"08beacffff18dbdb","uplinkId":56344,"gwTime":"2024-03-28T10:10:19.104739419+00:00","nsTime":"2024-03-28T10:10:19.144571682+00:00","rssi":-94,"snr":7.5,"rfChain":1,"location":{},"context":"RxbI7A==","metadata":{"region_config_id":"EU868","region_common_name":"EU868"},"crcStatus":"CRC_OK"}],"txInfo":{"frequency":868100000,"modulation":{"lora":{"bandwidth":125000,"spreadingFactor":12,"codeRate":"CR_4_5"}}}}
MQTT bridge example
It’s common to bridge an edge MQTT broker to a cloud MQTT broker in order to access the data from the cloud solution. Here are the steps to achieve such a connection. Regular MQTT bridge tutorials, such as Mosquitto Bridge, are applicable.
- Cloud MQTT certificates
In a production environment, TLS encryption is necessary for security reasons. From the FileBrowser interface, you can upload your key/certificate files to the persistent memory of the MQTT container.
- Mosquitto configuration
Port 1884 will be used for the bridge configuration.
per_listener_settings true
# customer specific entry
# listener 1883
# customer specific entry
# endpoint used for bridging
listener 1884
# =========================================================
# Bridges
# =========================================================
connection <ANY-NAME-OF-BRIDGE-CONNECTION>
address <IP-ADDRESS-OF-REMOTE-BROKER>:8883
# Specifying which topics are bridged and in what fashion
topic awsiot_to_localgateway in 1
topic localgateway_to_awsiot out 1
topic both_directions both 1
# remote connection login
# (per mosquitto.conf(5), remote_password is only valid if remote_username is also supplied)
remote_clientid <CLIENT-ID-FOR-THIS-CONNECTION-ON-THE-CLOUD-MQTT>
remote_password <PASSWORD-FOR-THIS-CONNECTION-ON-THE-CLOUD-MQTT>
# any specific settings for the remote connection
cleansession false
notifications false
start_type automatic
# Bridge certificates
bridge_cafile /var/lib/veea/mqtt/conf/bridge-certs/ca.crt
bridge_insecure false
bridge_certfile /var/lib/veea/mqtt/conf/bridge-certs/server.crt
bridge_keyfile /var/lib/veea/mqtt/conf/bridge-certs/server.key
# internal service configuration
# please don't touch it!
listener 1885
protocol mqtt
tls_version tlsv1.2
tls_engine dbus
tls_keyform engine
allow_anonymous false
password_file /app/password.txt
keyfile /app/dbus-device-key.pem
cafile /tmp/certificates/authority.pem
certfile /tmp/certificates/device.pem
- After updating the configuration file, the MQTT service should automatically restart with those changes and the bridge connection should be established.
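Because the development endpoint above is meant to be temporary and the bridge relies on its certificate settings, it helps to check mosquitto.conf after each edit. The following Python check is an added example, not part of the Veea documentation: the names `parse`, `audit` and `SAMPLE_CONF`, the bridge name and the 192.0.2.10 address are constructed for illustration, and it only looks at `allow_anonymous`, `certfile` and `bridge_insecure`.

```python
# Added example: flag listeners and bridges left open after development.
SAMPLE_CONF = """\
per_listener_settings true
listener 1883
allow_anonymous true
listener 1884
connection example-bridge
address 192.0.2.10:8883
bridge_cafile /var/lib/veea/mqtt/conf/bridge-certs/ca.crt
bridge_insecure true
listener 1885
allow_anonymous false
certfile /tmp/certificates/device.pem
"""

def parse(conf_text):
    glob, listeners, bridges = {}, {}, {}
    cur_l = cur_b = None
    for raw in conf_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener" and value:
            cur_l = listeners.setdefault(value.split()[0], {})
        elif key == "connection":
            cur_b = bridges.setdefault(value, {})
        elif key.startswith("bridge_") and cur_b is not None:
            cur_b[key] = value
        elif cur_l is None or (key == "allow_anonymous"
                               and glob.get("per_listener_settings") != "true"):
            glob[key] = value  # global, or auth option shared by all listeners
        else:
            cur_l[key] = value
    return glob, listeners, bridges

def audit(conf_text):
    glob, listeners, bridges = parse(conf_text)
    findings = []
    for port, opts in listeners.items():
        # Mosquitto 2.x rejects anonymous clients unless this is set to true.
        if opts.get("allow_anonymous", glob.get("allow_anonymous")) == "true":
            findings.append((f"listener {port}", "anonymous clients allowed"))
        if "certfile" not in opts:
            findings.append((f"listener {port}", "no certfile: no certificate-based TLS"))
    for name, opts in bridges.items():
        if opts.get("bridge_insecure") == "true":
            findings.append((f"bridge {name}", "bridge_insecure true: hostname check off"))
    return findings
```

To audit the real file, pass the text of the mosquitto.conf downloaded from FileBrowser to `audit()`; a finding for listener 1883 after development is finished means the anonymous endpoint is still open.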