Thoughts about routing the domain to the MQTT server IP address

[microraptor]

EDIT: It turns out it is possible to just set the local private IP address directly in the field Server domain name/IP of the Growatt device on the ShinePhone app instead of having to use a domain name. See the discussion below in the comments. I incorrectly assumed that wasn't possible. Therefore, most of this post is completely unnecessary and the three options I explain below, for routing the domain to the MQTT server IP address, are useless for setting up GroBro, since the IP address can just be used directly, as far as I know (now).

I will leave this post for informational purposes and if it should happen that a device or firmware comes along in the future, which checks that the MQTT broker address and certificate domain match.

The section about the certificate at the end is still useful though, because a valid TLS certificate is required for running GroBro, even if it doesn't matter what domain it is for and what IP that domain resolves to.

---

A main complication of this project seems to be, that the Growatt device has to address the MQTT server (the setting "Server domain name/IP" in the ShinePhone app) with a proper domain like example.duckdns.org and cannot just use the private IP address like 192.168.1.111. The reason for this is the Growatt devices properly checking the certificates of the TLS connection as explained in the readme. Edit: Turns out that this is not true!

As far as I can think of there are three solutions to route the domain to the MQTT server IP address:

1. Resolve the domain via public DNS to the external public IP address of the home network
2. Resolve the domain via a local DNS server to the local private IP address of the MQTT server
3. Resolve the domain via public DNS to the local private IP address of the MQTT server

All these solutions require, that the device the MQTT broker is running on has a permanent local IP address configured in your router and that the certificate of the domain is renewed regularly (I talk more about automatic certificate renewal in the last section).

Let me preface this by saying that I am in no means an expert and this should be taken with a grain of salt, especially the parts about security.

1. Resolve the domain via public DNS to the external public IP address of the home network

This involves using a DynDNS service, running a DynDNS client on the router or another device (unless the ISP already provides a domain adress) and then setting up port forwarding in the firewall settings of the router for the TLS port of the MQTT broker. The TLS port is then exposed to the internet and can be accessed externally.

However, it is important that people know what they doing, since making a mistake and forwarding the wrong ports to the internet might be a huge security issue. When exposing ports to the internet, it would be also best practice is to have some kind of security software running like CrowdSec to limit the login attemps, which further complicates this setup.

If you have already configured most of the stuff mentioned above anyways (you are accessing sevices from your home network already externally), this solution is very easy, because only the TLS MQTT port forward has to be added. However, there are some security considerations about exposing this port.

I think it would be more secure to use an arbitrarily chosen port number instead of default ones like 1883, 8883, 9001 or 7006. For Growatt the login credentials don't seem to be very secure (username is the serial number and the password is "Growatt"). A mistake you also have to be careful with is configuring another user with a very weak password in the MQTT broker, which is meant for use only by home devices, and not realizing this user can also be used login into the MQTT broker through the internet, unless the Mosquitto option per_listener_settings is enabled. The Home Assistant MQTT add-on actually accepts all user logins, which are configured in Home Assistant. So with the default configuration all Home Assistant users have to have strong passwords, if you want to safely forward the TLS port of the MQTT add-on.

Having said that, I don't think an intruder gaining access to the MQTT broker can actually do any harm in most cases, but it might open the door to other exploits to gain further access to the private network.

2. Resolve the domain via a local DNS server to the local private IP address of the MQTT server

This requires to have some custom configuration on a local DNS server, which runs either on your router or another device on the network. This is mentioned in the readme instructions at step 5.

This is completely secure, because everything stays within the local network. No port forwarding and no DynDNS is required. However, the certificate still has to be renewed somehow.

This is a rather easy and convenient way, if you are already running a DNS server, where manual DNS routing entries can be configured like Pi-Hole, AdGuard Home or you have advanced options on your router. Unfortunately, most ISP provided routers don't have these options and often don't even allow changing the DNS server address, so you can reroute DNS requests to a DNS server on your local network. In this case it would be necessary to upgrade the router, because there doesn't seem to be a way to set a custom DNS address in the Growatt devices.

3. Resolve the domain via public DNS to the local private IP address of the MQTT server

I haven't seen this being discussed here and I can't test this yet, but I think this should also be possible as a third option: Setting the domain record publicly to the private local IP address of the MQTT server.

The advantage is that no port forwarding, no DynDNS and no local DNS server with custom config is required. However, the certificate still has to be renewed somehow.

There are some minor security considerations about this, because you are publicly exposing what local private IP address your device has, as far as I understand it. However, this should be an insignificant concern. Here is a discussion about this.

As an example, this can be achieved by registering a new subdomain at Duck DNS and the just manually entering the local private IP address of the MQTT server (192.168..., 172..., or 10...) in the IPv4 field of the subdomain on the Duck DNS website. Because the IP address stays constant, don't run any kind of DynDNS client for this domain.

Automatic renewal of a certificate without running a web server

If you are running already a web server or are self hosting stuff with external access, you can just use the same certificate your reverse proxy or web hoster provides, if you have easy access to the private key.

The TLS certificate of your domain has to be renewed regularly (typically every 2 months). In order to automatically renew the certificate without exposing a port 80 to the internet or running a webserver elsewhere, it is required to run a ACME client configured to use a DNS challenge (on any device anywhere with internet). A list of compatible DNS host providers and ACME clients can be found here. For example here is the config to use the acme.sh client with DuckDNS.

If you are running Home Assistant OS, the Duck DNS addon is an easy way to get a certificate which is automatically renewed. This addon uses a DNS challenge and does not require forwarding/exposing ports.

I believe after the certificate is renewed, it is necessary to concatenate a full-chain certificate again, as it is outlined in the guide here. The MQTT broker also has to be told to reload the certificate.

As an example, I described how to get a certificate and update it using a DNS challenge, Duck DNS and the acme.sh docker container in this post here.

[robertzaage]

Hi, thanks for your write up. I think private IP in public DNS with ACME DNS-challenge could be a really good thing for minimal setups. Would you validate if this works out?

[vinyli85]

if the Growatt device connects to the TLS port of the MQTT broker without issues.

If I got you right then this works (for me at least).

I have following setup:

• DuckDNS-Addon in HA for my *.duckdns.org domain to get the certificates
• MQTT-Addon in HA
• GroBro-Addon HA which connects to MQTT

I set my local IP-Adress of my HA-Instance via the ShinePhone-App. Everything connects to each other and I receive all my data from my inverter. I blocked the internet access of the inverter in my router, so no communication to Growatt servers on my side. Everything works as expected, no issues so far.

[microraptor]

I set my local IP-Adress of my HA-Instance via the ShinePhone-App.

If I understand this correctly, you actually just avoided the problem all together and did something I assumed wasn't possible and the current configuration guide of this repo implies isn't possible. Setting the local private IP directly on the Growatt device makes what we discussed above (private IP in public DNS), completely unnecessary and frankly makes the whole big initial post unnecessary 😅️

@vinyli85 @criticallimit Just for clarification, can you please confirm that on step 4 of the configuration in the field Server domain name/IP on the ShinePhone app you did not use the domain name (*.duckdns.org), but instead set the local private IP address directly (192.168.x.x, 172.x.x.x, or 10.x.x.x)? Can you please also confirm that the domain name (*.duckdns.org) was not specified anywhere outside of the Duck DNS HA addon. So it is not used in a setting on the Growatt device, except perhaps only used as a file name for the certificates on the MQTT broker.

This would mean that the Growatt device does not check the domain of the TLS certificate, which it receives from the MQTT broker when starting the TLS connection. Apparently, it only matters that it is a valid TLS certificate and not what domain it is for and what IP that domain resolves to. Edit: I previously wrote some complete nonsense here without much thinking. Obviously the MQTT broker still requires the private key to the certificate.

There is the possibility of the Growatt device using the MQTT IP address to start the connection, where it receives the certificate and then continues the connection through the domain of the certificate. However, if the Growatt device is blocked from the internet access as mentioned, that should not be possible, especially if the domain resolves to a public IP address and no ports were forwarded.

[vinyli85]

Just for clarification, can you please confirm that on step 4 of the configuration in the field Server domain name/IP on the ShinePhone app you did not use the domain name (*.duckdns.org), but instead set the local private IP address directly

This can be confirmed, exactly that's what I did.

[microraptor]

Thank you letting us know. I suppose, if this is possible with all devices and firmwares, everything of my initial post is useless then, except the last part about renewing certificates. I added an explanation to the beginning of that post.

[oldboys92]

@robertzaage I can confirm that this works without issues. Never the less it looks like the easiest is to just use the IP.

[criticallimit]

same here. Working with local-IP set even with cloud on. No issues

[vandecook]

Working with local IP since month.

[Saentist]

Is anyone try to mirror traffic to cloud also to local ip?

[PixelShober]

@Saentist @criticallimit do you use the Let's Encrypt Addon or how do you get the certificate?
Best regards!

[oldboys92]

I use Let's Encrypt Addon (with DNS challenge using CloudFlare provider) to get certificates:

• for my HA instance
• for my MQTT broker running as HA addon.

[criticallimit]

I'm using duckdns add-on in home assistant where the lets encrypt is included.