Prepare MQTT services & settings for VictronConnect

mpvader commented 5 years ago

Status (updated by MVA on 2020-01-29)

All changes in naming of feature on/off switching in Venus OS, as well as what services they enable and disable, and ports that they open and close, are completed, and implemented per v2.40. Also that completes everything when connecting to Venus OS with VictronConnect over MQTT via VRM, ie. remotely.

Remaining todo list

[ ] Verify that below design works with VictronConnect and MQTT over SSL on the local LAN with self made certificate.
[ ] gui: display (self-generated) certificate fingerprint
[ ] Decide and implement password handling when connecting to MQTT on LAN
[x] fix mosquitto certification expire date, and make the expired ones to be replaced (Mans)

See also below section 3, security details and passwords, for details.

Details

0. Requirements of the change

Allow a user to enable mqtt on his local LAN, without immediately also enabling it for VRM.
Make the existing VRM Two Way communication not only enable/disable mqtt-rpc, but also dbus-mqtt (VictronConnect requires both of them). And not only that, also make it open/close that (bridge-) connection to VRM only. For local network there is a separate setting:
Split enabling MQTT on LAN in two: have one setting open it up on the plain text variants: port 1883, used by some tinkerers and some special applications/customers. and port 9001, used for websockets by the Victron MFD HTML5 App. And a separate setting that opens it up on port 8883 (ssl), to be used in future by VictronConnect on local LAN/WiFi.

1. End result of the settings and their functionality

There will be three settings relating to MQTT:

VRM Two Way Communication - enable/disable
MQTT on LAN (ssl) - enable/disable
MQTT on LAN (plaintext) - enable/disable (can only be enabled if its secure variant is also enabled)

Functionality:

If either of them is enabled, start dbus-mqtt & mqtt-rpc & mosquitto. So technically all is available.

And then open/close ports using iptables and enable/disable the bridge configs to our cloud brokers to control the individual features:

The VRM Two Way Communication setting controls both the bridge configs in mosquitto; put them in place when enabled, and other remove/disable those bridges to our cloud mqtt servers.
If on MQTT on LAN (ssl) is enabled: open the inbound port (8883)
MQTT on LAN (plaintext) controls iptables inbound port 1883, and the websockets port. This setting is for people that use MQTT themselves, ie. the tinkerers.

2. Migration:

To not break any existing systems:

If the current Services -> MQTT setting is enabled then enable MQTT on LAN and MQTT on VRM; and also enable MQTT on LAN insecure, since that is how that works now and its used, for example, on certain externally managed ESS type installations.
If the current VRM Two Way Communication setting is enabled, then enable only MQTT on VRM.

3. Security and passwords

Everything via VRM, is already secured. The connection between the local broker and the VRM broker is MQTT over SSL, using a Victron root CA certificate and pre-shared token. The connection between the client and the VRM-broker is also over SSL, and uses the VRM system for authentication.

We also want to secure local connections that use MQTT. The idea is to self generate a SSL certificate and private key pair on the Venus device at boot. And every new VictronConnect install that connects to that device, locally, will ask the user once to accept the certificate, showing its hash (aka finger print). On Remote Console, the same is visible, for cautious people to go and check before they accept it. If and how its possible to that in VictronConnect, needs to be looked into.

Also there will be a password on MQTT. But then preferably make a general password; instead of adding yet another one to the list (Remote Console & WiFi Access point). One option is to re-use the WiFi password for that on the Venus GX-es; in other words, promoting that to a general access password. Note that the CCGX does not have a factory installed password. Also note that the WiFi Password is currently not changeable on the Venus GX. But, with the planned new feature to have a reset button, that is easily over come.

On the topic of passwords and such, note that there is another one coming: the bluetooth pin code.

mpvader commented 5 years ago

Implemention details for the MQTT on LAN (insecure) setting

the gui needs a new setting, Settings/System/MqttOnLanInsecure named MQTT on LAN (insecure). Implemented just like the local ssh port was done [1], but then controlling 1883 rather than port 22.
add another migration to localsettings, just like [2]. But then it needs to check status of /Settings/Services/Mqtt; and when thats enabled, also enable MqttOnLanInsecure.

[1] https://github.com/victronenergy/gui/commit/972a978374e7ab13b56bb72d28a856e9490c30ee [2] https://github.com/victronenergy/localsettings/commit/c23cbd49e4e73fddf720a9e284adbc114c4826f4

mpvader commented 5 years ago

1 - Testing migration:

only MQTT enabled -> mqtt on LAN, VRM Two Way and MQTT on LAN insecure all three enabled: PASS
only VRM Two Way enabled -> only VRM Two Way enabled: PASS
both enabled -> all three enabled: PASS

(after downgrading, remember to remove the newly made settings)

2 - Testing ip tables and bindings:

2.1 - Only MQTT on LAN enabled

Only VRM two-way enabled:

1883, 8883 and 9001 must all be disallowed.

root@beaglebone:~# iptables -nvL 
Chain INPUT (policy ACCEPT 45 packets, 9456 bytes)
 pkts bytes target     prot opt in     out     source               destination         
18053 3811K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1234  415K new-conn   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 290 packets, 135K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain new-conn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1883 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9001 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8883 reject-with icmp-port-unreachable

PASS

2.2 - Enabling MQTT on LAN

Allow 8883:

root@beaglebone:~# iptables -nvL 
Chain INPUT (policy ACCEPT 45 packets, 8360 bytes)
 pkts bytes target     prot opt in     out     source               destination         
26784 4763K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1840  596K new-conn   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 123 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain new-conn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1883 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9001 reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8883

Allows 8883: PASS.

2.3 - Enable MQTT on LAN (insecure)

oot@beaglebone:~# iptables -nvL 
Chain INPUT (policy ACCEPT 74 packets, 26998 bytes)
 pkts bytes target     prot opt in     out     source               destination         
26835 4814K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2114  684K new-conn   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29 packets, 28016 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain new-conn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8883
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1883
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9001
root@beaglebone:~#

Allows all three: PASS

2.4 - Disable all again

root@beaglebone:~# iptables -nvL 
Chain INPUT (policy ACCEPT 38 packets, 8032 bytes)
 pkts bytes target     prot opt in     out     source               destination         
26890 4899K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2158  693K new-conn   all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 95 packets, 99223 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain new-conn (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2   128 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8883 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1883 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9001 reject-with icmp-port-unreachable

PASS.

2.5 - Checking that all ports are actually closed

netcat -v 192.168.178.122 9001 -w 5 and similar: all PASS.

3 - Testing functionality

3.1 - dbus-mqtt, mosquitto & mqtt-rpc are either all running or all not running.

PASS for all switch combinations.

3.2 - mqtt-rpc works on VRM when VRM two-way communication is enabled.

PASS

3.3 - VRM two-way communication

PASS (both for enabled and disabled).

3.4 - dbus-mqtt.. ??

skipped; I don't know how to easily test this.

3.5 - Start without settings aka default settings:

svc -d /service/localsettings
rm /data/conf/settings.xml
rm -rf /data/conf/mosquitto.d
rm /data/conf/mqtt_password.txt

generation of mqtt bridge auth: PASS (triggers the vrm portal to ask for a reset which is OK)
all mqtt services default off: PASS

victronenergy / venus