In this tutorial I will explain how to track your devices through OwnTracks, and send the MQTT messages via the Mosquitto MQTT broker to Home Assistant through an Nginx reverse proxy and an SSH tunnel.

OK, that was a lot, but don't worry. It's not that hard, and I will try to explain everything in detail.

1. Install Mosquitto

Mosquitto is an open-source MQTT broker. It is more performant than the MQTT broker included in Home Assistant, which can easily be replaced by Mosquitto.

  1. In Home Assistant go to the Hass.io tab -> Add-on Store
  2. Click the Mosquitto broker, and Install the add-on
  3. In the Config, disable anonymous by setting the flag to false
  4. Enable plain_websockets by setting the flag to true
  5. Add logins for Home Assistant, and every device you want to track

Your configuration should look like this:

{
  "plain": true,
  "plain_websockets": true,
  "ssl": false,
  "ssl_websockets": false,
  "anonymous": false,
  "logins": [
    {
      "username": "Device1",
      "password": "a-strong-password"
    },
    {
      "username": "Device2",
      "password": "a-strong-password"
    },
    {
      "username": "homeassistant",
      "password": "a-strong-password"
    }
  ],
  "customize": {
    "active": false,
    "folder": "mosquitto"
  },
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

You can leave ssl and ssl_websockets set to false, as Home Assistant will not handle the SSL certificate. This will be done by Nginx in front of the SSH tunnel.

2. Configure Home Assistant to use Mosquitto

In your configuration.yaml, add these lines:

mqtt:
  broker: core-mosquitto
  username: 'homeassistant'
  password: 'a-strong-password'

This tells Home Assistant to use Mosquitto as the MQTT broker instead of the built-in broker.

Restart Home Assistant.

3. SSH Tunnel + Nginx Reverse Proxy

For this step, you should set up your SSH tunnel and Nginx reverse proxy. Please follow my earlier blog post to set up the SSH tunnel.

If you do not want to expose Home Assistant to the internet, and only want to expose your MQTT broker, do only steps 1 and 2 of the earlier blog post.

Make sure to point a new domain or subdomain to your server. I will use mqtt.home-assistant-tunnel.example.com in this example.

Add a new site file to nginx with the following configuration:

server {
  listen 80;
  server_name mqtt.home-assistant-tunnel.example.com;
  return 301 https://mqtt.home-assistant-tunnel.example.com$request_uri;
}

server {
    # Secure HTTP (HTTPS)
    listen 443 ssl;
    server_name mqtt.home-assistant-tunnel.example.com;

    # Certificate Information
    ssl_certificate /etc/letsencrypt/live/mqtt.home-assistant-tunnel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mqtt.home-assistant-tunnel.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mqtt.home-assistant-tunnel.example.com/fullchain.pem;

    include /etc/nginx/snippets/ssl.conf;
    include /etc/nginx/snippets/letsencrypt.conf;

    location / {
        proxy_pass http://localhost:44401;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Make sure to use a free port on your Nginx server and a different port than the one for Home Assistant.

The example above uses an SSL certificate provided by Let's Encrypt. To properly configure your server with Let's Encrypt, you can follow this tutorial.

Make sure to symlink your new file in the folder /etc/nginx/sites-enabled, and restart the nginx service.

4. Configure the Hass.io add-on

  1. Go back to Home Assistant, Hass.io -> Dashboard -> HASS Tunnel
  2. In the config of the add-on, add a line to remote_forwarding so that it looks like this:
{
  "hostname": "home-assistant-tunnel.example.com",
  "ssh_port": 22,
  "username": "homeassistant",
  "remote_forwarding": [
    "44400:localhost:8123",
    "44401:localhost:1884"
  ],
  "local_forwarding": [
    ""
  ],
  "other_ssh_options": "-v",
  "monitor_port": 0
}

In case you only want to expose Mosquitto, remove the line tunneling port 8123.

3. Start or Restart the add-on.
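
A consistency check over the three configs from steps 1, 3 and 4, as an added example that is not part of the original tutorial. It flags anonymous access, a password shared between logins (the sample in step 1 reuses one placeholder for every login), a forwarded Home Assistant port when only MQTT should be exposed, and a proxy_pass port that does not end at the WebSocket listener. The `audit` function, its finding strings and the sample values are constructed for illustration.

```python
import re

WS_PORT = 1884  # plain WebSocket listener, the port the page forwards
HA_PORT = 8123  # Home Assistant UI
def audit(mosquitto, tunnel, nginx_conf, expose_ha=False):
    """Return findings; an empty list means the three configs agree."""
    findings = []
    if mosquitto.get("anonymous", True):
        findings.append("mosquitto: anonymous access is enabled")
    if not mosquitto.get("plain_websockets"):
        findings.append("mosquitto: plain_websockets is off")
    passwords = [login["password"] for login in mosquitto.get("logins", [])]
    if len(set(passwords)) < len(passwords):
        findings.append("mosquitto: a password is shared between logins")

    # remote_forwarding entries are "remote_port:host:local_port"; skip empty ones
    forwards = {}
    for entry in filter(None, tunnel.get("remote_forwarding", [])):
        remote, _host, local = entry.split(":")
        forwards[int(remote)] = int(local)
    if not expose_ha and HA_PORT in forwards.values():
        findings.append("tunnel: Home Assistant port 8123 is forwarded")

    # Nginx proxies HTTP/WebSocket, so its upstream must end at the WebSocket
    # listener and not at a raw MQTT port such as 1883.
    match = re.search(r"proxy_pass\s+http://localhost:(\d+)", nginx_conf)
    proxy_port = int(match.group(1)) if match else None
    if proxy_port not in forwards:
        findings.append("nginx: proxy_pass port has no matching forward")
    elif forwards[proxy_port] != WS_PORT:
        findings.append("nginx: proxy_pass does not reach the WebSocket listener")
    if not re.search(r"listen\s+443\s+ssl", nginx_conf):
        findings.append("nginx: no TLS listener on 443")
    return findings

# Constructed sample input modelled on the page's three configs.
NGINX = """server {
    listen 443 ssl;
    location / { proxy_pass http://localhost:44401; }
}"""
GOOD_MQTT = {"anonymous": False, "plain_websockets": True, "logins": [
    {"username": "Device1", "password": "constructed-pw-1"},
    {"username": "homeassistant", "password": "constructed-pw-2"}]}
BAD_MQTT = {"anonymous": True, "plain_websockets": True, "logins": [
    {"username": "Device1", "password": "a-strong-password"},
    {"username": "homeassistant", "password": "a-strong-password"}]}
PAGE_TUNNEL = {"remote_forwarding": ["44400:localhost:8123", "44401:localhost:1884"]}
RAW_MQTT_TUNNEL = {"remote_forwarding": ["44401:localhost:1883"]}

if __name__ == "__main__":
    print("\n".join(audit(BAD_MQTT, RAW_MQTT_TUNNEL, NGINX)))
```

Pass `expose_ha=True` when forwarding port 8123 is intended, as in the full config shown in step 4.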

5. Configure OwnTracks

  1. On the devices you want to track, download the OwnTracks application.
  2. In OwnTracks go to Preferences -> Connection
  3. Set the following Host variables:
Mode: Private MQTT
Host: mqtt.home-assistant-tunnel.example.com
Port: 443
Use Websockets: true

4. Set the identification variables (use a different login per device, as set in step 1):

Authentication: true
Username: Device1
Password: a-strong-password

DeviceID and TrackerID can be anything you want.

5. Set the Security variables:

TLS: true

In your known_devices.yaml and in the device_tracker entities within Home Assistant, you should now see your different devices appearing. The status of each device will be updated automatically based on the configured zones. If a device is not within the bounds of a zone, its status will be away.