I was wondering if there is a way to configure Mosquitto to require TLS and client certificates if it is connecting to external clients and not to require TLS and client certificates for internal clients. Should I do anything with the CA (Certificate Authority) or .conf files? What would I need to do to configure it properly to accomplish this? Any help on this would be greatly appreciated.
If you want to use the same port (1883) for both internal and external then you will probably need the broker machine to have 2 network interfaces (one internal, one external) so you can bind the listeners to different IP addresses (e.g. not doing port forwarding).
If you are doing port forwarding then you will have to use different ports for internal/external.
Assuming 2 interfaces:
# internal listener: plain MQTT, bound only to the LAN interface
port 1883
bind_address <internal-ip>
# external listener: the directive syntax is "listener <port> [<bind address>]"
listener 1883 <external-ip>
cafile /path/to/ca/cert
keyfile /path/to/key
certfile /path/to/cert
# external clients must present a certificate signed by the CA in cafile
require_certificate true
This should allow anonymous non-SSL connections internally and SSL + client certificates from outside.
If you are doing port forwarding, remove the external IP address and change the port number it listens on; you can still forward 1883 from the router.
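As an added check that is not part of the answer above, the following Python lint parses a mosquitto.conf laid out the same way (a plaintext default listener plus a TLS listener) and reports any listener reachable from outside the trusted range that lacks the TLS files or require_certificate. The sample config, the 10.0.0.0/8 internal range, the addresses and the file paths are constructed placeholders; bind addresses are assumed to be IP literals.

```python
import ipaddress

# Constructed sample mirroring the answer's layout; paths and addresses are placeholders.
SAMPLE_CONF = """\
port 1883
bind_address 10.0.0.5
listener 1883 203.0.113.7
cafile /etc/mosquitto/ca.crt
keyfile /etc/mosquitto/broker.key
certfile /etc/mosquitto/broker.crt
require_certificate true
"""
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed: the trusted LAN side
TLS_KEYS = ("cafile", "certfile", "keyfile")

def parse_listeners(conf_text):
    """One dict per listener; Mosquitto scopes options to the most recent 'listener'
    line, and options before any such line belong to the port/bind_address default."""
    default = {"port": None, "bind": None}
    listeners, current = [], default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener":  # listener <port> [<bind address>]
            parts = value.split()
            current = {"port": int(parts[0]), "bind": parts[1] if len(parts) > 1 else None}
            listeners.append(current)
        elif key == "port":
            default["port"] = int(value)
        elif key == "bind_address":
            default["bind"] = value
        else:
            current[key] = value
    return ([default] if default["port"] is not None else []) + listeners

def lint(conf_text):
    """Findings for externally reachable listeners lacking TLS files or require_certificate."""
    findings = []
    for lst in parse_listeners(conf_text):
        bind = lst["bind"]  # None means every interface, so it counts as externally reachable
        if bind and any(ipaddress.ip_address(bind) in n for n in INTERNAL_NETS):
            continue  # the internal side may stay plaintext, as the answer intends
        missing = [k for k in TLS_KEYS if k not in lst]
        if lst.get("require_certificate") != "true":
            missing.append("require_certificate true")
        if missing:
            findings.append(f"listener {lst['port']} on {bind or '*'}: missing {', '.join(missing)}")
    return findings
```

An empty result from lint() means every listener outside the internal range carries both the TLS material and the mandatory client-certificate setting.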