Can I use any other port than the default for MQTT with TLS-authentication?

Question

I have set up a mosquitto-broker on my raspberry pi which I have running on my local network. I've tested this locally using the paho-mqtt package in python which is working, however I want to access this broker remotely (outside my local network).

From what I understand, the safest way to do this is to use TLS-authentication and configure mosquitto to listen on port 8883, rather than opening the un-encrypted 1883 port, where login credentials can be sniffed. This is where my problems start, as I suspect my ISP doesn't allow forwarding port 8883 to the (static) IP-address of my RPi. (Port wont open no matter what I try, and I've tried googling this specific issue.)

So my question is: Is it possible to use another port than the default 1883 or 8883 (which my ISP hopefully allows to be opened) for accessing my locally hosted mosquitto-broker? For example one of the higher-valued ports, which I understand is not reserved for anything. I'm imagining connecting to the broker by using my external IP-address with this port (xxx.xxx.xxx.xxx:yyyyy) and either tunneling this data to the 8883-port on the local network, or configuring mosquitto to listen on the selected port. Any tips on how I can solve this issue?

EDIT

Thanks for your answers! I just got off the phone with my ISP, and unfortunately they don't allow opening ANY ports because I live in a university dorm, so opening a different port won't work either. I guess using a cloud broker is the only option.

Answer 1

You can use any ports you want (or that your operating system will permit). MQTT uses certain ports by convention but is not restricted to using those ports. You're even welcome to encrypt on port 1883 if you want.

You'll need to do four things:

1. write the listener configuration directive correctly to use the port you want to use and make sure that you're listening on 0.0.0.0 in order to listen on all network interfaces, or the IP address of a specific network interface to listen on.
2. correctly configure encryption after the listener directive
3. ensure that the port you chose is accessible through any firewall your server may be running
4. properly configure any clients to use the port you configured and work with the encryption you configured

If you want to make it accessible over the Internet you'll need to open a port on your router as well.

If you do make it accessible over the Internet, please require authentication. Encryption won't stop strangers from connecting to your broker, it will just stop eavesdropping on them. Turn off allow_anonymous and set up some Mosquitto accounts.