Hey everyone!
I am working with my team to get a new ChirpStack instance spun up and we are trying to decide the best way to move forward with our new instance before we begin to migrate anything from our existing v3 instance. One topic that always comes up and one we would like to address is the security of our data transmissions. We would like to encrypt the communication between the gateway and ChirpStack. We were not doing this in our v3 instance (just using the Semtech UDP Packet Forwarder) and we feel it is time to increase our levels of security.
This being said, after I dug into it today, I was thinking about setting up our gateways (RAK7268s) with the Basics Station configuration and using TLS authentication, but we are confused about just how to have this properly set up to ensure we can manage our fleet of gateways as it grows. One hurdle we have encountered is ensuring the gateways receive new certificates or stay up to date, etc. as certificates expire. Manually putting new certs on the gateways is labour-intensive, and sometimes not possible depending on our clients’ network security setup. I have done some reading about CUPS servers but don’t fully understand how this would be done in a practical sense.
Long story short, has anyone done this kind of setup before, or does anyone have any tips or recommendations on how to set it up? I haven’t seen a lot online for getting this set up with ChirpStack, whereas there seems to be a bit more for TTN.
Any help is appreciated!