Now that my setup is running, a few words about securing the whole thing.
The FHEM web GUI was already set up with SSL/HTTPS, but the MQTT server is listening on all IP addresses.
The easiest way to secure this is to change the listener to localhost, so that no connections can be made from outside. Just change the definition in /opt/fhem/fhem.cfg:
define MQTT2_FHEM_Server MQTT2_SERVER 1883 127.0.0.1
A checklist to confirm that everything is secured:
- WebGUI: shown here
- MQTT: see above
- add permit_join: false to configuration.yaml
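
To confirm the MQTT item on the checklist, the listening sockets can be checked for port 1883 bound to anything other than loopback. This is an added example, not part of the original post; it assumes a Linux host with `ss` from iproute2, and the function names and sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are assumptions, not from the post.

# Reads `ss -ltn` output on stdin and prints each non-loopback local
# address that has a TCP listener on the given port.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port column
            n = split(la, parts, ":")
            if (parts[n] != port) next
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)                    # drop interface suffix, e.g. %lo
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# Returns 0 when the port has no listener outside loopback, 1 otherwise.
# A port with no listener at all also passes.
mqtt_is_local_only() {
    port="${1:-1883}"
    exposed=$(exposed_listeners "$port" | tr '\n' ' ')
    if [ -n "$exposed" ]; then
        echo "port $port reachable on: $exposed" >&2
        return 1
    fi
    echo "port $port: loopback only"
}

# Constructed samples of `ss -ltn` lines (not captured from a real host).
# Before: MQTT on all interfaces. After: bound to 127.0.0.1 as in fhem.cfg.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:1883 0.0.0.0:*
LISTEN 0 128 [::]:1883 [::]:*
LISTEN 0 128 0.0.0.0:8083 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 128 127.0.0.1:1883 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8083 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | mqtt_is_local_only 1883 || true
printf '%s\n' "$SAMPLE_AFTER" | mqtt_is_local_only 1883
```

On the FHEM host, feed it live data with `ss -ltn | mqtt_is_local_only 1883` once the changed definition is active.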