IRC over Tor hidden services: client/server tutorial

Last Thursday I set up access to one of the Telecomix chat servers via Tor hidden services. Since I tend to forget stuff very easily, I'll just scribble down here how I did it.

The server on which I run one of several IRC servers is called solarworks and is shown in the picture above. It is an old SPARC machine, which means that the version of the Tor software is a bit outdated.

Anyway, Tor is in the standard repositories of Debian Linux, so just do an apt-get install tor tor-geoipdb and it is up and running. On other distributions and operating systems, installation is almost as easy. See Tor Project.

Then you want to create a hidden service inside the Tor darknet and make it point to the IRC servers. As root, edit the /etc/tor/torrc file. Under the section for location-hidden services, add:

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 6667 127.0.0.1:6667

What you did here was to specify the directory (the default one) where the private encryption keys go, and then tell the tunnel to forward port 6667 (the IRC default) to port 6667 on your local machine (where my IRC server is listening). Traffic to a hidden service never leaves the encrypted network, so you don't actually need SSL. But it works fine with an SSL-enabled port as well (double encryption is double fun).

Then save the file, restart Tor with /etc/init.d/tor restart, go to /var/lib/tor/hidden_service and run cat on the file hostname.

root@solarworks:/var/lib/tor/hidden_service# cat hostname

~~hsctwsqfsl7ejbh7.onion~~* weoq7a4exzcyaasj.onion

There you have the .onion address for the tunnel! Now other Tor users can go straight to my IRC server without ever leaving the darknet (and thus without exposing themselves to an exit node on the vanilla internet). It works similarly to the "local destinations" in the i2p darknet, which of course Telecomix also supports.
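The "never leaves the encrypted network" property above holds only while the HiddenServicePort target is on loopback, because the last hop from the Tor daemon to the IRC server is plain TCP. The following check is an added example, not part of the original post: it lists every HiddenServiceDir/HiddenServicePort pair in a torrc and flags non-loopback targets. The function names audit_torrc and sample_torrc, the sample config and the second service directory are constructed for illustration.

```shell
#!/bin/sh
# audit_torrc [FILE]: report each hidden service port mapping in a torrc
# (or on stdin) and flag targets that are not local to the Tor host.
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_torrc() {
    awk '
    { sub(/#.*/, ""); opt = tolower($1) }   # drop comments; option names are case-insensitive
    opt == "hiddenservicedir" { dir = $2; next }
    opt == "hiddenserviceport" {
        if (dir == "") {
            printf "ERROR line %d: HiddenServicePort without HiddenServiceDir\n", NR
            bad = 1; next
        }
        virt = $2
        target = (NF >= 3) ? $3 : virt      # no target given: Tor uses 127.0.0.1:VIRTPORT
        if (target ~ /^[0-9]+$/) target = "127.0.0.1:" target
        if (target ~ /^(127\.[0-9.]+|\[::1\]):[0-9]+$/ || target ~ /^unix:/) {
            status = "OK"
        } else {
            status = "WARN non-loopback target"; bad = 1
        }
        printf "%s %s %s -> %s\n", status, dir, virt, target
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the mapping from this post, an SSL port with the
# default target, and a hypothetical second service that forwards to
# another host on the LAN (that hop would travel unencrypted).
sample_torrc() {
    cat <<'EOF'
# constructed sample torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 6697
HiddenServiceDir /var/lib/tor/other_service/
HiddenServicePort 6667 192.168.1.10:6667
EOF
}

sample_torrc | audit_torrc || echo "review the WARN/ERROR lines above"
```

Run it against the real file with audit_torrc /etc/tor/torrc; a WARN line marks a service that should either use SSL to its target or be moved to loopback.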

Client configuration

As a client, you will also need to create a "client tunnel". This is equally easy. On the client machine, edit /etc/tor/torrc and under location-hidden services add something like:

mapaddress 10.40.40.42 weoq7a4exzcyaasj.onion

This instructs the client machine to connect to the .onion destination via an arbitrarily chosen IP address (choosing 10.40.40.42 is a good way of avoiding conflicts with home routers, which usually use the 192.168.x.x series).

Restart Tor, and then you are done. Just torify your IRC client of choice, for example torify irssi or torify pidgin, and have it connect to an IRC server on 10.40.40.42 on port 6667, and you will end up on the solarworks machine of the Telecomix network. Once in a channel, you will appear to be coming from localhost, since the tunnel leads from your machine to my machine. Encrypted all the way, and made anonymous through the onion routing of Tor.

Pretty smooth, I would say!

Footnote: Since the time of publication of this post I moved everything to a new server and thus had to create a new hidden service (I'm sure you can export the keys if necessary though). This is why the .onion address has been updated to weoq7a4exzcyaasj.onion (with SSL on 6697). See chat.telecomix.org for a list of servers in the TCX network.