[tor-talk] irc clients and Tor

Jacob Appelbaum jacob at appelbaum.net
Thu Feb 9 11:15:09 UTC 2012


Recently my main IRC bounce went down and I decided to redo things. I'd
like to help save people some time and also to give some advice for
people who want to use irssi or similar clients to connect to the Tor
development channels.

Basically using Tor and irssi is intolerable - it doesn't work with
privoxy chained to Tor if you want to use SSL/TLS. As far as I can tell,
it's not possible to use any SOCKS proxy safely if at all without major
pain. torsocks doesn't work for reasons that I can't easily debug and so
I took the kernel filter path...

I've found that the best thing to do on GNU/Linux-like platforms for use
with irssi is as follows:

# install Tor and configure it to have a TransPort and a DNSPort
# add this to /etc/tor/torrc
TransPort 9040
DNSPort 5353

# Add a user
adduser --system --disabled-login ircuser

# https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
# Add a firewall rule for Transparent proxy

iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --syn -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 53 -j REDIRECT --to-ports 5353
iptables -t nat -A OUTPUT -m owner --uid-owner ircuser -j DROP

# You may want to use a different set of rules depending on iptables versions, etc

# Now add this to your /home/ircuser/.irssi/config file:
servers = (
  {
    address = "irc.oftc.net";
    chatnet = "OFTC";
    port = "6697";
    use_ssl = "yes";
    ssl_verify = "yes";
    ssl_cafile = "~/.irssi/certs/CAs.pem";
    autoconnect = "yes";
    autosendcmd = "/msg NickServ IDENTIFY you-user-name-here PASSWORD";
  }
);

chatnets = {
  OFTC = {
    type = "IRC";
    max_kicks = "1";
    max_msgs = "3";
    max_whois = "30";
  };
};

channels = (
  { name = "#tor-dev"; chatnet = "OFTC"; autojoin = "Yes"; },
  { name = "#tor"; chatnet = "OFTC"; autojoin = "Yes"; },
  { name = "#nottor"; chatnet = "OFTC"; autojoin = "Yes"; }
);

settings = {
  core = {
    real_name = "you-user-name-here";
    user_name = "you-user-name-here";
    nick = "you-user-name-here";
  };
  "fe-text" = { actlist_sort = "refnum"; };
};
ignores = ( { level = "CTCPS"; } );

Now ensure you have the right SSL CA by following these directions:

You should be good to go - just switch to your irc user and you'll have
a torified irc client with SSL/TLS support.

All the best,
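
Added example, not part of the original post: a shell check that the three per-user rules above are present and in the right order, so a missing DNS redirect or catch-all is caught before the client connects. The function name `check_torify_rules`, the uid 1001 and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_torify_rules is a hypothetical helper name.
# usage: iptables -t nat -S OUTPUT | check_torify_rules UID TRANSPORT DNSPORT
# iptables -S prints the owner as a numeric uid, so pass `id -u ircuser`.
check_torify_rules() {
    uid=$1; trans=$2; dns=$3
    n=0; tcp_at=0; udp_at=0; block_at=0; bad=0
    while IFS= read -r rule; do
        n=$((n + 1))
        case "$rule" in
            *"--uid-owner $uid "*) ;;   # rule applies to this user
            *) continue ;;              # ignore everything else
        esac
        case "$rule" in
            *"-p tcp "*"-j REDIRECT --to-ports $trans")
                if [ "$tcp_at" -eq 0 ]; then tcp_at=$n; fi ;;
            *"-p udp "*"--dport 53 "*"-j REDIRECT --to-ports $dns")
                if [ "$udp_at" -eq 0 ]; then udp_at=$n; fi ;;
            *"-j DROP"|*"-j REJECT"*)
                if [ "$block_at" -eq 0 ]; then block_at=$n; fi ;;
        esac
    done
    if [ "$tcp_at" -eq 0 ]; then
        echo "FAIL: no TCP redirect to TransPort $trans"; bad=1
    fi
    if [ "$udp_at" -eq 0 ]; then
        echo "FAIL: no DNS redirect to DNSPort $dns (lookups bypass Tor)"; bad=1
    fi
    if [ "$block_at" -eq 0 ]; then
        echo "FAIL: no catch-all DROP/REJECT (other traffic is not blocked)"; bad=1
    elif [ "$block_at" -lt "$tcp_at" ] || [ "$block_at" -lt "$udp_at" ]; then
        echo "FAIL: catch-all at line $block_at precedes a redirect"; bad=1
    fi
    if [ "$bad" -eq 0 ]; then echo "OK: uid $uid is redirected and fenced"; fi
    return "$bad"
}

# Constructed sample of `iptables -t nat -S OUTPUT` output for uid 1001.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 1001 -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -m owner --uid-owner 1001 -j DROP'

printf '%s\n' "$SAMPLE_RULES" | check_torify_rules 1001 9040 5353
```

On a live system, run it as root with `iptables -t nat -S OUTPUT | check_torify_rules "$(id -u ircuser)" 9040 5353`.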
