General documentation on Torifying applications.

Also see General Instructions for IRC.

WARNING: The following instructions explain how to Torify. They lack information on how to block leaks:

  • DCC
  • quit, leave and away messages


There are (at least) three methods to connect to an IRC server through Tor in irssi: using transparent proxying, socat or usewithtor.

Transparent Proxying and irssi


  1. Tor must be installed, or you must have the Tor Browser Bundle
  2. You must be able to edit your torrc file


  1. Open your torrc file with a text editor.
  2. If running Tor>=2.3.x, the new stream isolation configuration setting can be used. To configure the Transport and DNSPort, add the following to your torrc file:
##  _______________________
##  |______________________|
## IsolateClientAddr     = (on by default) Separate connecting clients by 
##                         address
## IsolateSOCKSAuth      = (on by default) Separate streams with different 
##                         SOCKS authentications
## IsolateClientProtocol = SOCKS4, SOCKS5, TransPort connections, NATDPort
##                         connections, and DNSPort requests are all 
##                         considered different protocols
## IsolateDestPort       = Separate by destination port
## IsolateDestAddr       = Separate by destination address 

TransPort IsolateClientAddr IsolateClientProtocol IsolateDestAddr

VirtualAddrNetwork    ## maps an IP address from localhost/10
AutomapHostsOnResolve 1              ## to each connection to a new host which
AutomapHostsSuffixes .exit,.onion    ## ends in '.exit' or '.onion'

This method has been described by Jacob Appelbaum on tor-talk on 9.2.2012 to connect to the OFTC irc network.

To configure Tor<2.3.x to have a TransPort and a DNSPort, add the following to your torrc:

TransPort 9040
DNSPort 5353
AutomapHostsOnResolve 1

Add a user:

adduser --system --disabled-login ircuser
  • On others (e.g. Fedora, CentOS, Gentoo):
    useradd -rm ircuser

and then follow this guide to disable GDM/KDM login.


  • Don't forget to SAVE your iptables rules!
  • Failure to do so can be disastrous when your box is rebooted!
  • Don't just copy and paste these rules individually to a terminal without ALSO saving them!
  • Do a web search for "iptables-save" and learn how to use it properly, Test it BEFORE going into battle!

Based on doc/TransparentProxy, add firewall rules for that user:

  • If NOT using system-config-firewall
    # You may want to use a different set of rules depending on iptables versions, etc
    # This does NOT COVER IPV6!!!
    # WARNING!
    # DONT forget to save your iptables rules!!
    # Not doing so could UNMASK/EXPOSE your real IP address WHEN your Linux box reboots!
    iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --syn -j REDIRECT --to-ports 9040
    iptables -t nat -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 53 -j REDIRECT --to-ports 5353
    iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --dport 9040 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 5353 -j ACCEPT
    iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner ircuser -j DROP
  • If using system-config-firewall
    • Create a file called myiptables-nat in /etc/sysconfig containing
      -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --syn -j REDIRECT --to-ports 9040
      -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 53 -j REDIRECT --to-ports 5353
    • Create a file called myiptables-filter in /etc/sysconfig containing
      -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --dport 9040 -j ACCEPT
      -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 5353 -j ACCEPT
      -A OUTPUT ! -o lo -m owner --uid-owner ircuser -j DROP
    • Then execute the following commands
      chown root:root /etc/sysconfig/myiptables-*
      chmod 600 /etc/sysconfig/myiptables-*
      chcon -u system_u -t system_conf_t /etc/sysconfig/myiptables-*
    • Start your system-config-firewall, go to tab custom rules, add the two files (Protocol type: ipv4, Firewall table: nat, File: /etc/sysconfig/myiptables-nat and Protocol type: ipv4, Firewall table: filter, File: /etc/sysconfig/myiptables-filter), then press Apply

To check whether this worked you can use

iptables -t nat -L
iptables -t filter -L

which should list your newly added rules.

Now add this to your /home/ircuser/.irssi/config file:

servers = (
    address = "";
    chatnet = "OFTC";
    port = "6697";
    use_ssl = "yes";
    ssl_verify = "yes";
    ssl_cafile = "~/.irssi/certs/CAs.pem";
    autoconnect = "no";
    autosendcmd = "/msg NickServ IDENTIFY you-user-name-here PASSWORD";

chatnets = {
  OFTC = {
    type = "IRC";
    max_kicks = "1";
    max_msgs = "3";
    max_whois = "30";

channels = (
  { name = "#tor-dev"; chatnet = "OFTC"; autojoin = "Yes"; },
  { name = "#nottor"; chatnet = "OFTC"; autojoin = "Yes"; }

settings = {
  core = {
    real_name = "you-user-name-here";
    user_name = "you-user-name-here";
    nick = "you-user-name-here";
  "fe-text" = { actlist_sort = "refnum"; };
ignores = ( { level = "CTCPS"; } );

Now ensure you have the right SSL CA by following these directions:

You should be good to go - just switch to your irc user and you'll have a torified irc client with SSL/TLS support.


I have purposefully turned off autoconnect, to prevent the potentially disastrous event of you the end user not saving your iptables rules and then your box being rebooted during the night and irssi being in your autorun scripts and because it is in your autorun scripts it then automatically reconnects to OFTC and shows everybody your real IP address!, the OFTC IRC network doesn't ghost or hash your IP address unless you authenticate!. To connect to OFTC manually just type "/connect oftc" - Slipstream 05-2014

SASL (irssi)

If the IRC server you are wishing to connect to requires SASL authentication (e.g. freenode,) you will need to install the SASL plugin to add SASL supprt to irssi. If not, feel free to skip this section.

These instructions assume that you already have a registered nick with the server you are wishing to connect to.

First you will need to exit Irssi and download the SASL plugin which can be found here. Note: This plugin is from and may or may not work with other servers.

The plugin should be named and should moved into the ~/.irssi/scripts directory.

First we'll launch irssi. Here we've done so inside screen out of habit.

screen irssi

If you are missing any libraries required by the SASL plugin, Irssi will issue a few warnings. Make sure to install them before continuing.

Once you have the SASL plugin loaded, you must add your nickserv registration and encryption method into the SASL plugin. The plugin can take one of two values for encryption method: PLAIN or DH-BLOWFISH. We are going to use DH-BLOWFISH.

/sasl set localhost [username] [password] DH-BLOWFISH

Check to make sure your info was saved properly

/sasl show

If it looks correct save it.

/sasl save

This will append your info to ~/.irssi/sasl.auth. Once your info has been saved, this file should be loaded automatically each time you start Irssi. If not just type:

/sasl load

Now, connect using one of the methods described below (Socat or usewithtor).

Socat (irssi)

Using Socat has been described previously in the TorifyHowTO.

Since many irssi users already run their client in screen add a new "window" in screen (Ctrl+A C) for easy control.

Assuming that Tor is listening on 9050 and you want to connect to foo.onion:

socat TCP4-LISTEN:4242,bind=localhost,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050  

This one liner might make the above process easier:

# ./socatchk remote-host remote-port
# crudely shutsdown socat (if running) and then restarts it for new host/port
[ "$(pidof socat >/dev/null 2>&1 && echo $?)" = 0 ] && kill $(pidof socat); [ "$(pidof socat && echo $?)" != 0 ] && socat TCP4-LISTEN:4242,bind=localhost,fork SOCKS4A:$orlisadr:$1:$2,socksport=$orport &
./socatchk hiddenIRCservice port

Now go back to irssi (Ctrl+A A) and type:

/connect localhost 4242

Or if using SSL -- Remember: to make sure that you started Socat with the correct SSL port!

/connect -ssl localhost 4242

irssi should now connect to the server.

usewithtor method (irssi)

The usewithtor method is similar to the socat method above, but it does not require you to reroute your traffic through socat and allows you to connect directly through irssi.

  • The usewithtor method requires that you have torsocks installed.

If the IRC server you are wishing to connect to requires SASL authentication, you will need to install the SASL plugin to add SASL supprt to irssi (see above).

To use usewithtor start irssi like so:

usewithtor irssi

From here you can connect to a server directly (if the exit node you're using isn't blocked) or connect to a hidden service. If you need help setting up SASL (for freenode, for example) see above directions.

Prevent Leakage (irssi)

To minimize information leakage from irssi add to irssi config (if irssi isn't running!)

ignores = ( { level = "CTCPS"; } );

or type (if irssi is running!) in your status window

/ignore * CTCPS

and then


If you run irssi without user_name and nick set to the empty string, irssi will automatically rewrite the config file to contain your user name, then it will continue to run. This may leak your username to any servers and rooms to which irssi automatically connects:

$ whoami
$ cp ~/.irssi/config ./config_before_running_irssi 
$ torify irssi
 <quit irssi>
$ diff -u ./config_before_running_irssi ~/.irssi/config 
--- ./config_before_running_irssi       2012-02-13 20:36:03.057787378 -0800
+++ /home/example_user/.irssi/config    2012-02-13 20:36:42.630898407 -0800
@@ -259,8 +259,8 @@
 settings = {
   core = {
     real_name = "";
-    user_name = "";
-    nick = "";
+    user_name = "example_user";
+    nick = "example_user";
   "fe-text" = { actlist_sort = "refnum"; };
Last modified 10 months ago Last modified on Nov 27, 2016, 2:18:44 AM