Written: 2018-06-05 (Jaruga)

Torifying Irssi

Irssi is a free and open-source Internet Relay Chat client originally released in 1999. It is intended to be lightweight, and offers fine-grained control over security and extensions. Irssi is primarily for *NIX based operating systems (GNU/Linux, BSD, MacOS), though it is also available for use on Windows.

Official site:

Connection setup

Below we have generic instructions for torifying Irssi using torsocks (the recommended methodology) and adding servers as mapaddresses to your torrc file (for when torsocks is not available). This is followed up by additonal steps that can be performed to enhance the clients security.

Option 1: Using Torsocks

While these instructions show a .onion address as an example, they will also apply to clearnet-based servers.

  1. Launch Irssi with Torsocks by issuing the command torsocks irssi
  1. Add the server with the following commands:
    /NETWORK ADD Server1
    /SERVER ADD -network Server1 examplesite.onion 6667
    Note: Server1 is generic, and can be changed to your preferences.
  1. Connect to the server with /connect Server1.

Option 2: Without Torsocks

If Torsocks is not available for you, it is also possible to add desired servers as a mapaddress to the /etc/tor/torrc file. This will allow you to connect to the local 10.10.x address directly, and Tor will translate it to the desired address.

  1. Open up /etc/tor/torrc in your favourite text editor and add the following line:
    mapaddress examplesite.onion
    Note: The map address is generic, though it must be one not in use on your local network.
  1. Launch Irssi by simply issuing the comand irssi
  1. Add your server preferences as done in the option 1 example. Note that the server name can be omitted with the 10.10.x address defined in your torrc.

Note that tor could look for the torrc file in a different location, like /usr/local/etc/tor/torrc, so check man tor to be sure.

Additional steps

(Recommended) Disable CTCP / DCC

  1. Turn off CTCP and DCC replies with the following command in Irssi:
    /ignore * CTCPS
    /ignore * DCC

(Optional) Enabling SASL

If you already have a registered account on the server and would like to authenticate using SASL, this can be done by issuing the following command in Irssi:

/NETWORK ADD -sasl_username yourname -sasl_password yourpassword -sasl_mechanism PLAIN Server1

(Optional) Generating a client certificate

Below are instructions on generating a client certificate and configuring Irssi to recognise it.

  1. Generate a client certificate. From the terminal, issue the command:
    $ openssl req -x509 -sha256 -new -newkey rsa:4096 -days 1000 -nodes \
                  -out Server1.pem -keyout Server1.pem
    Note: the --days option is the number of days before the certificate expires, and can also be changed depending on your needs.

Once the generation is complete, you will see:

Common Name (e.g. server FQDN or YOUR name) []: user

Note: The name is generic. Set this to your desired username on the server.

  1. To make the directory where Irssi will find your certificates and to move your newly generated one there, issue the commands:
    $ mkdir -p ~/.irssi/certs
    $ mv Server1.pem ~/.irssi/certs/
  1. Print and record the certs fingerprint:
    $ openssl x509 -in ~/.irssi/certs/Server1.pem -outform der \
      | sha256sum -b | cut -d' ' -f1
  1. Add the server information to your ~/.irssi/config file:
    servers = (
        address = "";
        chatnet = "Server1";
        port = "6697"; 
        use_tls = "yes";
        tls_cert = "~/.irssi/certs/Server1.pem";
        tls_verify = "no";
        autoconnect = "no";
    chatnets = {
      Server1 = {  
        type = "IRC";  
        max_kicks = "1";
        max_msgs = "4";
        max_whois = "1";
        sasl_mechanism = "external";
        sasl_username = "user";
        sasl_password = "p455w0rd";
    settings = {
      core = { real_name = "user"; user_name = "user"; nick = "user"; };
    ignores = ( { level = "CTCPS"; } );

Of course, modify it to your needs.

  1. Launch Irssi. To configure it to recognise your newly generated certificate, issue the following commands:
    /network add -sasl_username user -sasl_password p455w0rd -sasl_mechanism EXTERNAL Server1
    /server add -ssl -ssl_cert ~/.irssi/certs/Server1.pem -net Server1 6697
Last modified 13 months ago Last modified on Oct 5, 2019, 2:25:45 PM