Version 3 (modified by proper, 8 years ago)

added warning

Read first!!!

Also read General Instructions for IRC first!!!

WARNING: The following instructions explain how to torify. They lack information on how to block leaks:

  • DCC
  • quit, leave and away messages


There are (at least) three methods to connect to an IRC server through Tor in irssi: using transparent proxying, socat or usewithtor.

Transparent Proxying and irssi

This method was described by Jacob Appelbaum on tor-talk on 9.2.2012 as a way to connect to the OFTC IRC network.

Install Tor and configure it to have a TransPort and a DNSPort:

# add this to /etc/torrc or to /path/to/tor-browser-bundle/Data/Tor/torrc (if using the Tor browser bundle)
TransPort 9040
DNSPort 5353
AutomapHostsOnResolve 1

Add a user:

adduser --system --disabled-login ircuser
  • On others (e.g. Fedora, CentOS, Gentoo):
    useradd -rm ircuser

and then follow this guide to disable GDM/KDM login.

Based on doc/TransparentProxy, add firewall rules for that user:

  • If NOT using system-config-firewall
    # You may want to use a different set of rules depending on iptables versions, etc
    # This does NOT COVER IPV6!!!
    iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --syn -j REDIRECT --to-ports 9040
    iptables -t nat -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 53 -j REDIRECT --to-ports 5353
    iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --dport 9040 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 5353 -j ACCEPT
    iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner ircuser -j DROP
  • If using system-config-firewall
    • Create a file called myiptables-nat in /etc/sysconfig containing
      -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --syn -j REDIRECT --to-ports 9040
      -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 53 -j REDIRECT --to-ports 5353
    • Create a file called myiptables-filter in /etc/sysconfig containing
      -A OUTPUT -p tcp -m owner --uid-owner ircuser -m tcp --dport 9040 -j ACCEPT
      -A OUTPUT -p udp -m owner --uid-owner ircuser -m udp --dport 5353 -j ACCEPT
      -A OUTPUT ! -o lo -m owner --uid-owner ircuser -j DROP
    • Then execute the following commands
      chown root:root /etc/sysconfig/myiptables-*
      chmod 600 /etc/sysconfig/myiptables-*
      chcon -u system_u -t system_conf_t /etc/sysconfig/myiptables-*
    • Start your system-config-firewall, go to tab custom rules, add the two files (Protocol type: ipv4, Firewall table: nat, File: /etc/sysconfig/myiptables-nat and Protocol type: ipv4, Firewall table: filter, File: /etc/sysconfig/myiptables-filter), then press Apply

To check whether this worked you can use

iptables -t nat -L
iptables -t filter -L

which should list your newly added rules.
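A scripted version of this check, as an added example that is not part of the original page: it reads `iptables -S OUTPUT` text (nat and filter tables concatenated) and names the rules that are missing for one owner. The sample rules are constructed, uid 105 stands in for ircuser because `iptables -S` prints the numeric uid and expands `--syn`, and `v6_blocked` assumes the IPv6 gap is closed with an owner-matched DROP or REJECT rule in ip6tables.

```shell
#!/bin/sh
# Added example: audit `iptables -S OUTPUT` text for the per-user Tor rules.
# Sample rule text below is constructed; 105 stands in for ircuser's uid.

# has_rule OWNER ERE: succeed if $RULES holds a rule for OWNER matching ERE.
has_rule() {
    printf '%s\n' "$RULES" | grep -F -- "--uid-owner $1 " | grep -Eq -- "$2"
}

# check_irc_rules OWNER: read nat + filter OUTPUT rules on stdin, print the
# names of the missing rules, and succeed only if all five are present.
check_irc_rules() {
    RULES=$(cat)
    missing=""
    has_rule "$1" '-p tcp .*-j REDIRECT --to-ports 9040$' ||
        missing="$missing tcp-redirect"
    has_rule "$1" '-p udp .*--dport 53 -j REDIRECT --to-ports 5353$' ||
        missing="$missing dns-redirect"
    has_rule "$1" '-p tcp .*--dport 9040 -j ACCEPT$' ||
        missing="$missing transport-accept"
    has_rule "$1" '-p udp .*--dport 5353 -j ACCEPT$' ||
        missing="$missing dnsport-accept"
    has_rule "$1" '! -o lo .*-j DROP$' ||
        missing="$missing non-loopback-drop"
    echo "${missing# }"
    [ -z "$missing" ]
}

# v6_blocked OWNER: read `ip6tables -S OUTPUT` on stdin; succeed if some rule
# drops or rejects that owner's traffic (assumed way to close the IPv6 gap).
v6_blocked() {
    RULES=$(cat)
    has_rule "$1" '-j (DROP|REJECT)( |$)'
}

# Constructed sample: the five rules as `iptables -S OUTPUT` would print them.
SAMPLE_OK='-A OUTPUT -p tcp -m owner --uid-owner 105 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
-A OUTPUT -p udp -m owner --uid-owner 105 -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m owner --uid-owner 105 -m tcp --dport 9040 -j ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 105 -m udp --dport 5353 -j ACCEPT
-A OUTPUT ! -o lo -m owner --uid-owner 105 -j DROP'
# Same rules with the DNS redirect lost, e.g. after a partial firewall reload.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v -- '--dport 53 ')

printf '%s\n' "$SAMPLE_OK"  | check_irc_rules 105 && echo "IPv4 rules complete"
printf '%s\n' "$SAMPLE_BAD" | check_irc_rules 105 || echo "^ missing from SAMPLE_BAD"
```

On a live system, feed it `{ iptables -t nat -S OUTPUT; iptables -t filter -S OUTPUT; } | check_irc_rules "$(id -u ircuser)"` as root.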

Now add this to your /home/ircuser/.irssi/config file:

servers = (
  {
    address = "";
    chatnet = "OFTC";
    port = "6697";
    # TLS with certificate verification against the CA file below
    use_ssl = "yes";
    ssl_verify = "yes";
    ssl_cafile = "~/.irssi/certs/CAs.pem";
    autoconnect = "yes";
    autosendcmd = "/msg NickServ IDENTIFY you-user-name-here PASSWORD";
  }
);

chatnets = {
  OFTC = {
    type = "IRC";
    max_kicks = "1";
    max_msgs = "3";
    max_whois = "30";
  };
};

channels = (
  { name = "#tor-dev"; chatnet = "OFTC"; autojoin = "Yes"; },
  { name = "#nottor"; chatnet = "OFTC"; autojoin = "Yes"; }
);

settings = {
  core = {
    # set all three explicitly so irssi does not fill them in itself
    real_name = "you-user-name-here";
    user_name = "you-user-name-here";
    nick = "you-user-name-here";
  };
  "fe-text" = { actlist_sort = "refnum"; };
};
# ignore all CTCP requests
ignores = ( { level = "CTCPS"; } );

Now ensure you have the right SSL CA by following these directions:

You should be good to go - just switch to your irc user and you'll have a torified irc client with SSL/TLS support.
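Before the first start as the irc user, the config can be checked for the two things this page relies on: `user_name` and `nick` set to something other than the local account name (irssi fills empty ones in itself, as shown under Prevent Leakage), and a CTCPS ignore. This is an added example, not part of the original page; the function names and sample files are constructed, and a missing key is treated like an empty one.

```shell
#!/bin/sh
# Added example: pre-flight check of an irssi config for the leaks described
# on this page. The two config files written below are constructed samples.

# field FILE KEY: print the first value of `KEY = "...";` (empty if unset).
field() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" |
        head -n 1
}

# audit_irssi_config FILE LOGIN: print the findings on one line and fail if
# there are any. LOGIN is the local account name that must not appear.
audit_irssi_config() {
    findings=""
    for key in user_name nick; do
        val=$(field "$1" "$key")
        case "$val" in
            "")   findings="$findings$key-empty " ;;     # irssi would fill it in
            "$2") findings="$findings$key-is-login " ;;  # already leaked
        esac
    done
    # Approximate check: any ignore entry whose level list contains CTCPS.
    grep -Eq 'level[[:space:]]*=[[:space:]]*"[^"]*CTCPS' "$1" ||
        findings="${findings}ctcps-not-ignored "
    echo "${findings% }"
    [ -z "$findings" ]
}

tmp=$(mktemp -d)
LEAKY=$tmp/leaky GOOD=$tmp/good
cat > "$LEAKY" <<'EOF'
settings = {
  core = {
    user_name = "";
    nick = "example_user";
  };
};
EOF
cat > "$GOOD" <<'EOF'
settings = {
  core = {
    user_name = "you-user-name-here";
    nick = "you-user-name-here";
  };
};
ignores = ( { level = "CTCPS"; } );
EOF
audit_irssi_config "$LEAKY" example_user || echo "^ fix before connecting"
audit_irssi_config "$GOOD" example_user && echo "config ok"
```

Run it against the real file as `audit_irssi_config /home/ircuser/.irssi/config "$(whoami)"`.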

SASL (irssi)

If the IRC server you wish to connect to requires SASL authentication (e.g. freenode), you will need to install the SASL plugin to add SASL support to irssi. If not, feel free to skip this section.

These instructions assume that you already have a registered nick with the server you wish to connect to.

First you will need to exit Irssi and download the SASL plugin which can be found here. Note: This plugin is from and may or may not work with other servers.

The plugin should be named and should be moved into the ~/.irssi/scripts directory.

First we'll launch irssi. Here we've done so inside screen out of habit.

screen irssi

If you are missing any libraries required by the SASL plugin, Irssi will issue a few warnings. Make sure to install them before continuing.

Once you have the SASL plugin loaded, you must add your nickserv registration and encryption method into the SASL plugin. The plugin can take one of two values for encryption method: PLAIN or DH-BLOWFISH. We are going to use DH-BLOWFISH.

/sasl set localhost [username] [password] DH-BLOWFISH

Check to make sure your info was saved properly:

/sasl show

If it looks correct, save it:

/sasl save

This will append your info to ~/.irssi/sasl.auth. Once your info has been saved, this file should be loaded automatically each time you start Irssi. If not, just type:

/sasl load

Now, connect using one of the methods described below (Socat or usewithtor).

Socat (irssi)

Using Socat has been described previously in the TorifyHowTO.

Since many irssi users already run their client in screen, add a new "window" in screen (Ctrl+A C) for easy control.

Assuming that Tor is listening on 9050 and you want to connect to foo.onion:

socat TCP4-LISTEN:4242,fork SOCKS4A:localhost:foo.onion:6667,socksport=9050  

This small script might make the above process easier:

# ./socatchk remote-host remote-port
# crudely shuts down socat (if running) and then restarts it for the new host/port
orlisadr=localhost; orport=9050   # Tor's SOCKS listener, as assumed above
pidof socat >/dev/null 2>&1 && kill $(pidof socat)
socat TCP4-LISTEN:4242,fork SOCKS4A:$orlisadr:"$1":"$2",socksport=$orport &

Call it with the hidden service's address and port:

./socatchk hiddenIRCservice port

Now go back to irssi (Ctrl+A A) and type:

/connect localhost 4242

Or, if using SSL (remember to make sure that you started socat with the correct SSL port!):

/connect -ssl localhost 4242

irssi should now connect to the server.

usewithtor method (irssi)

The usewithtor method is similar to the socat method above, but it does not require you to reroute your traffic through socat and allows you to connect directly through irssi.

  • The usewithtor method requires that you have torsocks installed.

If the IRC server you wish to connect to requires SASL authentication, you will need to install the SASL plugin to add SASL support to irssi (see above).

To use usewithtor start irssi like so:

usewithtor irssi

From here you can connect to a server directly (if the exit node you're using isn't blocked) or connect to a hidden service. If you need help setting up SASL (for freenode, for example) see above directions.

Prevent Leakage (irssi)

To minimize information leakage from irssi, add this to the irssi config (if irssi isn't running!):

ignores = ( { level = "CTCPS"; } );

or type (if irssi is running!) in your status window

/ignore * CTCPS

and then


If you run irssi with user_name and nick set to the empty string, irssi will automatically rewrite the config file to contain your local user name, and then continue to run. This may leak your username to any servers and rooms to which irssi automatically connects:

$ whoami
$ cp ~/.irssi/config ./config_before_running_irssi 
$ torify irssi
 <quit irssi>
$ diff -u ./config_before_running_irssi ~/.irssi/config 
--- ./config_before_running_irssi       2012-02-13 20:36:03.057787378 -0800
+++ /home/example_user/.irssi/config    2012-02-13 20:36:42.630898407 -0800
@@ -259,8 +259,8 @@
 settings = {
   core = {
     real_name = "";
-    user_name = "";
-    nick = "";
+    user_name = "example_user";
+    nick = "example_user";
   "fe-text" = { actlist_sort = "refnum"; };