I’ve been familiar w/ IRC for ages now but I haven’t been on IRC consistently for some time until recently and because of this – mainly due to my current job role – I’ve been wanting to connect to my preferred IRC network – FreeNode – behind a TOR proxy. I simply want to be connected to IRC but I don’t want my originating hostname/IP address exposed to the IRC network and its users. I don’t want someone to /whois me and get this information either. So I thought today to finally set up a TOR proxy and tunnel myself through it to FreeNode. I did this on my Fedora 16 system.

I’ve set up an IRC client against FreeNode behind TOR in the past – but ever since FreeNode migrated its entire ircd network to what they call ircd-seven in 2010 there have been some changes to how FreeNode allows connections to its network from TOR proxies and how it enforces the use of SASL authentication. I was surprised how this seemingly simple task became a bit of a pain in the butt – so I wanted to capture here what steps I took to set up my IRC client and get all of this working.

First things first, you will need to install the required packages – so do:

% sudo yum install xchat tor

Now that TOR is installed, we have to modify its system configuration file - /etc/tor/torrc - and add the following to the bottom:

# Tor address for FreeNode
mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

Now let’s enable TOR to start on system start up, and start it up (in case it’s not running already):

% sudo systemctl enable tor.service && sudo systemctl restart tor.service

At this point you should have TOR running in the background on port 9050 ready to take local connections. We can verify this with nmap (% sudo yum install nmap):

% sudo nmap -sV localhost
…
9050/tcp open tor-socks Tor SOCKS Proxy
…

Seeing the above 9050 port listed out of the nmap command dump is a good sign (an alternative to nmap is: netstat -an | grep -i 9050).

Now we can move to the XChat setup. We’ll first have to download the ‘cap_sasl_xchat.pl’ file from FreeNode’s site. This is an XChat plugin which provides the SASL authentication module which we will need to connect over TOR to FreeNode.

I would simply open up a terminal and run the following as my local user:

% cd ~/.xchat2 && wget http://freenode.net/sasl/cap_sasl_xchat.pl

(NOTE: I modified the ‘AUTHENTICATION_TIMEOUT’ value from 5 to 25 in this script – the choice is yours)

Once this script is installed – we can fire up XChat. Run XChat and open the ‘Window->Plugins and Scripts…’ dialog box. Verify that the ‘CAP SASL’ plugin is listed. Additionally, run the following command in XChat and ensure you have SASL functionality:

/sasl

You should see the SASL help output.

Now, before we do anything more w/ SASL, let’s open up the ‘Network List’ in XChat and create a new network connection. We will call it ‘FreeNodeTor’. Edit this new network and add the following server entry ‘10.40.40.40/6667’. Save all this info and close the ‘Network List’ dialog box.

Open XChat’s ‘Preferences’ and navigate to the ‘Network Setup’ section. Under ‘Proxy Server’ we need to enter the following information:

Hostname: localhost
Port: 9050
Type: Socks5
Use proxy for: All Connections

Save all this info and close the ‘Preferences’ dialog box.
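Added example (not part of the original post, and not XChat or Tor code): the SOCKS5 messages, per RFC 1928, that a client configured as above sends to Tor on port 9050 for the 10.40.40.40/6667 server entry, plus an optional live probe of the local daemon. The function names are this example's own.

```python
import ipaddress
import socket
import struct

TOR_SOCKS = ("localhost", 9050)   # Tor's local SOCKS listener, as in the post
TARGET = ("10.40.40.40", 6667)    # the mapaddress entry added to torrc

# Reply codes from RFC 1928, section 6
REPLIES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable",
           5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}

def greeting():
    """VER=5, one auth method offered: 0x00 (no authentication)."""
    return bytes([5, 1, 0])

def connect_request(ip, port):
    """VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), then address and port."""
    addr = ipaddress.IPv4Address(ip).packed
    return bytes([5, 1, 0, 1]) + addr + struct.pack("!H", port)

def parse_method_reply(data):
    """True if the proxy speaks SOCKS5 and accepted 'no authentication'."""
    return len(data) == 2 and data[0] == 5 and data[1] == 0

def parse_connect_reply(data):
    """Status text for the first two bytes (VER, REP) of a CONNECT reply."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return REPLIES.get(data[1], "unknown code %d" % data[1])

def probe(proxy=TOR_SOCKS, target=TARGET, timeout=60):
    """Live check against the local Tor daemon (needs Tor running)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        f = s.makefile("rb")          # buffered reads return exactly n bytes
        s.sendall(greeting())
        if not parse_method_reply(f.read(2)):
            return "proxy refused the SOCKS5 greeting"
        s.sendall(connect_request(*target))
        return parse_connect_reply(f.read(2))

if __name__ == "__main__":
    print(probe())
```

A result of "succeeded" means Tor accepted the mapped address and built the circuit; any other status points at the torrc entry or the Tor daemon, not at XChat.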

Run the following inside XChat, substituting your own username and password.

/sasl set freenodetor <username> <password> PLAIN
/sasl save

NOTE: Make sure the username and password used are those of your main FreeNode registered user account and not a username that was grouped into your main account. I couldn’t get TOR-SASL to work unless I did this. If you don’t have an already registered FreeNode user account – log in to FreeNode separately and first register with NickServ. The main username you use here for SASL doesn’t have to be the username you use on any FreeNode channel later on.

Once you run the ‘/sasl save’ command, a ‘sasl.auth’ file will be created under ~/.xchat2. Additionally, as long as this file exists, it will be loaded up automatically next time you run XChat – you will see something like ‘SASL: auth loaded from /home/username/.xchat2/sasl.auth’ next time. Currently, only the PLAIN password mechanism is implemented for this XChat SASL plugin – which kinda sucks.
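Added example (not from the original post or from cap_sasl_xchat.pl): the client side of an IRCv3 SASL PLAIN exchange, showing that PLAIN only base64-encodes the account and password, so the credentials are protected by the transport and not by the mechanism. The server lines, the password and the function names are constructed for illustration, and quitting on a SASL failure is this example's choice.

```python
import base64

def plain_payload(account, password, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL password), base64-encoded."""
    raw = "\0".join([authzid, account, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def recover(payload):
    """Anyone who sees the payload gets the credentials back; no key is involved."""
    return tuple(base64.b64decode(payload).decode("utf-8").split("\0"))

def authenticate_lines(payload, chunk=400):
    """IRCv3 SASL: 400-byte chunks; an exact multiple of 400 ends with '+'."""
    lines = ["AUTHENTICATE " + payload[i:i + chunk]
             for i in range(0, len(payload), chunk)]
    if len(payload) % chunk == 0:
        lines.append("AUTHENTICATE +")
    return lines

def client_replies(server_line, account, password):
    """Lines a SASL PLAIN client sends in response to one server line."""
    parts = server_line.split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]                        # drop the server prefix
    if parts[:1] == ["CAP"] and "ACK" in parts and parts[-1].lstrip(":") == "sasl":
        return ["AUTHENTICATE PLAIN"]
    if parts == ["AUTHENTICATE", "+"]:           # server is ready for the payload
        return authenticate_lines(plain_payload(account, password))
    if parts[:1] == ["903"]:                     # RPL_SASLSUCCESS
        return ["CAP END"]
    if parts[:1] in (["904"], ["905"], ["906"]): # failed / too long / aborted
        return ["QUIT :SASL authentication failed"]
    return []

def run(server_lines, account, password):
    """Full client side of the exchange for a list of server lines."""
    sent = ["CAP REQ :sasl"]
    for line in server_lines:
        sent += client_replies(line, account, password)
    return sent

# Constructed server lines and credentials, for illustration only
SERVER_LINES = [":asimov.freenode.net CAP * ACK :sasl", "AUTHENTICATE +",
                ":asimov.freenode.net 903 user1 :SASL authentication successful"]

if __name__ == "__main__":
    for line in run(SERVER_LINES, "usermain", "example-password"):
        print(">>", line)
```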

You can now finally attempt to connect to FreeNode via the ‘FreeNodeTor’ network we set up earlier. You don’t need to enter any NickServ password after setting up the SASL authentication above. I personally use another username which is associated with my master FreeNode username when hanging out on FreeNode channels.

Once you get all this working, your /whois info will show something similar to the following on the connection lines, and no one will see your actual hostname/IP address:

End of /MOTD command.
user1 sets mode +i user1
[user1] ([email protected]/tor-sasl/usermain): user1
[user1] asimov.freenode.net :TX, USA
[user1] is connecting from *@gateway/tor-sasl/usermain 255.255.255.255
[user1] idle 00:00:10, signon: Sun Jun 10 20:14:56
[user1] is logged in as usermain
[user1] End of WHOIS list.

You should now (FINALLY) be connected to FreeNode behind a TOR proxy using SASL authentication successfully. It took me a bit of time to get this working myself since the FreeNode documentation was a bit confusing and even more time writing this up – but hopefully it helps someone out. Let me know if I left anything out.

Cheers!
