freenode / web-7.0

The freenode website, home to our blog, knowledge base and policies
https://freenode.net/

SASL+TOR+FREENODE How to #327

Open soakes opened 6 years ago

soakes commented 6 years ago

This is a quick walkthrough on how to set up Tor support with SASL on the freenode network, as I was asked by kline from the #freenode channel after I set mine up earlier this evening.

I was going to type out the full walkthrough, but I thought it would probably be easier for most people if I made a quick, simple script which performs the process.

This script has only been tested on Debian 8, but it will install and configure Tor with proxychains support so that it can be used to connect to freenode IRC.

It should work with other versions, but that's untested. I have added a few simple checks to make sure it's not run twice or if Tor is already installed. It also does a very quick, simple check to see if the system is Debian-based.

Please note that you MUST configure SASL certs manually for whatever client you're using, but the steps below are what you will generally need to create SASL certs no matter what distro you use.

  1. Generate a NEW SASL cert and fill in the details as it prompts you. I do suggest you use the nickname you use on freenode when it prompts you for the hostname. Please make sure you back up the cert/key somewhere safe after it has been created, as it will have FULL access to your NickServ account once you have finished all the steps. Note that this also means making sure its permissions are tight, i.e. 600 or 640.

openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes -out freenode.pem -keyout freenode.pem

  2. Extract the fingerprint from the NEWLY generated cert using the following command, then type the output into IRC.

echo "/msg NickServ CERT ADD $(openssl x509 -in freenode.pem -outform der | sha1sum -b | cut -d' ' -f1)"

  3. Once you have typed the above command into IRC, disconnect and then make sure you can connect to IRC with the SASL CERT instead of your password, still WITHOUT USING TOR. This is just to make sure that the SASL setup is correct, as the Tor connection won't connect without SASL.

The easiest way I found was to use the IRSSI client, with the following command(s) to test SASL connectivity.

Type the following into the shell which runs IRSSI...

mkdir ~/.irssi/certs
mv freenode.pem ~/.irssi/certs 
chown username:username -R ~/.irssi/certs
chmod 600 ~/.irssi/certs/freenode.pem 

Type the following into IRC client window (IRSSI): /server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode chat.freenode.net 6697

Please replace username with the username which runs your IRSSI client.

Beware: if you hit the BUG and it won't connect due to an SSL error with IRSSI, make sure the PORT is set to 6697, not 6667, as some versions seem to ignore what you type in.

See the reference links to find the exact BUG/FIX for more help.

Once/if SASL is now connecting with your IRC client, it's time to run this script, which will set up and configure Tor and proxychains for you. Please remember that this script is designed to be used on Debian systems and has only been tested on Debian 8, because that is what my ZNC VM was already running.

I have set up the script to BIND the Tor onion hidden service address to 127.0.0.2; this shouldn't need adjusting, but your network may vary.

On your IRC client, after this setup has been completed, you will need to change the connecting server address for IRC from chat.freenode.net to 127.0.0.2 +7000.

The above address is what proxychains is redirecting through Tor. If you don't use this address, you won't be using Tor. So if your connection still shows that you're not connecting via Tor, please make sure you have updated your client's server connection info.

Please take note that even if you're not running Debian 8, no matter what your distro is, the steps are mostly the same.

  1. install Tor and proxychains
  2. append the torrc config to map the freenode onion address to an IPv4 address
  3. restart the Tor service to reload the config
  4. update your IRC client to use the new Tor connection info, i.e. 127.0.0.2 +7000

Final note: it will take a few minutes to get a connection, as some Tor nodes don't seem to allow IRC; just wait, it will connect as long as SASL is working.

References:
https://wiki.znc.in/Tor
https://freenode.net/news/tor-online
https://freenode.net/kb/answer/certfp
https://bbs.archlinux.org/viewtopic.php?id=210315

OUTPUT SAMPLE

20170724-022305: [install] adding official tor repo ..
20170724-022305: [install] adding gpg keys ..
20170724-022305: [install] exporting gpg keys for apt use ..
20170724-022305: [install] running apt-get update to refresh cache..
20170724-022308: [install] installing tor package from official repo..
20170724-022313: [install] installing proxychains ..
20170724-022314: [update] Updating torrc ..
20170724-022314: [restart] tor service
20170724-022314: [finish] don't forget you need to configure your IRC client to use 127.0.0.2 +7000 instead of chat.freenode.net and use SASL!

SCRIPT

#!/bin/bash
# Installs Tor from the Tor Project's Debian repository plus proxychains,
# appends a MapAddress for the freenode onion service to torrc and restarts
# Tor. Only tested on Debian 8. Refuses to run unless root, on Debian, and
# with no existing /etc/tor/torrc (it is meant for a fresh machine).

TORRC_PATH="/etc/tor/torrc"
DEBUG_LOG="debug.log"
DEBUG=0
# Full fingerprint of the Tor Project archive signing key (short ID 886DDD89).
TOR_KEY_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

if [ "$1" = "-d" ] || [ "$1" = "--debug" ]; then
    DEBUG=1
fi

if [ "$(id -u)" -ne 0 ]; then
    echo "requires root to run, exiting."
    exit 1
fi

if [ ! -f /etc/debian_version ]; then
    echo "only debian is supported, exiting."
    exit 1
fi

if [ -f "${TORRC_PATH}" ]; then
    echo "tor looks like it's already installed, this is designed for a fresh machine, exiting."
    exit 1
fi

# lsb_release is not part of a minimal Debian install; without it the
# repository line written below would be malformed.
if ! command -v lsb_release > /dev/null 2>&1; then
    echo "lsb_release not found (apt-get install lsb-release), exiting."
    exit 1
fi

# Log a timestamped line to stdout and append it to the debug log;
# with -d/--debug the raw message is also echoed to stderr.
_debug() {
    [ "${DEBUG}" -eq 1 ] && echo "${*}" 1>&2
    echo "$(date +"%Y%m%d-%H%M%S"): ${*}" | tee -a "${DEBUG_LOG}"
}

_install() {
    if [[ $1 = tor ]]; then
        _debug "[install] adding official ${1} repo .."
        echo "deb http://deb.torproject.org/torproject.org $(lsb_release -cs) main" >> /etc/apt/sources.list.d/tor.list
        _debug "[install] adding gpg keys .."
        # Fetch by full fingerprint rather than the 32-bit short ID, which is trivially collidable.
        gpg --keyserver keys.gnupg.net --recv-keys "${TOR_KEY_FPR}" >> "${DEBUG_LOG}" 2>&1
        _debug "[install] exporting gpg keys for apt use .."
        # Already root here, so no sudo is needed.
        gpg --export "${TOR_KEY_FPR}" | apt-key add - >> "${DEBUG_LOG}" 2>&1
        _debug "[install] running apt-get update to refresh cache.."
        apt-get update >> "${DEBUG_LOG}" 2>&1
        _debug "[install] installing tor package from official repo.."
        # deb.torproject.org-keyring keeps the repo signing key current via apt from now on.
        apt-get -y install deb.torproject.org-keyring "${1}" >> "${DEBUG_LOG}" 2>&1
    fi

    if [[ $1 = proxychains ]]; then
        _debug "[install] installing ${1} .."
        apt-get -y install "${1}" >> "${DEBUG_LOG}" 2>&1
    fi
}

_update() {
    if [[ $1 = torrc ]]; then
        _debug "[update] Updating ${1} .."
        cat << EOF >> "${TORRC_PATH}"

## Tweaks
# Only affects ordinary exit traffic; onion-service circuits do not use exit relays.
ExitNodes {de},{fr},{gb},{nl}

# IP address to .onion mapping that proxychains uses to connect to
# freenode's hidden IRC service
MapAddress      127.0.0.2      freenodeok2gncmy.onion # freenode
EOF
    fi
}

_restart() {
    if [[ ${1} = tor ]]; then
        _debug "[restart] ${1} service"
        service tor restart >> "${DEBUG_LOG}" 2>&1
    fi
}

_finish() {
    _debug "[finish] don't forget you need to configure your IRC client to use 127.0.0.2 +7000 instead of chat.freenode.net and use SASL!"
}

_install tor
_install proxychains
_update torrc
_restart tor
_finish

Everyone is welcome to use/adapt/improve the script. I have not added any license to it as I really have little clue what to use, so use whatever you wish. If you wish to credit me, just stick it as majestic on freenode IRC.

P.S. When I get more time, I will improve the script and/or switch it to Ansible and support multiple distros, which would be better.
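The four-step procedure above (append the MapAddress to torrc, point proxychains at Tor, reconnect the client to 127.0.0.2) is the part most likely to be re-run on a machine where Tor is already installed, which the posted script refuses to handle. The helper below is an added example, not the issue author's script or anything from freenode: it writes only configuration, is safe to run repeatedly, and operates on whatever paths it is given. It takes the onion address, the 127.0.0.2 alias and the Tor SOCKS port from the post and Tor's defaults; the proxychains `PROXYCHAINS_CONF_FILE`/`-f` mechanism mentioned in the usage note is an assumption about proxychains 3.x and proxychains-ng, so check your version.

```shell
#!/bin/sh
# Added example (not the issue author's script): idempotent torrc and
# proxychains configuration for reaching the freenode onion service via a
# local alias address. Installs nothing and restarts nothing; see usage note.
set -eu

FREENODE_ONION="freenodeok2gncmy.onion"   # onion address quoted in the post
MAP_IP="127.0.0.2"                        # local alias Tor rewrites to the onion
TOR_SOCKS="127.0.0.1 9050"                # Tor's default SocksPort

# True if $1 already contains an uncommented MapAddress for MAP_IP.
# Tor configuration keywords are case-insensitive, hence grep -i.
torrc_has_mapaddress() {   # $1 = torrc path
    ip_re=$(printf '%s' "$MAP_IP" | sed 's/\./\\./g')
    [ -f "$1" ] && grep -Eiq "^[[:space:]]*mapaddress[[:space:]]+${ip_re}([[:space:]]|$)" "$1"
}

# Append the MapAddress line only when it is absent, so re-running this
# (or running it after the original script) never stacks duplicate lines.
torrc_add_mapaddress() {   # $1 = torrc path (created if missing)
    if torrc_has_mapaddress "$1"; then
        return 0
    fi
    printf '\n# %s is a local alias for the freenode onion service\nMapAddress %s %s\n' \
        "$MAP_IP" "$MAP_IP" "$FREENODE_ONION" >> "$1"
}

# Write a dedicated proxychains config that sends everything to Tor.
# proxy_dns keeps hostname lookups inside the SOCKS tunnel, and no
# "localnet" exclusion is written: a line such as
# "localnet 127.0.0.0/255.0.0.0" would let the client reach 127.0.0.2
# directly, bypassing Tor while appearing to work.
proxychains_write_conf() {   # $1 = output path
    cat > "$1" <<EOF
# generated: route the IRC client through the local Tor SOCKS port
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 $TOR_SOCKS
EOF
    chmod 644 "$1"
}

# Stand-alone demo on throwaway files constructed here (not /etc):
# the second torrc_add_mapaddress call must be a no-op.
demo_dir=$(mktemp -d)
torrc_add_mapaddress "$demo_dir/torrc"
torrc_add_mapaddress "$demo_dir/torrc"
proxychains_write_conf "$demo_dir/proxychains.conf"
echo "--- torrc ---";            cat "$demo_dir/torrc"
echo "--- proxychains.conf ---"; cat "$demo_dir/proxychains.conf"
rm -rf "$demo_dir"
```

On the real box, run `torrc_add_mapaddress /etc/tor/torrc && service tor restart` as root, write the proxychains file somewhere such as `/etc/proxychains-tor.conf`, then start the client under it (`PROXYCHAINS_CONF_FILE=/etc/proxychains-tor.conf proxychains irssi`, or `proxychains -f /etc/proxychains-tor.conf irssi`) and add the server as in the post but with the alias: `/server add -auto -ssl -ssl_cert ~/.irssi/certs/freenode.pem -network freenode 127.0.0.2 7000`. If you reuse a distribution-supplied proxychains.conf instead, check it for a `localnet` line covering 127.0.0.0/8 (some proxychains-ng configs ship one), since it silently defeats the whole setup.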

swantzter commented 6 years ago

@christeld we should potentially look at making this mergeable?

ethieda commented 6 years ago

On OpenBSD the second command needs to be changed from "sha1sum" to "sha1" because there is no "sha1sum" package/port.

echo "/msg NickServ CERT ADD $(openssl x509 -in freenode.pem -outform der | sha1 -b | cut -d' ' -f1)"

Reference: https://man.openbsd.org/sha1#b

Also: chown username:username -R ~/.irssi/certs needs to be changed to: chown -R username:username ~/.irssi/certs

I have not tested/adopted/modified anything beyond the /server command as I came here for the SASL configuration hints! :-)

I will report back with more updates if I test Tor and convert the bash script to ksh for OpenBSD compatibility.

ilbelkyr commented 6 years ago

It's probably easier to just connect with the certificate and run /msg NickServ CERT ADD, which defaults to the certificate fingerprint currently used, fwiw. That also ensures the certificate is properly used by the client.

soakes commented 6 years ago

I created a docker version a few months ago which I forgot to add here. This might be helpful to some people. This is heavily optimized with compiled versions of tor for added speed.

https://hub.docker.com/r/netspeedy/tor-znc/

Sources will be sorted/online when I get a few minutes, as it's all in my private repos right now.

grawity commented 6 years ago

> and fill in details as it prompts you

-subj "/CN=yournicknamehere" is all you need

> On OpenBSD the second command needs to changed from "sha1sum" to "sha1" because there is no "sha1sum" package/port.

Why not use openssl sha1, or in fact openssl x509 ... -noout -fingerprint -sha1?
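Putting the three threads together (the cert-generation and fingerprint steps in the opening post, ethieda's sha1sum/sha1 portability problem, and grawity's `-subj` and `openssl x509 -fingerprint` suggestions), here is an added example that is not from any of the commenters: it generates the CertFP certificate non-interactively and derives the fingerprint two ways using only `openssl(1)`, so the same commands work on Debian and OpenBSD, then checks that both methods agree before emitting the NickServ command. SHA-1 is used because that is what the post and the referenced freenode CertFP article use. The nickname is a placeholder and the temp-directory handling is this example's own.

```shell
#!/bin/sh
# Added example, not from the issue author or freenode: CertFP certificate
# generation and fingerprint extraction using openssl only, so it runs
# unchanged where sha1sum is missing (e.g. OpenBSD). Assumes openssl(1) on PATH.
set -eu

# Generate key + self-signed cert into one PEM file as the post does, but with
# -subj so there are no prompts (openssl req appends the cert to the key file
# when -out and -keyout name the same path).  $1 = output path, $2 = nickname.
certfp_generate() {
    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 1000 -nodes \
        -subj "/CN=$2" -out "$1" -keyout "$1" 2>/dev/null
    chmod 600 "$1"   # this key grants full NickServ access; keep it private
}

# Method A: SHA-1 over the DER encoding, hashed with openssl dgst instead of
# sha1sum. dgst prints "SHA1(stdin)= <hex>" or "(stdin)= <hex>" depending on
# the OpenSSL version, so take the last whitespace-separated field.
certfp_fingerprint_der() {   # $1 = PEM path
    openssl x509 -in "$1" -outform der | openssl dgst -sha1 | awk '{print $NF}'
}

# Method B: openssl's built-in fingerprint, printed as
# "SHA1 Fingerprint=AB:CD:..."; drop the label and colons, lowercase the hex
# so it matches what method A (and NickServ CERT LIST) show.
certfp_fingerprint_x509() {   # $1 = PEM path
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# A CertFP SHA-1 fingerprint is exactly 40 lowercase hex characters.
certfp_is_valid() {   # $1 = fingerprint
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# The command to paste into the IRC client, as in the original post.
certfp_nickserv_cmd() {   # $1 = PEM path
    printf '/msg NickServ CERT ADD %s\n' "$(certfp_fingerprint_der "$1")"
}

# Stand-alone run: build a throwaway cert for a placeholder nick, prove both
# fingerprint methods agree, and show the command to paste.
certfp_demo() {
    dir=$(mktemp -d)
    certfp_generate "$dir/freenode.pem" "yournicknamehere"
    a=$(certfp_fingerprint_der "$dir/freenode.pem")
    b=$(certfp_fingerprint_x509 "$dir/freenode.pem")
    if [ "$a" = "$b" ] && certfp_is_valid "$a"; then
        echo "fingerprint methods agree: $a"
        certfp_nickserv_cmd "$dir/freenode.pem"
    else
        echo "fingerprint mismatch: der=$a x509=$b" >&2
    fi
    rm -rf "$dir"
}
certfp_demo
```

Once the fingerprint is registered, the cheapest end-to-end check is ilbelkyr's: connect with the certificate loaded and run `/msg NickServ CERT LIST`; the entry shown should equal the output of either function above, which also proves the client is actually presenting the cert.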

christeld commented 6 years ago

@svbeon Agreed! Would you or @soakes like to make a PR to that effect? :)

soakes commented 6 years ago

By all means :) and adjust it to suit. The main reason why I did this originally was the lack of information (in one place) to build a successful config. I'm glad others have found it useful.