IRC servers happily share our IP address with other users on the server. To retain a bit of privacy we can tunnel IRC though SSH, thus only exposing the IP address of the machine running the SSH daemon.
The setup is depicted in the following diagram. We have a SSH tunnel from a PC to a Virtual Private Server (VPS) running a SSH daemon. The SSH daemon forwards traffic coming through the tunnel to the IRC server over a regular connection. From the point of view of the IRC server, the incoming connection originates from the VPS - it cannot tell that the connection is being forwarded from a SSH tunnel.
In this post I'm going to assume you already have access to a VPS (or some other remote system) running the OpenSSH daemon on port 22 henceforth known as ssh-host.
I'm also going to assume that the OpenSSH client is installed on your PC. It comes pre-installed on pretty much any Linux distribution.
Open a secure SSH tunnel from localhost:6667 to ssh-host:22 where the SSH daemon is running:
$ ssh -L localhost:6667:<irc-host>:6667 <user>@<ssh-host> -N -v
Replace <user> with your Linux user account on the ssh-host and replace <ssh-host> with the actual host name. The SSH daemon on ssh-host will connect any traffic coming through the secure tunnel to <irc-host> on port 6667. Replace the <irc-host> with the actual IRC server. For instance if you want the SSH daemon to connect you to irc.freenode.net:6667 then the command is:
$ ssh -L localhost:6667:irc.freenode.net:6667 <user>@<ssh-host> -N -v
Configure the IRC client to connect to the secure SSH tunnel on localhost:6667 rather than directly to irc.freenode.net. The following screenshot shows the configuration panel of the Pidgin IRC client.
Thats it really, but if it bothers you that the connection from the VPS to the IRC server is un-encrypted then keep reading.
The SSH tunnel encrypts the first leg of the IRC connection from the PC to the remote SSH host. The last leg of the connection can be encrypted with TLS as supported by most IRC servers these days.
The setup now looks like this:
First close the currently open SSH tunnel:
$ ps ax | grep ssh
29462 pts/2 S 0:00 ssh -L localhost:6667:irc.freenode.net:6667 ...
$ kill -9 29462
Finding the process ID of SSH and then killing the process using the ID is a little cumbersome. We will create a script to automate open and close of the SSH tunnel in the last section of the post.
Change the SSH tunnel to connect to IRC on port 6697 instead of 6667:
$ ssh -L localhost:6697:irc.freenode.net:6697 <user>@<ssh-host> -N -v
Notice we also changed the local port of the SSH tunnel to 6697 as to mirror the port of the IRC server. The local port could be any random port really, it's just easier to remember which port to connect the IRC client to this way.
Next configure the client to connect to port 6697 on localhost and enable TLS. The following screenshot is from the configuration of the Pidgin IRC client, that still names the secure socket option "SSL", although it uses TLS when enabled.
Create a script named open-tunnel.sh in the home folder:
$ vim ~/open-tunnel.sh
Enter insert mode by pressing i. Then paste this content to the file:
#!/bin/bash ssh -L localhost:6697:irc.freenode.net:6697 <user>@<ssh-host> -N -v & echo $! > ~/tunnel.pid
Insert your actual <user> and <ssh-host> above. Then save and quit by pressing ESC and typing :wq.
Make the script runnable:
$ chmod u+x ~/open-tunnel.sh
Create a script named close-tunnel.sh in the home folder:
$ vim ~/close-tunnel.sh
Enter insert mode by pressing i. Then paste the following content to the file:
#!/bin/bash if [ -e ~/tunnel.pid ] then kill `cat ~/tunnel.pid` rm ~/tunnel.pid fi
Save and quit by pressing ESC and typing :wq.
Make the script runnable:
$ chmod u+x ~/close-tunnel.sh
To open the SSH tunnel run this command in the home folder:
You can now connect the IRC client through the SSH tunnel.
To close the SSH tunnel run this command: