IRC servers happily share our IP address with other users on the server. To retain a bit of privacy we can tunnel IRC through SSH, thus only exposing the IP address of the machine running the SSH daemon.
The setup is depicted in the following diagram. We have an SSH tunnel from a PC to a Virtual Private Server (VPS) running an SSH daemon. The SSH daemon forwards traffic coming through the tunnel to the IRC server over a regular connection. From the point of view of the IRC server, the incoming connection originates from the VPS - it cannot tell that the connection is being forwarded from an SSH tunnel.
In this post I'm going to assume you already have access to a VPS (or some other remote system) running the OpenSSH daemon on port 22, henceforth known as ssh-host.
I'm also going to assume that the OpenSSH client is installed on your PC. It comes pre-installed on pretty much any Linux distribution.
Open a secure SSH tunnel from localhost:6667 to ssh-host:22 where the SSH daemon is running:
$ ssh -L localhost:6667:<irc-host>:6667 <user>@<ssh-host> -N -v
Replace <user> with your Linux user account on the ssh-host and replace <ssh-host> with the actual host name. The SSH daemon on ssh-host will connect any traffic coming through the secure tunnel to <irc-host> on port 6667. Replace <irc-host> with the actual IRC server. For instance, if you want the SSH daemon to connect you to irc.freenode.net:6667, then the command is:
$ ssh -L localhost:6667:irc.freenode.net:6667 <user>@<ssh-host> -N -v
Configure the IRC client to connect to the secure SSH tunnel on localhost:6667 rather than directly to irc.freenode.net. The following screenshot shows the configuration panel of the Pidgin IRC client.
That's it really, but if it bothers you that the connection from the VPS to the IRC server is unencrypted, then keep reading.
The SSH tunnel encrypts the first leg of the IRC connection from the PC to the remote SSH host. The last leg of the connection can be encrypted with TLS as supported by most IRC servers these days.
The setup now looks like this:
First close the currently open SSH tunnel:
$ ps ax | grep ssh
29462 pts/2 S 0:00 ssh -L localhost:6667:irc.freenode.net:6667 ...
$ kill -9 29462
Finding the process ID of SSH and then killing the process using the ID is a little cumbersome. We will create a script to automate opening and closing the SSH tunnel in the last section of the post.
Change the SSH tunnel to connect to IRC on port 6697 instead of 6667:
$ ssh -L localhost:6697:irc.freenode.net:6697 <user>@<ssh-host> -N -v
Notice we also changed the local port of the SSH tunnel to 6697 so as to mirror the port of the IRC server. The local port could be any random port really; it's just easier to remember which port to connect the IRC client to this way.
Next configure the client to connect to port 6697 on localhost and enable TLS. The following screenshot is from the configuration of the Pidgin IRC client, which still names the secure socket option "SSL", although it uses TLS when enabled.
Create a script named open-tunnel.sh in the home folder:
$ vim ~/open-tunnel.sh
Enter insert mode by pressing i. Then paste this content to the file:
#!/bin/bash
ssh -L localhost:6697:irc.freenode.net:6697 <user>@<ssh-host> -N -v &
echo $! > ~/tunnel.pid
Insert your actual <user> and <ssh-host> above. Then save and quit by pressing ESC and typing :wq.
Make the script runnable:
$ chmod u+x ~/open-tunnel.sh
Create a script named close-tunnel.sh in the home folder:
$ vim ~/close-tunnel.sh
Enter insert mode by pressing i. Then paste the following content to the file:
#!/bin/bash
if [ -e ~/tunnel.pid ]
then
    kill `cat ~/tunnel.pid`
    rm ~/tunnel.pid
fi
Save and quit by pressing ESC and typing :wq.
Make the script runnable:
$ chmod u+x ~/close-tunnel.sh
To open the SSH tunnel run this command in the home folder:
$ ./open-tunnel.sh
You can now connect the IRC client through the SSH tunnel.
To close the SSH tunnel run this command:
$ ./close-tunnel.sh
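An alternative to the PID-file scripts above, added here as an example and not part of the original post: the same tunnel managed through an OpenSSH control socket, so closing it does not depend on a stored process ID, and opening it fails outright if the local forward cannot be bound. The host values, the control socket path and the function names are placeholders chosen for this example.

```bash
#!/bin/bash
# Added example: manage the IRC tunnel through an OpenSSH control socket
# instead of a PID file. All values below are placeholders (assumptions).
SSH_HOST="${SSH_HOST:-user@ssh-host}"        # your account on the VPS
IRC_HOST="${IRC_HOST:-irc.freenode.net}"     # IRC server used in the post
PORT="${PORT:-6697}"                         # TLS port, mirrored locally
CTL="${CTL:-$HOME/.ssh/irc-tunnel.ctl}"      # control socket (hypothetical path)

tunnel_status() {
    # -O check asks the master behind the control socket whether it is alive.
    ssh -S "$CTL" -O check "$SSH_HOST" >/dev/null 2>&1
}

tunnel_open() {
    if tunnel_status; then
        echo "tunnel already open" >&2
        return 0
    fi
    # -f     go to the background only after authentication has succeeded
    # -N     no remote command, port forwarding only
    # -M -S  run as master and listen on the control socket
    # ExitOnForwardFailure: abort if localhost:$PORT cannot be bound, rather
    #        than leaving an SSH session up with no forward in place
    # The explicit "localhost" bind address keeps the listener on loopback.
    ssh -f -N -M -S "$CTL" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "localhost:${PORT}:${IRC_HOST}:${PORT}" "$SSH_HOST"
}

tunnel_close() {
    # -O exit tells the master to shut down; it removes the socket itself.
    ssh -S "$CTL" -O exit "$SSH_HOST"
}

tunnel() {
    case "$1" in
        open)   tunnel_open ;;
        close)  tunnel_close ;;
        status) tunnel_status && echo "open" || echo "closed" ;;
        *)      echo "usage: tunnel open|close|status" >&2; return 2 ;;
    esac
}

# When run as a script: ./irc-tunnel.sh open|close|status
if [ $# -gt 0 ]; then tunnel "$@"; fi
```

Save it under a name of your choice (irc-tunnel.sh is assumed here), make it runnable with chmod u+x, and call it with open, close or status.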