Running Tor Onion service with UnrealIRCd

This guide shows you how to set up UnrealIRCd and Tor so that your IRC server gets a .onion address and can be used as a hidden service / Onion Service. It puts the Tor users on their own IP address (127.0.0.2) and disables some ban checks. Then we set up Tor as a hidden service, with the correct settings for UnrealIRCd. Finally, it shows you how to limit Tor access to users with a services account (optional).

Configure UnrealIRCd
By default, if you run an onion service, Tor will connect to the IRCd at 127.0.0.1 using IP 127.0.0.1. This is not what we want, because then you cannot separate Tor traffic from other traffic. It even makes Tor users unbannable, which is bad. So instead of connecting Tor over 127.0.0.1, we will create a listen block so Tor can connect to UnrealIRCd over a socket file.

Add this to your unrealircd.conf file:

    listen {
        file "/tmp/tor_ircd.socket";
        mode 0777;
        spoof-ip 127.0.0.2;
        options { tls; }
    }

    /* Some ban checking should be turned off, otherwise all Tor
     * users could be banned by one user misbehaving.
     *
     * This also sets maxperip to unlimited. The alternative is to remove
     * 'maxperip' here and either change the generic allow block to allow
     * more users, or add a specific allow block specially for 127.0.0.2
     * with its own limit in allow::maxperip, so you can set a hard
     * limit on Tor users (eg: 100) instead of 'unlimited'.
     */
    except ban {
        mask { ip 127.0.0.2; }
        type { blacklist; connect-flood; maxperip; handshake-data-flood; }
    }

And then REHASH.

This will make any client that connects to /tmp/tor_ircd.socket come up with an IP of 127.0.0.2 and exempt them from some ban checking.

Install Tor
This is explained in https://support.torproject.org/apt/tor-deb-repo/ but in short, if you run Ubuntu/Debian, then:
 * 1) Add the repository, see https://support.torproject.org/apt/tor-deb-repo/
 * 2) Then

Configure Tor
Open your Tor configuration file (torrc) and add at the bottom of the file:

    HiddenServiceDir /var/lib/tor/ircd
    HiddenServicePort 6697 unix:/tmp/tor_ircd.socket

Restart Tor:

    systemctl restart tor.service
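
A consistency check for the two files configured so far, as an added example (not part of the original guide or of UnrealIRCd): it confirms that every HiddenServicePort in torrc targets a unix: socket that a listen block serves with a spoof-ip other than 127.0.0.1 and a matching except ban mask. The audit function, its regular-expression matching and the sample strings are constructed for illustration; it is not a full parser for either file format.

```python
import re

# Constructed sample inputs, modelled on the snippets in this guide.
IRCD_CONF = '''
listen { file "/tmp/tor_ircd.socket"; mode 0777; spoof-ip 127.0.0.2; options { tls; } }
/* ban checks that must not apply to the shared Tor address */
except ban { mask { ip 127.0.0.2; } type { blacklist; connect-flood; maxperip; } }
'''
GOOD_TORRC = '''
HiddenServiceDir /var/lib/tor/ircd
HiddenServicePort 6697 unix:/tmp/tor_ircd.socket
'''
WEAK_TORRC = GOOD_TORRC.replace('unix:/tmp/tor_ircd.socket', '127.0.0.1:6697')

# A listen block body, allowing one level of nested braces (options { ... }).
LISTEN_RE = re.compile(r'\blisten\s*\{((?:[^{}]|\{[^{}]*\})*)\}')
PORT_RE = re.compile(r'^[ \t]*HiddenServicePort[ \t]+(\d+)(?:[ \t]+(\S+))?', re.M | re.I)

def audit(torrc, ircd_conf):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    # Drop /* ... */ comments and whole-line # or // comments before matching.
    conf = re.sub(r'/\*.*?\*/|^[ \t]*(?:#|//)[^\n]*', '', ircd_conf, flags=re.S | re.M)
    spoof = {}  # socket path -> spoof-ip (None when the listen block sets none)
    for body in LISTEN_RE.findall(conf):
        path = re.search(r'\bfile\s+"?([^";\s]+)"?\s*;', body)
        ip = re.search(r'\bspoof-ip\s+([^;\s]+)\s*;', body)
        if path:
            spoof[path.group(1)] = ip.group(1) if ip else None
    for port, target in PORT_RE.findall(torrc):
        if not target.startswith('unix:'):
            # No target, a bare port or addr:port is a TCP connection, not the socket.
            findings.append(f'port {port}: TCP target instead of unix: socket')
            continue
        sock = target[len('unix:'):]
        ip = spoof.get(sock)
        if sock not in spoof:
            findings.append(f'port {port}: no listen block for {sock}')
        elif ip in (None, '127.0.0.1'):
            findings.append(f'port {port}: {sock} has no distinct spoof-ip')
        elif not re.search(r'except\s+ban\s*\{[^}]*\bip\s+' + re.escape(ip) + r'\s*;', conf):
            findings.append(f'port {port}: no except ban block for {ip}')
    return findings

if __name__ == '__main__':
    for name, torrc in (('good', GOOD_TORRC), ('weak', WEAK_TORRC)):
        print(name, audit(torrc, IRCD_CONF) or 'ok')
```

To check a real deployment, pass the contents of your own torrc and unrealircd.conf to audit() instead of the sample strings.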

Get your onion address
Grab your .onion address:

    cat /var/lib/tor/ircd/hostname

Decide on your server name
Is this server going to accept connections from both the Internet and from Tor? Then it is not really a "hidden" service, and you may want to go for Option 2: keep your normal server name.

Is the server going to ONLY accept connections from Tor and not from the regular Internet? Then see Option 1: set your server name as .onion

Option 1: set your server name as .onion
Do you really want to run as a hidden service? That is, you want to hide the name of your server, not reveal its location, and it should only be reachable over Tor? Then your .onion address is the me::name that you want to use in UnrealIRCd.

Update the Me block in your unrealircd.conf, like:

    me {
        name xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion;
        --etc--

When you change the Me block you will have to restart the server. A rehash is not enough!

Option 2: keep your normal server name
If you don't want to run a "hidden" service and your server is reachable both from the Internet and Tor, then you could also keep your me::name as normal (eg: irc1.example.net) and tell your users to edit their torrc file and add something like:

    # torrc entry for irc1.example.net
    MapAddress irc1.example.net xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion

And then tell your users to connect to irc1.example.net. This is what Libera does, for instance. A benefit of this is that you can use regular internet-issued valid TLS certificates.

Let users connect via Tor
People should now be able to connect to your Onion server. Depending on the choice you made above, users either need to connect to your .onion address directly (if you went for option 1), or to a name like irc1.example.net, which maps to your onion address with the help of MapAddress (if you went for option 2).

TLS
If you went for option 1 (users connect directly to your .onion), then here are some pointers:
 * Get a TLS certificate for your onion site - The Tor Project
 * A specific guide someone wrote when using the HARICA CA

If you went for option 2 (with MapAddress) then you can use general internet-issued certificates, and can follow the Let's Encrypt with UnrealIRCd guide.

Optional: require authentication
Since people are anonymous on Tor, there may be more abuse than usual. You may optionally require all Tor users to have a services account and use SASL.

To do so, add this to your unrealircd.conf:

    require authentication {
        mask *@127.0.0.2;
        reason "Tor users need to authenticate to their services account using SASL";
    };