1. Introduction
Here, I show various options to use the AEREEnet IRC server with various IRC clients from beginner to expert level. For end-to-end encryption (E2EE) there are multiple options in terms of software and encryption algorithms, which are not compatible with each other. Therefore, users have to agree on which software and algorithm to use for end-to-end encryption.
IRC Server (Demo):
- Clearnet (Use Standard Browser!): https://aeree.net
- Darknet (Use Tor Browser!): yi5dvnkqev4gsbcy6wdaa4udhlqhsvcnq3nylxnjfratnlhpu7bz7aid.onion
Note: Long .onion addresses can be shortened with https://tinyurl.com (Clearnet, memorable custom URLs!) or https://anon.to (Darknet, anonymous URL deferrer, Use Tor Browser).
The following list contains all tutorials in the AEREEnet tutorial series:
- [Users, Tutorial] Igl, W. (2025). AEREEnet: Using a low-cost, light-weight, scalable, anonymous, secure social network – A Short Tutorial for IRC Users. https://biosphere.wilmarigl.de/en/?p=4776
- [Admins, Short tutorial] Igl, W. (2025). AEREEnet: Creating a low-cost, light-weight, scalable, anonymous, secure social network – A Short Tutorial for Admins. https://biosphere.wilmarigl.de/en/?p=4654
- [Admins, Complete Tutorial] Igl, W. (2025). AEREEnet: Creating a low-cost, light-weight, scalable, anonymous, secure social network – A Complete Tutorial for Admins. https://biosphere.wilmarigl.de/en/?p=4559
2. IRC clients for various experience levels
2.1 Beginner (Clearnet without End-To-End Encryption)
Here, I show the configuration of the TheLounge IRC web client. A demo of this web client is available at the clearnet and darknet addresses (see IRC Server Demo above) and does not require any additional configuration or installation. However, it also does not allow any advanced configuration beyond setting the various names. Therefore, a user only has to follow the link and click on the “Connect” button to join the AEREEnet network:
- Clearnet (Use Standard Browser!): https://aeree.net
- Darknet (Use Tor Browser!): yi5dvnkqev4gsbcy6wdaa4udhlqhsvcnq3nylxnjfratnlhpu7bz7aid.onion
Important! The TheLounge web client is an easy-access interface to AEREEnet, but it requires additional server resources per user compared with connecting to the IRC network with a locally installed IRC client. This means that while a small server with 2GB of memory may handle around 50,000 simultaneous users connected via local IRC clients on their laptops, the same server will only be able to handle about 1,000 simultaneous users connecting via the TheLounge client on the same server.
Figure 1: Configuring and Connecting the TheLounge Client to the IRC server
2.2 Advanced (Graphical UI, Clearnet/Darknet with End-To-End Encryption)
Here, I show the configuration of the HexChat IRC client to connect to an IRC server via the Tor network, using the Tor Browser, which runs in parallel, as a proxy server. HexChat is available for MS Windows, Linux, and MacOS (via MacPorts).
2.2.1 Clearnet
Figure 2a: Configuring and Connecting the HexChat Client to an IRC server via the Clearnet using standard browser on Linux Pop! OS
2.2.2 Darknet
Figure 2b: Configuring and Connecting the HexChat Client to an IRC server via the Tor network using the Tor Browser as a proxy on Linux Pop! OS
Important! Certificate Authorities (eg, Let’s Encrypt) do not issue CA-signed TLS/SSL certificates for “Darknet” Tor (.onion) addresses. Therefore, the admin of the AEREEnet server needs to create a self-signed TLS certificate to enable TLS/SSL encryption (on top of Tor encryption), which is, however, considered “invalid”/“untrusted” because the certificate issuer is unknown. IRC clients therefore need to be configured to accept “invalid”/“untrusted” TLS/SSL certificates. The encryption of the client-server connection will not be compromised by this; however, it highlights the issue that encryption may not be useful if you are connecting to an unknown server, ie, like sending a sealed letter to an unknown address. Therefore, you have to be sure that you are using the .onion address of the intended server.
2.2.3 End-to-End Encryption (E2EE)
To use end-to-end (E2E) encryption based on the FiSHLim plugin, one can join a group or private message channel and set a secret password, which should be shared securely via another method [22]:
If a user sets an E2E encryption key in a group channel, his messages will be encrypted and only readable by other users who have set the same E2E encryption key. Other users joining the same channel who have not set the E2E encryption key will see who is chatting, but the content of the messages of the users who have set the E2E encryption key will appear as a seemingly random letter code. Messages of users who have not set an E2E encryption key will not be end-to-end encrypted. For all users, the client-server connection will still be encrypted.
If a user sets an E2E encryption key in a private message, his messages will be encrypted and only readable by the other user if he has also set the same E2E encryption key. Other users cannot join the private message and cannot see who is chatting. This means a private message on an IRC network running as a hidden service in the Tor network will be anonymous and encrypted (client-server encryption via Tor and (!) end-to-end encryption via FiSHLim).
Example:
#MyIRCchannel>This is NO secret message!
#MyIRCchannel>/setkey yoursecretkey123
#MyIRCchannel>This is a secret message!
#MyIRCchannel>/delkey #MyIRCchannel
#MyIRCchannel>This is NO secret message!
Note: You can create a dummy user to join an encrypted channel without (!) setting the key to check whether other users see the plain text or the encrypted text.
2.3 Expert (Terminal UI, Clearnet/Darknet with End-To-End Encryption)
The steps to configure and connect a WEECHAT IRC client with the https://aeree.net server using Tor are conceptually the same as for HexChat, but text commands are used here (see also Tutorial [19]):
2.3.1 Linux OS
1. Start Tor Browser
2. Start weechat (in the terminal) and enter these commands:
#Option 1: CLEARNET
WEECHAT>/server add aereetls aeree.net/6697 -tls
WEECHAT>/connect aereetls
#Option 2: DARKNET
WEECHAT>/proxy add tor socks5 127.0.0.1 9150
WEECHAT>/server add aereetor yi5dvnkqev4gsbcy6wdaa4udhlqhsvcnq3nylxnjfratnlhpu7bz7aid.onion/6697 -tls
WEECHAT>/set irc.server.aereetor.proxy "tor"
WEECHAT>/set irc.server.aereetor.tls_verify off # alternative: /set irc.server.aereetor.ssl_verify off
WEECHAT>/save
WEECHAT>/connect aereetor
Figure 3: Connecting the WEECHAT Client to an IRC server via the Tor network using the Tor Browser as a proxy on Linux Pop! OS
Important! Certificate Authorities (eg, Let’s Encrypt) do not issue CA-signed TLS/SSL certificates for “Darknet” Tor (.onion) addresses. Therefore, the admin of the AEREEnet server needs to create a self-signed TLS certificate to enable TLS/SSL encryption (on top of Tor encryption), which is, however, considered “invalid”/“untrusted” because the certificate issuer is unknown. IRC clients therefore need to be configured to accept “invalid”/“untrusted” TLS/SSL certificates. The encryption of the client-server connection will not be compromised by this; however, it highlights the issue that encryption may not be useful if you are connecting to an unknown server, ie, like sending a sealed letter to an unknown address. Therefore, you have to be sure that you are using the .onion address of the intended server.
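A self-signed certificate can still be authenticated by pinning its fingerprint rather than accepting any certificate. The following is an added example, not part of the original tutorial: it computes the SHA-256 fingerprint of a certificate the admin has shared over a trusted channel, checks it against a pinned value, and builds the WeeChat `tls_fingerprint` setting for the `aereetor` server entry used above. The PEM body is a constructed placeholder and the function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# Constructed placeholder: the base64 body below is NOT a real certificate.
# It stands in for the PEM file the server admin shares over a trusted channel.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExFLUNFUlQh
-----END CERTIFICATE-----
"""

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()

def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:...' (openssl style) or plain hex; return lowercase hex."""
    cleaned = fingerprint.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned

def matches_pin(pem: str, pinned: str) -> bool:
    """True only if the certificate is the one whose fingerprint was shared."""
    return hmac.compare_digest(cert_fingerprint(pem), normalize(pinned))

def weechat_pin_commands(server: str, pem: str) -> list:
    """WeeChat commands that pin this certificate for the given server entry."""
    return [
        f"/set irc.server.{server}.tls_fingerprint {cert_fingerprint(pem)}",
        "/save",
    ]

if __name__ == "__main__":
    for line in weechat_pin_commands("aereetor", SAMPLE_PEM):
        print(line)
```

With a fingerprint set, WeeChat compares the presented certificate against it and skips the CA checks, so `tls_verify off` is not needed for that server; older WeeChat versions name the option `ssl_fingerprint`.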
To use end-to-end (E2E) encryption in WeeChat, the FiSH (fish.py) [16] or OpenPGP (ircrypt.py) [17] encryption can be used. For example, the FiSH algorithm can be used as follows, assuming that the password (optionally with an additional keyphrase) has been shared between users “AereeUsr1” and “AereeUsr2” via another medium, where the identity of both users was verified:
AereeUsr1:
# Installation of FiSH extension (fish.py)
WEECHAT/AereeUsr1/ServerWindow>/script enable # enable Weechat Scripts, alternative: /set script.scripts.download_enabled on
WEECHAT/AereeUsr1/ServerWindow>/script # shows plugin window, filter by entering fish.py, navigate with cursors to fish.py script, press ALT+"i" to install script
WEECHAT/AereeUsr1/ScriptWindow>/script install fish.py
WEECHAT/AereeUsr1/ServerWindow>/help blowkey # show help for blowkey commands
# Option 1 "Simple": Self-generated Password (Both users need to use the same password!)
WEECHAT/AereeUsr1/ServerWindow>/blowkey set AereeUsr2 VerySecretStrongPassword
WEECHAT/AereeUsr1/ServerWindow>/query AereeUsr2 # other user will see private message buffer after first message
# Option 2 "Advanced": Self-generated Password+Auto-generated Key (Both users need to use the same password+key!)
WEECHAT/AereeUsr1/ServerWindow>/blowkey genkey # auto-generate very long key, stored in separate file ~/.config/weechat/sec.conf
WEECHAT/AereeUsr1/ServerWindow>/secure # shows secure FiSH keys, press ALT+"v" to view key
WEECHAT/AereeUsr1/ServerWindow>/blowkey set AereeUsr2 VerySecretPassword+MYjQS/s148u/Aqy6r1oB9sI0WscdO/xTKSQ04fVxr.slWod1 # Connect password and key with "+" symbol!
WEECHAT/AereeUsr1/ServerWindow>/query AereeUsr2 # other user will see private message buffer after first message
AereeUsr2:
# Installation of FiSH extension (fish.py)
WEECHAT/AereeUsr2/ServerWindow> ... # see AereeUsr1 above
# Option 1 "Simple": Self-generated Password (Both users need to use the same password!)
WEECHAT/AereeUsr2/ServerWindow>/blowkey set AereeUsr1 VerySecretStrongPassword
# Option 2 "Advanced": Self-generated Password+Auto-generated Key (Both users need to use the same password+key!)
WEECHAT/AereeUsr2/ServerWindow>/blowkey set AereeUsr1 VerySecretPassword+MYjQS/s148u/Aqy6r1oB9sI0WscdO/xTKSQ04fVxr.slWod1 # Connect password and key with "+" symbol!
AereeUsr1 & AereeUsr2: Shared Private Message Channel
WEECHAT/AereeUsr1&2/MessageWindow>#Private Message Window will show " O< | Messages to/from this user are encrypted. "
WEECHAT/AereeUsr1&2/MessageWindow>... Encrypted Conversation ...
WEECHAT/AereeUsr1&2/MessageWindow>/close # End Conversation
The automatic exchange of keys with the “/blowkey exchange” command, without both users manually entering “/blowkey set <nickname> <password>”, is not recommended, because it assumes that the other user has a verified identity. However, the admin or another attacker with access to the server may interfere with a “Man-In-The-Middle” attack and impersonate the other user. Therefore, exchanging passwords/keys via a separate medium, where the identities of the communicating users and their nicknames are verified, is recommended! As explained above, security also requires verified identity to be sure – to use an analogy – that the sealed letter is sent to the right John Smith in London!
WEECHAT/AereeUsr1&2/MessageWindow>/blowkey exchange
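The following added example (not part of the original tutorial and not fish.py code) models why an automatic exchange relayed by the server needs confirmation over a separate medium. It assumes the exchange is an unauthenticated Diffie-Hellman exchange, uses a small constructed toy group, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for this example: 2**127 - 1 is prime. A real
# exchange uses a much larger prime; the logic is the same.
P = 2**127 - 1
G = 3

def public_value(secret: int) -> int:
    return pow(G, secret, P)

def derive_key(their_public: int, my_secret: int) -> bytes:
    """Hash the Diffie-Hellman shared secret into a 32-byte key."""
    shared = pow(their_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def key_fingerprint(key: bytes) -> str:
    """Short digest two users can read to each other over another medium."""
    return hashlib.sha256(b"fingerprint:" + key).hexdigest()[:16]

def exchange(secret_1: int, secret_2: int, relay_secret=None):
    """Return (key of user 1, key of user 2) after one exchange via the server.

    relay_secret=None models a server that forwards the public values
    unchanged; otherwise the server swaps in its own public value.
    """
    pub_1, pub_2 = public_value(secret_1), public_value(secret_2)
    if relay_secret is not None:
        pub_1 = pub_2 = public_value(relay_secret)
    return derive_key(pub_2, secret_1), derive_key(pub_1, secret_2)

def confirmed_out_of_band(key_1: bytes, key_2: bytes) -> bool:
    """The check the users perform over the separate, verified medium."""
    return key_fingerprint(key_1) == key_fingerprint(key_2)

if __name__ == "__main__":
    s1, s2, relay = (secrets.randbelow(P - 2) + 1 for _ in range(3))
    for label, r in (("honest server", None), ("interfering server", relay)):
        k1, k2 = exchange(s1, s2, r)
        print(label, key_fingerprint(k1), key_fingerprint(k2),
              "match" if confirmed_out_of_band(k1, k2) else "MISMATCH")
```

Inside the IRC session both users see an apparently working encrypted chat in either case; only the comparison over the separate medium reveals that their keys differ.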
Note: To become familiar with end-to-end encryption, I recommend creating a channel and joining with three users, eg, fishusr1, fishusr2, nofishusr3, and setting a passphrase for the channel. After fishusr1 and fishusr2 have set the passphrase, but not nofishusr3, fishusr1 and fishusr2 will be able to communicate, while nofishusr3 will only see encrypted text. This exercise is recommended to create a mental model (usability!) of how encryption works.
2.3.2 Windows 10/11 (WSL)
Weechat is available on Linux and via the Windows Subsystem for Linux (WSL) on Windows 10/11. [18]
1. Install Windows Subsystem for Linux (WSL)
Windows/Powershell> wsl --install # install Windows Subsystem for Linux (Default: Ubuntu)
Windows/Powershell> wsl # alternative: wsl -u root # start as root to install packages
Linux/WSL>passwd # set user password, store safely
Linux/WSL>pwd # check current working directory, default Windows Home (slower downloads)
Linux/WSL>cd ~ # change to home directory on Linux (faster downloads)
Linux/WSL>sudo apt update
Linux/WSL>sudo apt install weechat tor python3 python3-pip # Linux Packages
Linux/WSL>pip install pycryptodome # required for FiSH encryption
Linux/WSL>sudo nano torsocks.conf # change line
2. Configure WeeChat
Note: Set the following WEECHAT configs for the AEREEnet Darknet server (.onion) address (Note: Port 9050, not 9150 as for Tor Browser!):
#Option 1: CLEARNET
WEECHAT>/server add aereetls aeree.net/6697 -tls
WEECHAT>/connect aereetls
#Option 2: DARKNET
WEECHAT>/proxy add tor socks5 127.0.0.1 9050 # Note: Port 9050 for Tor system service, not 9150 as for Tor Browser!
WEECHAT>/server add aereetor yi5dvnkqev4gsbcy6wdaa4udhlqhsvcnq3nylxnjfratnlhpu7bz7aid.onion/6697 -tls
WEECHAT>/set irc.server.aereetor.proxy "tor"
WEECHAT>/set irc.server.aereetor.tls_verify off # alternative /set irc.server.aereetor.ssl_verify off for older Weechat versions
WEECHAT>/save
WEECHAT>/connect aereetor
2.3.3 Android OS
Weechat is available on Android-based Smartphones via the Linux Terminal emulator app “Termux” and the Tor proxy app “Orbot”:
1. Install “Orbot” App
2. Configure “Orbot” App
- Go to “… More” > Settings > General > Tick “Power User Mode”
Note: This will show the default SOCKS port (9050) and HTTP port (8118) used to connect to the Tor Network.
- Optional: Go to “… More” > Settings > Debug > Tor Socks
Note: Default port is 9050. Set the port to 9150 as for the Tor Browser, so you can use exactly the same configuration settings as in section 2.3.1.
3. Press “Connect” button to connect “Orbot” App with Tor network
4. Install “Hacker’s Keyboard” App
Note: This app makes it easier to access special keys (CTRL, ALT, TAB) on the smartphone touch keyboard.
5. Install “Termux” App
6. Configure “Termux” App
TERMUX>pkg upgrade # update package repository
TERMUX>pkg install python # install python to use python scripts in weechat
TERMUX>pkg install weechat-python-plugin # allow using python scripts in weechat
TERMUX>pip install pycryptodome # needed to use FiSH encryption in weechat
TERMUX>pkg install weechat # installs weechat
TERMUX>weechat # starts weechat
Note: The command “termux-setup-storage” will give the termux app complete access to the phone storage, if needed. However, it is not recommended as default.
7. Configure Weechat App (same as in section 2.3.1)
#Option 1: CLEARNET
WEECHAT>/server add aereetls aeree.net/6697 -tls
WEECHAT>/connect aereetls
#Option 2: DARKNET
WEECHAT>/proxy add tor socks5 127.0.0.1 9150
WEECHAT>/server add aereetor yi5dvnkqev4gsbcy6wdaa4udhlqhsvcnq3nylxnjfratnlhpu7bz7aid.onion/6697 -tls
WEECHAT>/set irc.server.aereetor.proxy "tor"
WEECHAT>/set irc.server.aereetor.tls_verify off # alternative /set irc.server.aereetor.ssl_verify off
WEECHAT>/save
WEECHAT>/connect aereetor
References
[1] https://en.wikipedia.org/wiki/IRC
[2] https://en.wikipedia.org/wiki/Docker_(software)
[3] https://en.wikipedia.org/wiki/Tor_(network)
[4] https://en.wikipedia.org/wiki/Transport_Layer_Security
[5] https://en.wikipedia.org/wiki/End-to-end_encryption
[6] https://caddyserver.com
[7] https://ergo.chat
[8] https://thelounge.chat
[9] https://github.com/leplusorg/docker-tor
[10] https://hexchat.github.io
[11] https://weechat.org
[12] Prompt “Assume a server with 2GB of memory and a bandwidth of 150Mbit/second, which runs a minimal Linux operating System, such as Alpine Linux, an IRC server, eg ERGO chat, and an IRC web client, eg TheLounge. All connections use TLS encryption. Questions: 1) How much memory is available for handling Internet Relay Chat (IRC) traffic, if the web client is not used by any users? How many IRC users can simultaneously be active on such a server? 2) How much memory is available for handling Internet Relay Chat (IRC) traffic, if the web client is used by all users? How many IRC users can simultaneously be active on such a server?”, Retrieved 2025-01-28 from https://chatgpt.com.
[13] https://www.gnu.org/licenses/gpl-3.0.en.html
[14] Prompt “Have rendezvous points for hidden services in the Tor network been corrupted since the beginning of the Tor network risking user privacy?”, Retrieved 2015-02-02, from https://chatgpt.com
[15] Igl, W. (2025). Estimation of capacity for IRC users of an IRC server based on memory usage and bandwith using ChatGPT. https://biosphere.wilmarigl.de/en/?p=4705
[16] https://en.wikipedia.org/wiki/Fish_(cryptography)
[17] https://en.wikipedia.org/wiki/Pretty_Good_Privacy
[18] https://learn.microsoft.com/en-us/windows/wsl/install
[19] https://www.otakubox.de/irc/connect/tor/