How to setup ngircd on Debian with SSL (TOR in bonus)

This is a follow up to my latest post about Inspircd, which is another IRC server daemon. I prefer Ngircd because it’s lighter and easier to configure than inspircd.

So let’s start.

Step 1: Building ngircd

Here we’re also going to build the thing from source, because why not? So let’s install the dependencies we’re going to need both for the build and SSL.

sudo apt install letsencrypt gnutls-build autoconf automake build-essential git

Now let’s download the source code:

git clone
cd ngircd/

And now let’s build it:

./configure --with-gnutls
sudo make install

Step 2: Generating and copying the SSL files

Let’s first generate the trusteed Letsencrypt certificate using certbot (included in the letsencrypt package installed earlier. Of course, don’t forget to change YOUR.DOMAIN.TLD into your real domain. Also make sure the DNS of the domain is linked to your server and that the the ports 80, 443, 6667 and 6697 are open.

sudo systemctl stop nginx
sudo certbot certonly --standalone -d YOUR.DOMAIN.TLD
sudo systemctl start nginx

Now let’s move those files to the current directory (ngircd), as well as generating the dhparams.pem file.

sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/fullchain.pem cert.pem
sudo cp /etc/letsencrypt/live/YOUR.DOMAIN.TLD/privkey.pem key.pem
certtool  --generate-dh-params --bits 4096 --outfile dhparams.pem

Because the Let’s Encrypt certificates have been generated by root, you have to make them readable by the current user:

sudo chown $USER:$USER *.pem

Step 3: Configuring

Now let’s copy and edit the configuration file

cp doc/sample-ngircd.conf.tmpl ngircd.conf
nano ngircd.conf

In that file uncomment the line about the ports 6667 (to enable plaintext and tor connections) as well as the SSL part, which you can replace by the following snippet:

    CertFile = cert.pem
    CipherList = SECURE128:-VERS-SSL3.0
    DHFile = dhparams.pem
    KeyFile = key.pem
    Ports = 6697, 9999

Step 4: Running ngircd

Now that the basic configuration is setup, you can launch ngircd. Let’s just make a test run first to see if it launches:

ngircd -f ngircd.conf -n

If everything is working and you can connect to your server, press CTRL+C and launch the following command to launch the daemon for good:

ngircd -f ngircd.conf

Step 5: Routing the traffic through TOR (optional)

If you want an extra layer of anonymity you can also use TOR to root the traffic. This is also something you can do with any IRCd, but it’s really easy to do:

Just install tor, add a new hidden service in the config file, reload and get the onion link:

sudo apt install tor
sudo echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
sudo echo "HiddenServicePort 6667" >> /etc/tor/torrc
sudo systemctl restart tor
sudo cat /var/lib/tor/hidden_service/hostname

Connecting to the server using weechat for plaintext, SSL and TOR

Not all clients can use TOR out of the box in their config file. So I am only going to leave the commands for Weechat:

sudo apt install tor weechat
/proxy add tor socks5 9050
/server add SERVER-NAME ONION-LINK 6667
/set irc.server.SERVER-NAME.proxy "tor"
/connect SERVER-NAME

To connect via SSL (for most users) through weechat:

/server add SERVER-NAME HOSTNAME 6697 -ssl
/connect SERVER-NAME

To connect via unencrypted plaintext (NOT RECOMMENDED) through weechat:

/server add SERVER-NAME HOSTNAME 6667
/connect SERVER-NAME


I’ll soon make a post about how to setup kiwiirc because I know Weechat is not all user’s cup of tea and kiwiirc is really really easy to use (just click on the button).

Please tell me if you have any problem following this guide by asking me the questions on #SnowCodeBlog on Libera.