Last updated: March 15, 2026

To set up anonymous IRC over Tor, install the Tor daemon, configure your IRC client (like WeeChat or Irssi) to connect through SOCKS5 on localhost:9050, then connect to Tor-hidden IRC networks that operate as .onion services for near-complete anonymity. Standard IRC exposes your IP address to all network observers, while running IRC over Tor hides your IP and adds multiple layers of routing obfuscation, protecting you from traffic analysis and deanonymization.

Why Standard IRC Leaks Your Identity

Before looking at configuration, it helps to understand exactly what IRC exposes. When you connect to a standard IRC server, every person in every channel can see your hostmask. typically a string that includes your IP address or your ISP’s reverse DNS. Network operators and IRC staff see your full IP. Many IRC networks log connection data for months.

Even if you use a VPN, the VPN provider sees your traffic and can be compelled to hand over logs. Tor’s layered encryption with circuit rotation provides meaningfully stronger anonymity because no single node ever sees both who you are and what you’re sending.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Install and Configuring the Tor Daemon

The foundation of anonymous IRC is a properly configured Tor installation. On Linux, install the Tor daemon:

Debian/Ubuntu
sudo apt install tor

macOS
brew install tor

Verify Tor is running
tor --version

Configure Tor for IRC traffic by editing /etc/tor/torrc (Linux) or ~/Library/Application Support/Tor/torrc (macOS):

Enable SOCKS proxy on port 9050
SOCKSPort 9050

Optional - Control port for scripting
ControlPort 9051
CookieAuthentication 1

Exclude certain exits for IRC to improve connectivity
ExcludeExitNodes {us},{gb},{de},{fr}

Set circuit build timeout for IRC
CircuitBuildTimeout 10

Isolate streams by destination to prevent cross-connection correlation
SOCKSPort 9050 IsolateDestAddr IsolateDestPort

The IsolateDestAddr and IsolateDestPort flags are particularly important for IRC: they force Tor to use separate circuits for each destination, preventing a compromised server from correlating your connections to different IRC networks.

Restart Tor to apply changes:

sudo systemctl restart tor
or on macOS:
brew services restart tor

Verify the SOCKS proxy is listening:

netstat -an | grep 9050
Expected - tcp 0.0.0.0:9050 LISTEN

Step 2 - IRC Client Configuration

Several IRC clients support Tor natively. This guide focuses on three popular options: HexChat (GUI), WeeChat (terminal), and Irssi (terminal).

HexChat Configuration

HexChat provides a straightforward GUI for Tor connections:

  1. Open HexChat → Network List → Add a new network
  2. Set the server hostname to a Tor-based IRC network (e.g., irc6.oftc.net.onion)
  3. Navigate to the server and enable “Proxy” with these settings:
    • Proxy type: SOCKS5
    • Proxy host: 127.0.0.1
    • Proxy port: 9050

For OFTC, which maintains an official Tor hidden service:

Server settings
Server/Hostname - irc6.oftc.net.onion
Port - 6697
Use SSL - Yes
Proxy - 127.0.0.1:9050 (SOCKS5)

One critical HexChat setting - disable DNS lookups through the local resolver. If HexChat resolves hostnames before passing them to the SOCKS proxy, it leaks your DNS queries outside Tor. In the Network List, ensure “Use proxy for DNS lookups” is enabled, or better yet, always use .onion addresses that require no DNS resolution.

WeeChat Configuration

WeeChat is highly scriptable and works well for advanced users. Configure Tor support:

Add OFTC with Tor proxy
/server add oftc-tor irc6.oftc.net.onion/6697 -ssl
/set irc.server.oftc-tor.proxy "socks5://127.0.0.1:9050"
/set irc.server.oftc-tor.autoconnect on

Force WeeChat to resolve hostnames through the proxy (prevents DNS leaks)
/proxy add tor socks5 127.0.0.1 9050
/set irc.server.oftc-tor.proxy "tor"

/connect oftc-tor

Verify the connection shows a .onion address:

/server
Should show - oftc-tor [irc6.oftc.net.onion/6697] (connected)

Irssi Configuration

For minimal resource usage, configure Irssi with Tor. Irssi requires the proxy plugin:

Load the proxy plugin
/load proxy

Configure SOCKS5 proxy
/set proxy_host 127.0.0.1
/set proxy_port 9050
/set proxy_type socks5

Add network
/network add -socks_proxy 127.0.0.1 9050 oftc
/server add -net oftc -hostname irc6.oftc.net.onion -port 6697 -ssl
/connect oftc

Irssi’s configuration is stored in ~/.irssi/config. Back this file up securely. it contains your server list, and losing it means reconfiguring all your anonymous connections.

Step 3 - Connecting to Tor-Based IRC Networks

Several IRC networks operate Tor hidden services, providing inherent protection against IP-based attacks.

OFTC (Open and Free Technology Community)

OFTC hosts numerous Linux distribution and open-source project channels. It has operated a Tor hidden service for years and is considered one of the most reliable options:

WeeChat connection
/server add oftc irc6.oftc.net.onion/6697 -ssl
/set irc.server.oftc.proxy "socks5://127.0.0.1:9050"
/connect oftc

OFTC will assign your connection a cloak based on your Tor exit node, displaying something like ~user@tor-exit.example.net rather than your real IP. This is not a substitute for Tor. it is in addition to Tor’s own protections.

Libera.Chat Tor Access

Libera.Chat (the successor to Freenode) supports Tor connections through their hidden service at libera75jm6of4wxpxt4aynol3xjmbtxgfyjpu34ss4d7r7q2v5zrpyd.onion. Connect on port 6667 or 6697 (SSL). You must register a nickname with NickServ using SASL authentication over Tor to bypass the requirement for email verification.

IRCnet and Custom Server Connections

Many networks allow connections through Tor exits. Use caution. exit nodes can be monitored for unencrypted traffic. Always use SSL/TLS on port 6697 rather than plaintext port 6667, even when routing through Tor, to protect against malicious exit nodes.

Step 4 - Verify Anonymity

After connecting, verify your anonymity:

In WeeChat, check your hostmask
/whois yournick
The response should show the Tor exit node IP, not your real IP
yournick!~user@<random>.tor-exit.node.net

Check what IP the IRC server sees
/quote USERIP yournick

Test for DNS leaks with tcpdump on your local interface. You should see zero DNS queries when correctly proxied:

sudo tcpdump -i any -n port 53 &
Connect to IRC. any DNS traffic indicates a leak

Operational Security Best Practices

Running IRC over Tor requires additional operational practices beyond the technical setup.

Nickname Consistency and Compartmentalization

Avoid changing nicknames frequently. correlation attacks can link your identities. Choose a single pseudonym for all Tor-based IRC activity and never reuse it on non-Tor connections:

/set irc.server.default.nicks "your_persistent_nick"

Keep separate IRC personas completely isolated. use different machines or separate Tor instances on different ports for each identity.

TLS Certificate Pinning

Record server certificate fingerprints on first connection and configure your client to reject changes:

WeeChat - Display SSL certificate fingerprint
/set irc.server.oftc.tls_verify on
/set irc.server.oftc.tls_fingerprint "SHA256:xxxx..."
/save

Get the fingerprint on first connection:

openssl s_client -connect irc6.oftc.net.onion:6697 2>/dev/null | openssl x509 -fingerprint -sha256 -noout

Automatic Reconnection

Configure reliable reconnection to maintain anonymity during network disruptions:

/set irc.server.oftc.autoreconnect on
/set irc.server.oftc.autoreconnect_delay 30
/set irc.server.oftc.autoreconnect_delay_growing 2

Logging Considerations

Disable logging of sensitive channels, or encrypt logs at rest. Cleartext IRC logs stored on disk are a significant operational risk:

Disable all IRC logging
/set logger.level.irc 0

Or encrypt with GPG using a post-processing script
Pipe WeeChat log output through - gpg --symmetric --cipher-algo AES256

For Irssi, configure autolog with encryption:

~/.irssi/config
settings = {
  autolog = "no";
};

Troubleshooting Common Issues

Connection failures often stem from Tor circuit issues:

Check Tor circuit status
sudo -u debian-tor arm
or use nyx (the modern Tor monitor)
sudo apt install nyx && nyx

Force new circuits
sudo kill -HUP $(pidof tor)

Increase timeout in torrc if circuits take too long to build
CircuitBuildTimeout 30
LearnCircuitBuildTimeout 0

SSL certificate errors typically indicate Tor exit node issues or clock skew:

Verify system clock is accurate (Tor is sensitive to time drift)
timedatectl status
Sync if needed:
sudo ntpdate pool.ntp.org

If you see Connection refused when using .onion addresses, the hidden service may be temporarily unreachable. Wait a few minutes and try again. .onion services sometimes have brief interruptions as their introduction points rotate.

Advanced - Running Your Own Tor-Enabled IRC Server

For complete control and to eliminate exit node exposure entirely, run an IRC daemon with a Tor hidden service:

/etc/tor/torrc additions
HiddenServiceDir /var/lib/tor/irc_server/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 6697 127.0.0.1:6697

Configure InspIRCd (a modern IRC daemon) on the same host:

<!-- inspircd.conf excerpt -->
<bind address="127.0.0.1" port="6667" type="clients">
<bind address="127.0.0.1" port="6697" type="clients" ssl="gnutls">

<gnutls certfile="cert.pem" keyfile="key.pem" priority="SECURE256">

After starting both Tor and InspIRCd, the .onion address appears in /var/lib/tor/irc_server/hostname. Share this with trusted users. Because connections never leave the Tor network, there is no exit node to monitor. traffic stays end-to-end within Tor’s encrypted overlay.

Security Considerations

IRC over Tor provides strong anonymity but has limits. Correlation attacks by a global passive adversary watching large portions of Tor traffic are theoretically possible, though difficult. The most practical risks are:

Frequently Asked Questions

Can I use Tor Browser for IRC?

Tor Browser does not support IRC natively. You must use a standalone IRC client configured to use Tor’s SOCKS proxy. Some users run Tor Browser alongside a separate Tor daemon, but this is inefficient. a single Tor daemon serving both is the correct approach.

Will IRC operators know I’m using Tor?

Yes. Most networks recognize Tor exit node IP ranges and may assign a Tor-specific cloak or display a generic Tor exit hostname. Some networks ban Tor users entirely; others have dedicated Tor-accessible hidden services precisely to welcome privacy-conscious users.

Is IRC over Tor legal?

In nearly all jurisdictions, using Tor and IRC together is legal. The combination is used by journalists, security researchers, developers, and privacy advocates worldwide. Legal questions arise from what you say or do, not from the communications technology you use.

How does this compare to Matrix or XMPP over Tor?

Matrix (Element) and XMPP both support Tor routing and offer end-to-end encryption, which IRC lacks natively. For high-security communications, Signal or a properly configured XMPP client with OMEMO encryption is preferable. IRC over Tor is best suited for communities that already use IRC and want privacy improvements without switching platforms.

Related Articles

Built by theluckystrike. More at zovo.one