InspIRCd IRC Server With TLS

Posted on In Views: Disqus:

InspIRCd IRC Server With TLS

This note records a minimal InspIRCd configuration for running a small IRC server with TLS support. The example exposes a plain client port on 6667 and a TLS client port on 6697.

The TLS setup uses the ssl_gnutls module and certificate files stored under /etc/inspircd/cert/.

Requirements

Install InspIRCd and make sure the GnuTLS SSL module is available:

1
sudo pacman -S inspircd

On Debian/Ubuntu-style systems, the package name may differ:

1
sudo apt install inspircd

You also need a certificate and private key. For a public domain, use Let's Encrypt or another ACME client. The config below expects:

1
2
/etc/inspircd/cert/fullchain.pem
/etc/inspircd/cert/privkey.pem

TLS Configuration

Add or adapt the following server, module, TLS profile, bind, admin, class, type, and oper blocks in your InspIRCd config.

Do not publish a real oper password. Generate a strong password or use InspIRCd's password hashing support if available in your setup.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<server
  name="irc.example.com"
  description="Example IRC Server"
  network="ExampleNet"
>

<module name="ssl_gnutls">

<sslprofile
  name="DefaultTLS"
  provider="gnutls"
  certfile="/etc/inspircd/cert/fullchain.pem"
  keyfile="/etc/inspircd/cert/privkey.pem"
>

<bind address="" port="6667" type="clients">
<bind address="" port="6697" type="clients" ssl="DefaultTLS">

<admin
  name="Example Admin"
  nick="ExampleAdmin"
  email="admin@example.com"
>

<class name="Class" commands="*" privs="*">
<type name="NetAdmin" classes="Class" modes="+s +c">

<oper
  name="admin"
  password="REPLACE_WITH_A_STRONG_PASSWORD_OR_HASH"
  host="*@*"
  type="NetAdmin"
>
</oper>

</type>
</class>
</admin>
</bind>
</bind>
</sslprofile>
</module>
</server>

Check The Config

Before restarting the service, run InspIRCd's config test if your package provides it:

1
sudo inspircd --configtest

If your package uses a different wrapper, check the service logs after restart:

1
2
3
sudo systemctl restart inspircd
sudo systemctl status inspircd
journalctl -u inspircd -e

Connect

Plain IRC:

1
2
3
server: irc.example.com
port: 6667
TLS: off

TLS IRC:

1
2
3
server: irc.example.com
port: 6697
TLS: on

With WeeChat:

1
2
/server add examplenet irc.example.com/6697 -ssl
/connect examplenet

With irssi:

1
/connect -ssl irc.example.com 6697

Oper Login

After connecting as a normal user, authenticate as an IRC operator:

1
/OPER admin <password>

If login succeeds, the user receives the privileges from the configured NetAdmin type.

Notes

  • Use port 6697 for TLS clients. This is the common IRC-over-TLS port.
  • Keep 6667 only if you intentionally want to allow plaintext clients.
  • Restrict host="*@*" for real deployments. A narrower host mask is safer.
  • Avoid committing real passwords into blog posts, git repositories, or public config examples.
  • Prefer hashed oper passwords if your InspIRCd version and modules support them.