Ergo IRC Guide

• Part 1: Setting the Scene
• Part 2: Establishing the Server
• Part 3: Testing the Server
• Part 4: Getting Your Server Online
• Pi-Roject: Ergo IRC (Hello World)
• IRC Privacy Guide

Introduction

This is a guide to IRC, known in full as the Internet Relay Chat. IRC predates the World Wide Web and has been around since 1988, making it one of the oldest chat protocols still in use today. For this guide I am exploring the Ergo IRC server (also called an IRC daemon or IRCd), for the Dell-shaped prison I call Windows 11.

This page serves as my personal guide for all things IRC, as well as for any of you who want to join me.

Part 1: Setting the Scene

Step 1: Downloading your Daemon

1. Go to: https://github.com/ergochat/ergo/releases/latest
   Under "Assets", download the Windows build. It will be named something like: ergo-2.17.0-windows-x86_64.zip

2. Extract the ZIP into your folder of choice.

3. Ergo ships with a default config called default.yaml. A YAML file is an easy-to-read configuration format used in various programs. You need to copy this file and name it ircd.yaml. Leave default.yaml alone, it is there as a guide in case you get stuck with the formatting. YAML files can be quite picky; even one mis-spacing is enough to throw things off.

Part 2: Establishing the Server

Step 1: Creating an Operator Account

1. Open PowerShell in your Ergo folder and run: ./ergo.exe genpasswd

2. It will ask you to create a password, which it will then ask you to confirm. Both entries must match, though this is complicated by the fact that terminals do not show passwords. Make sure it is strong, but not too much of a pain to type.

3. Once you have confirmed your password, you will be given a long hash starting with $2a$. Hold onto this hash and treat it like you would any other password.

4. Open your ircd.yaml file in your plaintext editor of choice, preferably Notepad.

5. Using your program's find-tools, look for the opers block. The oper is named "admin" by default. Find the line: password: "PASTE_YOUR_HASH_HERE"

6. Replace PASTE_YOUR_HASH_HERE with the hash you just generated, keeping the quotes.

You now have a password for your IRC server. You can change it any time by repeating the process above.

Step 3: Changing the Firewalls

1. Open PowerShell as Administrator, otherwise it will not let you do this step.

2. Copy-paste these commands into the terminal:

   New-NetFirewallRule -DisplayName "IRC 6667"
     -Direction Inbound -Protocol TCP
     -LocalPort 6667 -Action Allow
     -Profile Any -Enabled True
   
   New-NetFirewallRule -DisplayName "IRC 6697"
     -Direction Inbound -Protocol TCP
     -LocalPort 6697 -Action Allow
     -Profile Any -Enabled True

3. Set your Wi-Fi network to Private by running:

   Set-NetConnectionProfile
     -InterfaceAlias "Wi-Fi"
     -NetworkCategory Private

   This is important: if Windows thinks you are on a Public network, it will block incoming connections even with firewall rules in place.

4. To check your network's firewall profile, run: Get-NetConnectionProfile

Part 3: Testing the Server

To use an IRC server, you need a client. This guide will be using HexChat, a free and widely-used IRC client for Windows. Note that HexChat is no longer actively maintained, but it is perfectly safe and has plenty of forks. If you would rather use a different client, the general steps are roughly the same.

Step 1: Installing HexChat

1. Download HexChat from https://hexchat.github.io and run the installer. The defaults are fine.

2. On every launch, HexChat will show a Network List. Fill in a nickname at the top, then click Add to create a new network entry. Name it whatever you like, e.g. My IRC Server.

3. Click Edit on your new network.

4. Under the Servers tab, remove the placeholder entry and add your server address. Since you are only connecting locally for now, use your machine's local IP followed by port 6697. If you do not know your IP address, run ipconfig in PowerShell and look for the IPv4 Address in the Wi-Fi section.

Step 3: Connecting with HexChat

1. With Ergo running, go back to HexChat and click Connect. You will be met with Ergo's default Message-Of-The-Day and the chat interface itself.

2. Type /join #general (or any channel name you like) in the text box and press Enter. If the channel does not exist yet, Ergo will create it on the spot.

3. You can join multiple channels at once, just repeat the /join command. Each channel will open as a new tab in HexChat, just like a web browser.

Your server is now working on a basic LAN connection. Anyone on your local network can connect the same way you just did. If you are only using IRC for immediate friends, family or roommates, you can theoretically stop here. However, you will not be able to connect your server to any web-based clients, which we will be going over in Part 4.

Step 1: Setting up No-IP Dynamic DNS

This gives your server a stable hostname (e.g. yourserver.ddns.net) regardless of changes your home IP address might experience. WinACME needs this hostname to issue a real TLS certificate, and your web client uses it to connect.

1. Go to https://www.noip.com and sign up for a free account. Once logged in, go to Dynamic DNS, No-IP Hostnames and create a new hostname such as yourserver.ddns.net. Write this down and treat it like a password.

2. Download the No-IP DUC (Dynamic Update Client) from https://www.noip.com/download?page=win. This is a small background app that watches your public IP address and automatically updates No-IP whenever it changes. Without it, your hostname will point to the wrong IP after a router restart.

Step 2: Generating Certificates with WinACME

Self-signed certs from mkcerts work for HexChat on your LAN, but browsers will outright refuse a WebSocket connection to a self-signed cert. To use Kiwi IRC from the internet you need a real, trusted certificate. This is where WinACME comes in, it gets you a free Let's Encrypt certificate to go with your No-IP hostname.

Before you start: make sure Ergo is not running, port 80 is forwarded on your router, and opened in your firewall. Opening port 80 is a temporary measure, WinACME needs to answer a challenge on this port to prove you control the domain.

1. Download WinACME from https://www.win-acme.com. Extract the ZIP somewhere convenient, e.g. C:\Users\YourName\Downloads\win-acme\

2. Open PowerShell as Administrator in the WinACME folder and run: ./wacs.exe

3. If everything executed correctly, WinACME will save PEM files to your chosen folder. Look for files ending in -chain.pem and -key.pem.

4. Open ircd.yaml and update the cert paths in two places, the 6697 TLS listener and the 8097 WebSocket listener. Make sure both point to the same folder:

   ":6697":
     tls:
       cert: C:\...\certs\yourserver-chain.pem
       key:  C:\...\certs\yourserver-key.pem
   ":8097":
     tls:
       cert: C:\...\certs\yourserver-chain.pem
       key:  C:\...\certs\yourserver-key.pem
     websocket: true

Step 3: Port Forwarding on your Router

For anyone outside your home network to reach your server, your router needs to forward the right ports to your machine.

1. Find your router's admin page. Usually this involves entering a specific IP address into your browser, though this may vary between ISPs.

2. Log in with your router's admin credentials. These should be visible on the back of the router alongside your Wi-Fi password.

3. Find your PC's local IP by running ipconfig and looking for the IPv4 Address in the Wi-Fi section, something like 192.168.1.XXX. It is worth assigning this as a static IP in your router's DHCP settings (look for "DHCP reservation" or "static lease") so it never changes and breaks your forwarding rules.

Step 4: Connecting from Kiwi IRC

Kiwi IRC is a browser-based IRC client, no installation needed. It connects to your server over WebSocket Secure (WSS) on port 8097, which is why the real TLS cert from WinACME was necessary.

1. On any device, open a browser and go to: https://kiwiirc.com/nextclient/

2. Fill in the connection screen: Server address: yourserver.ddns.net / Port: 8097 / SSL/TLS: ON / Channel: #general / Nick: YourName

3. Hit Connect. You should see the server welcome message and land in your channel. This works from any network, your phone on mobile data, a friend's house, anywhere, as long as Ergo is running at home.

"Unable to connect": check that Ergo is running and port 8097 is forwarded. "Certificate error": check the cert files still exist and run /rehash. "Connection closed immediately": SSL must be ON for port 8097.

Pi-Roject: Ergo IRC (Hello World)

This section covers setting up Hello World, the same Ergo IRC server moved to a Raspberry Pi for permanent self-hosted use. It goes from a bare Pi to a fully working setup: a domain that tracks your home IP, a real TLS certificate, Ergo running as a systemd service, and connections working via both HexChat and KiwiIRC. Written based on the actual setup session, mistakes and all.

This is not a beginner guide, it assumes you have already got your Pi set up and can SSH into it comfortably.

Overview

Ergo IRC: version ergo-2.14.0-linux-arm64, running on the Pi.

No-IP DUC: keeps helloworld.ddns.net pointed at your home IP. Lives on the Pi as a systemd service.

Win-ACME: stays on Windows. Handles TLS cert renewal via Let's Encrypt, then copies the renewed certs to the Pi automatically via a batch script.

HexChat: desktop client, port 6697 (TLS). KiwiIRC: browser client, port 8097 (WebSocket over TLS).

Step 3: TLS Certificates (Win-ACME on Windows)

Let's Encrypt certificates are what make TLS connections to the server trustworthy. Win-ACME handles obtaining and automatically renewing them, but there is a catch worth knowing about.

Why cert renewal runs on Windows, not the Pi: When Win-ACME verifies your domain, Let's Encrypt contacts your external IP on port 80. On a UK residential connection, ISPs commonly block inbound port 80. Port 443 and higher ports like 6697 are usually fine. Since Win-ACME was already set up on Windows and working there, the simplest fix is to keep it there and automate pushing the renewed certs to the Pi.

Important: The router rule for port 80 must point to your Windows machine, not the Pi. Check this before the next renewal date.

Setting Up Passwordless SSH (Windows to Pi)

This is needed so the cert copy script can run without a password prompt. Run on Windows as Administrator:

ssh-keygen -t rsa -b 4096
(hit Enter through all prompts, no passphrase)

type C:\Users\black\.ssh\id_rsa.pub | ssh ircuser@192.168.1.XXX "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Enter the Pi password when prompted. Test it by running ssh ircuser@192.168.1.XXX, it should connect with no password.

Step 5: Enable and Start Ergo

sudo systemctl daemon-reload
sudo systemctl enable ergo
sudo systemctl start ergo
sudo systemctl status ergo

You are looking for active (running) in the status output, along with log lines like info : server : Server running. If something goes wrong:

journalctl -u ergo -f

Step 6: Disable Plaintext (TLS Only)

When Ergo first starts, it warns that port 6667 (plaintext IRC) is active. Since we want TLS-only connections, this needs to be commented out.

nano /home/ircuser/ergo/ergo-2.14.0-linux-arm64/ircd.yaml

Find the listeners section and add a # at the very start of the ":6667": line, before the quote mark. Nano may highlight it differently, only an actual # at the start of the line counts:

Wrong:  ":6667":
Right: #":6667":

Save, then restart Ergo:

sudo systemctl restart ergo

Verify port 6667 is no longer listening (this should return nothing):

ss -tlnp | grep 6667

Check the cert expiry while you are at it:

openssl x509 -in /home/ircuser/ergo/certs/fullchain.pem -noout -dates

Step 9: Connect with KiwiIRC

1. Go to kiwiirc.com/nextclient/
2. Set Server: helloworld.ddns.net
3. Set Port: 8097
4. Scroll down to Advanced
5. Tick Direct websocket
6. Set the websocket URL to: wss://helloworld.ddns.net:8097/
7. Click Network

Two things to watch out for. First, the direct websocket field defaults to ws:// (unencrypted), it must be wss://. Second, if it still will not connect, diagnose with:

curl -v https://helloworld.ddns.net:8097 2>&1 | head -30

A timeout here usually means port 8097 is not being forwarded through the router. Fix the port forwarding rule and it will connect immediately.

IRC Privacy Guide

• Introduction
• Part 1, Step 1: Self-Hosting
• Part 1, Step 2: Ergo
• Part 1, Step 3: HexChat
• Part 2, Step 1: ircd.yaml
• Part 2, Step 2: Multi-User Servers
• Part 2, Step 3: Checklists
• Conclusion + Sources

Introduction

In stark contrast to other means of online chat, IRC (Internet Relay Chat) is a protocol, not a product. Control starts and ends with the individual operators, who have sole responsibility over their data. Meanwhile, their chatters are responsible for their own interests, and there is no third party that can intervene in this process.

On mainstream chat platforms, a third party dictates the entire process. The corporate entities that own these programs put themselves between the operator and chatter relationship and demand both parties work by its inefficiencies. They track users with data-retention policies, game-ify their chatting experience with monetisation, and if prompted, will drop these users into the awaiting hands of the law. This is not free communication, this is a system that glorifies convenience and enforces learned helplessness.

IRC has no central authority, no single server that handles everyone's traffic. It is an open-standard protocol, freer than e-mail, which itself strains under legal pressure no matter how many privacy features are implemented.

Mullvad VPN's encounter with legalities makes the same point from an opposite direction. In April 2023, six members of Sweden's National Operations Department arrived at Mullvad's Gothenburg office with a search warrant and left empty-handed. In Mullvad's own blog post: "In line with our policies such customer data did not exist." This is the crux of the argument: if you have nothing in your server, you have nothing to lose.

As a result, the threat profile of IRC is fundamentally different. The question is not "do you trust this corporation, its lawyers, investors or their capacity to act in your interest." It becomes "do you trust the person running the server?" On a well-configured self-hosted server, that person is you or a close friend. The security of your communications comes down to individuals, not the trajectory of a graph. That is both the freedom and responsibility IRC gives you. You just have to have the initiative to take that responsibility seriously.

Step 1: The Privacy Benefits of Self-Hosting

IRC operates on a client-server model: your client connects to a server (called an IRCd), which routes messages between users. By default, all IRC traffic transmits as plaintext unless TLS encryption is manually configured. The operator of a server can read every message that passes through it, the exact times of logins and logouts, and every other action within its confines. Your ISP can also read every message, as can anyone performing a man-in-the-middle attack, and any server in the relay chain.

TLS (Transport Layer Security) encrypts data in transit between two parties. TLS prevents your ISP and passive network eavesdroppers from reading your messages, but does not prevent the server itself from reading them, because the server must decrypt traffic to route it. TLS is transport encryption, not end-to-end encryption. However, this amount of control lends to a user-mandated log policy, the protocol does not get to decide how long messages last, if at all.

Step 2: Privacy Features in Ergo

Ergo is a modern IRC server daemon written in Go that combines an IRCd, a services framework (NickServ, ChanServ), and a bouncer into a single binary. It supports requiring SASL for all logins, IP cloaking, TLS client certificate authentication, and running as a Tor hidden service.

SASL (Simple Authentication and Security Layer) authenticates to a server as part of the initial connection handshake, before the client is fully registered, more secure than post-connection NickServ identification. SASL EXTERNAL / CertFP authenticates using a TLS client certificate rather than a password, so no password ever transmits over the wire.

For Operators

1. Disable server-side message history. Ergo stores message history in ircd.db by default. Disable it in ircd.yaml:

history:
  enabled: false

If you keep history enabled, set aggressive limits: short retention windows (hours, not days), low message counts. If you have been running Ergo without configuring this, wipe the database.

5. Run Ergo as a non-root user with systemd hardening. A hardened service unit prevents a compromised Ergo process from reading your home directory, escalating privileges, or writing outside its data directory:

NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes

6. Treat the database file as sensitive media. ircd.db contains account data and, if history is enabled, message content. On a Raspberry Pi this lives on a microSD card, which you will have to wipe and physically destroy when decommissioning.

7. Bind to LAN or tunnel, not the public internet. For single-device use, bind to 127.0.0.1. For trusted-circle use with other devices, bind to a WireGuard interface IP (e.g. 10.0.0.1). WireGuard is preferable to SSH tunnelling for persistent connections, as it operates at the kernel level, has a significantly smaller attack surface, and handles reconnections more gracefully.

8. Keep Ergo updated. Security fixes ship in point releases. Use the stable branch or release tags, not the master branch.

Step 3: Privacy Features in HexChat

HexChat is a free, open-source IRC client for Windows and Linux with built-in support for TLS, SASL (both PLAIN and EXTERNAL), and TLS client certificates. It remains functional and widely understood, despite being unmaintained since its last release in 2024. Active alternatives include WeeChat and Irssi (both terminal-based, Linux/macOS/Windows).

For Operators

1. Use SASL EXTERNAL (certificate authentication). Generate a combined .pem file containing both the private key and the certificate:

openssl req -x509 -noenc -days 3650 \
  -newkey ed25519 \
  -keyout ~/.config/hexchat/certs/Network.pem \
  -out ~/.config/hexchat/certs/Network.pem

Then: chmod 600 ~/.config/hexchat/certs/Network.pem

Use -noenc (not the deprecated -nodes) and ed25519 (preferred over rsa:4096, ~128 bits of security, NIST FIPS 186-5 approved). Name the file exactly as your network appears in the Network List. Set the Login method to "SASL EXTERNAL (cert)", then register with: /msg NickServ cert add

For Users

1. Disable local logging. This is the single most important client-side step. Settings, Preferences, Logging, uncheck "Enable logging".

2. Use SASL EXTERNAL if the operator supports it. Generate your own client certificate and ask the operator to register its fingerprint against your account. No password travels over the wire and your authentication cannot be replayed if intercepted.

3. Disable DCC. You have no reason to accept direct client connections in a private trusted-circle context. At minimum: /set dcc_auto_recv 0

4. Suppress your version string. Settings, CTCP Replies, delete or blank the VERSION entry.

5. Connect only from a device you control. Shared computers, work machines, and devices with unknown software installed are not appropriate for private IRC use.

6. Disconnect when you are not present. Do not leave an authenticated IRC session open and unattended. If the operator has always-on clients enabled, your nick may persist on the server after you disconnect.

Authentication. Require SASL and disable self-registration together. Ergo's own documentation warns that enabling require-sasl without disabling registration means anyone can still self-register and connect:

accounts:
  require-sasl:
    enabled: true
  registration:
    enabled: false

Create accounts with /msg NickServ SAREGISTER <username> <password> from an oper session. This is Ergo-specific operator syntax and will not work on a standard IRC network.

IP Cloaking. Setting num-bits: 0 produces a cloak entirely unrelated to the user's IP. The enabled-for-always-on: true key ensures always-on clients also receive unique cloaked hostnames:

server:
  ip-cloaking:
    enabled: true
    enabled-for-always-on: true
    netname: "irc"
    cidr-len-ipv4: 32
    cidr-len-ipv6: 64
    num-bits: 0

Step 2: Managing a Multi-User Trusted-Circle Server

The moment a second person connects to your server, the threat model changes. Every device connecting is a potential disclosure vector, regardless of your configuration. The security of the channel is bounded by the least-secure device connecting to it.

1. Create accounts manually; never allow self-registration. With accounts > registration > enabled: false in place, create each user's account yourself via operator commands. No one joins without you explicitly adding them.

2. Configure channel modes for private circles. For a private circle, +si is the minimum. Secret means the channel does not appear in /LIST. Invite-only means users can only join if an existing member invites them with /INVITE. Additional modes: +m for moderated channels; +k <key> for a channel key that acts as a shared password.

3. Use SASL EXTERNAL where possible. Walk each person through generating their own client certificate and registering its fingerprint with NickServ. A user authenticating by password is a weaker link.

Step 3: Minimum Requirements Checklist

Single-User Ergo Server (Raspberry Pi)

Enabled: Non-root execution (systemd hardening); restricted network access (LAN/VPN/tunnel); SASL requirement; TLS on port 6697, no plaintext.

Disabled: Always-on clients; client-side logging (HexChat); DCC; self-registration; server-side message history.

Configurations: SASL authentication method (EXTERNAL preferred); TLS certificate secured; microSD and TLS private key secured; latest version of Ergo.

Chatter (Connecting to Someone Else's Server)

Protocol: SASL authentication (EXTERNAL preferred); TLS certificate pinning; DCC disabled / auto-accept off; client-side logging disabled; CTCP VERSION suppression.

Procedure: Plausible evidence of the server logging status; a trusted, uncompromised device; session lifecycle (disconnect when not present).

Conclusion

Congratulations. You now know how privacy measures work within the IRC protocol. While this guide was made for Ergo users, much of its information is relevant to all sorts of daemons. Enjoy your new technical knowledge and stay safe out there.

Sources

1. Threat Modeling / Digital Security Risk Assessment — privacyguides.org / freedom.press
2. Communicating With Others / Communication Network Types — ssd.eff.org / privacyguides.org
3. Why Metadata Matters / VPN Overview — ssd.eff.org / privacyguides.org
4. HexChat releases — github.com / libera.chat
5. WireGuard documentation — wireguard.com / freedom.press
6. NIST FIPS 186-5 — csrc.nist.gov
7. Ergo MANUAL.md — github.com/ergochat
8. ProtonMail / climate activist arrest — proton.me
9. Mullvad search warrant — mullvad.net
10. Google transparency report — transparencyreport.google.com