Weechat

Source: wirelesspt.net


WeeChat is a powerful, extensible IRC client that runs on Linux, BSD, macOS (OS X) and Windows. On the security side it supports TLS with certificate pinning, client certificates (CertFP), SASL and encrypted storage of passwords, which is what this page sets up.

Installation

WeeChat is a command-line (ncurses) IRC client.

GNU Gentoo, Pentoo, Sabayon, Funtoo Linux and based on:

echo net-irc/weechat ~amd64 >> /etc/portage/package.keywords
emerge weechat otr 

GNU Debian, Ubuntu, Mint, Kali Linux and based on:

apt-get install weechat python-potr 

GNU Arch Linux and based on:

sudo pacman -S weechat python2-potr

GNU Fedora Linux and based on:

yum install weechat weechat-otr

Although this setup was written for the wirelesspt.net IRC network, it can and should be used on any decent IRC network.

Configuration

Once installed, a few settings, scripts and plugins make WeeChat more practical, useful and secure.

Start WeeChat from a terminal and follow the instructions below. Lines starting with / are typed at the WeeChat prompt; openssl and other shell commands are typed in a terminal.

Looks and feel

Ncurses color setup with weechat

The following parameters improve the everyday experience with WeeChat.

  • Important
/set irc.server_default.capabilities "account-notify,away-notify,cap-notify,extended-join,invite-notify,multi-prefix,server-time,userhost-in-names"
  • Generic
/set charset.default.encode UTF-8
/set charset.default.decode iso-8859-15
/set irc.network.send_unknown_commands on 
/set weechat.startup.display_logo off
/set weechat.startup.display_version off
/set irc.look.part_closes_buffer on
/set buffers.look.whitelist_buffers wirelesspt
/set irc.look.buffer_open_before_autojoin off
/set irc.look.server_buffer independent
/set aspell.check.default_dict en_US
  • On WeeChat 2.5 and newer the aspell plugin is called spell, so the option is spell.check.default_dict.
/set weechat.look.mouse on
  • Wider nicklist width:
/set irc.look.color_nicks_in_nicklist on
/set weechat.bar.nicklist.size_max 15
  • Hide join, part and quits
/set irc.look.smart_filter on
/filter add irc_smart * irc_smart_filter *
/filter add joinquit * irc_join,irc_part,irc_quit *
  • Change where you want to receive your notices (server/current/private/weechat)
/set irc.msgbuffer.error weechat
/set irc.msgbuffer.invite current
/set irc.msgbuffer.kill current
/set irc.msgbuffer.list current
/set irc.msgbuffer.names current
/set irc.msgbuffer.notice current                     
/set irc.msgbuffer.status current
/set irc.msgbuffer.wallops current
/set irc.msgbuffer.who current
/set irc.msgbuffer.whois current
/set irc.msgbuffer.whowas current
/set irc.msgbuffer.xfer current

Plugins

  • Basic plugins. Note that /plugin autoload takes no plugin name: it loads every plugin listed in weechat.plugin.autoload ("*" by default), so these are normally loaded already. To load one by hand, use /plugin load:
/plugin load script
/plugin load relay
/plugin load spell
/plugin load perl
/plugin load python
/plugin load buflist

Scripts

  • Generic scripts:
/script install autosort.py
/script install autoauth.py
/script install buffer_autoset.py
/script install country.py
/script install grep.py
/script install irssi_awaylog.py
/script install keepnick.py
/script install screen_away.py
/script install whois_on_query.py
/script install xfer_setip.py
/script install xfer_scp.py
  • Anti spam scripts:
/script install query_blocker.pl
/script install mass_hl_blocker.pl
  • Security scripts:
/script install otr.py
/script install crypt.py
/script install ircrypt.py
/script install fish.py

To find information about a script, simply type:

/script show script_name

For general information, type:

/help script

Anonymity

To stop WeeChat from revealing information about itself and its location to the server and to other users (CTCP requests are answered automatically to whoever sends them), the following settings are recommended. An empty reply disables the answer for that CTCP request:

/set irc.ctcp.version ""
/set irc.ctcp.ping ""
/set irc.ctcp.finger ""
/set irc.ctcp.time ""
/set irc.ctcp.source ""
/set irc.ctcp.userinfo ""
/set irc.ctcp.clientinfo ""
/set irc.ctcp.download ""
/set irc.ctcp.action ""
/set irc.ctcp.dcc ""

/set irc.look.display_ctcp_blocked on
/set irc.look.display_ctcp_reply off
/set irc.look.display_ctcp_unknown on

/set irc.server_default.msg_part ""
/set irc.server_default.msg_quit ""

Weechat setup

Use client certificates (CertFP) to connect and authenticate to every network that supports them. Where CertFP is not available, at least set a WeeChat passphrase with /secure and store the NickServ or SASL password encrypted, as shown below, instead of in clear text in irc.conf.

Network configuration

/server add wirelesspt irc.wirelesspt.net/6697
/set irc.server.wirelesspt.autojoin #wirelesspt,#newspt,#linux,#vuln,#portugal
/set irc.server.wirelesspt.autorejoin_delay 15
/set irc.server.wirelesspt.autoreconnect on
/set irc.server.wirelesspt.autoreconnect_delay 60
/set irc.server.wirelesspt.nicks nickname1,nickname2,nickname3
/set irc.server.wirelesspt.realname OTR_enabled
/set irc.server.wirelesspt.username nickname
/set irc.server.wirelesspt.ssl on
/set irc.server_default.ssl_priorities SECURE256:-VERS-TLS-ALL:+VERS-TLS1.3
/set irc.server.wirelesspt.ssl_priorities SECURE256:-VERS-TLS-ALL:+VERS-TLS1.3
/set irc.server.wirelesspt.msg_part ""
/set irc.server.wirelesspt.msg_quit ""
  • The priority string above allows TLS 1.3 only. It needs GnuTLS 3.6.5 or newer on the client and TLS 1.3 on the server, otherwise the connection fails; use +VERS-TLS1.2:+VERS-TLS1.3 instead if either side is older.
  • WeeChat 4.0 renamed the ssl* options to tls* (irc.server.xxx.tls, tls_priorities, tls_cert, tls_fingerprint and so on); /help irc.server.wirelesspt.tls shows which names your version uses.

Nickserv

Secure access to WeeChat and keep the password out of irc.conf, where it would otherwise be stored in clear text:

/secure passphrase weechat_password
/secure set wirelesspt nickname_password
/set irc.server.wirelesspt.command /msg nickserv identify ${sec.data.wirelesspt}

The server "command" option is evaluated, so ${sec.data.wirelesspt} is replaced by the stored secret at connect time and only the reference is written to irc.conf. The secret itself lives in sec.conf, encrypted with the passphrase, which WeeChat asks for at startup.

(Authenticating by messaging NickServ is deprecated: SASL and CertFP authenticate during connection registration, before any channel is joined. Use NickServ only if you are still living in the 90's.)

Sasl

The SASL mechanism can be PLAIN (username and password) or EXTERNAL (the client certificate presented on the TLS connection, i.e. CertFP).

If you have CertFP set up, use EXTERNAL (recommended). DH-AES and DH-BLOWFISH are deprecated and potentially insecure, and newer WeeChat versions no longer offer them. PLAIN only base64-encodes the credentials, so it must never be used on a connection without TLS.

/set irc.server.wirelesspt.sasl_username nickname
/set irc.server.wirelesspt.sasl_mechanism plain
/set irc.server.wirelesspt.ssl_dhkey_size 4096

Secure access to WeeChat and keep the SASL password out of irc.conf (do not set sasl_password to the clear-text password):

/secure passphrase weechat_password
/secure set wirelesspt nickname_password
/set irc.server.wirelesspt.sasl_password ${sec.data.wirelesspt}

Although SASL is much better than NickServ, a password is still a shared secret that the server stores and that can be phished or brute-forced. Prefer EXTERNAL with CertFP.

Security

To stop attackers from impersonating you, from mounting man-in-the-middle attacks and from cracking the password hashes stored by the network's services, use client certificates (CertFP) for authentication wherever the network supports them, and always connect over TLS.

With CertFP you control the credential end to end: there is no password for the server to store or leak, and the server ties your account to the public key of a certificate whose private key never leaves your machine.

Keep in mind that this is only as secure as the private key: anyone who can read nick.key (or the nick.pem bundle) can log in as you. Keep these files readable by you only (chmod 400) and keep a backup in a safe place. If they leak, remove the fingerprint from your account at once (on Atheme-based services: /msg nickserv cert del <fingerprint>) and generate a new certificate.

Weechat CertFP

Change the SASL mechanism to EXTERNAL:

/set irc.server.wirelesspt.sasl_mechanism external

Generate the certificate and private key with openssl. With -subj given as below no questions are asked; the CN is only a label, so use your nick or anything you like.

Syntax:

openssl req -x509 -nodes -days <days> -utf8 -newkey <type>:<bits> -sha512 -keyout nick.key -out nick.crt -subj /CN=nick

Execute:

openssl req -x509 -nodes -days 1825 -utf8 -newkey rsa:4096 -sha512 -keyout nick.key -out nick.crt -subj /CN=nick
cat nick.crt nick.key > nick.pem
chmod 400 nick.key nick.crt nick.pem

(-nodes leaves the private key unencrypted on disk, which is what WeeChat needs in order to use it unattended; the file permissions are what protects it.)

Confirm your certificate's SHA-256 fingerprint by typing:

openssl x509 -noout -fingerprint -sha256 -in nick.pem

In the WeeChat directory, create a directory for the certificates and move them there:

mkdir -p ~/.weechat/ssl
mv nick.key nick.crt nick.pem ~/.weechat/ssl

Add the bundle (certificate plus private key in one file) to WeeChat:

/set irc.server.wirelesspt.ssl_cert ~/.weechat/ssl/nick.pem

If your nickname is registered on the network, add the certificate fingerprint to your account. Services usually take the fingerprint as lowercase hex without colons, which the following command prints; the digest the network uses depends on its ircd (usually SHA-256 today), and a /whois on your own nick after connecting with the certificate shows the value the server computed, so compare the two:

openssl x509 -sha256 -noout -fingerprint -in nick.pem | sed -e 's/^.*=//;s/://g;y/ABCDEF/abcdef/'

Then, connected to IRC and identified, add it with:

/msg nickserv cert add <fingerprint>

(On Atheme-based services, /msg nickserv cert add with no argument adds the fingerprint of the certificate you are connected with right now, and /msg nickserv cert list shows the fingerprints attached to the account. On the next connection, SASL EXTERNAL should identify you without any password.)
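The client-side CertFP procedure above as one script. This is an added example, not code from the wirelesspt.net page: it generates the key and certificate, bundles and locks them down, checks that key and certificate actually belong together (a mismatched bundle only shows up later as a failed TLS handshake) and prints the fingerprint in the lowercase, colon-free form services take. It assumes openssl(1) and a POSIX shell; the server name wirelesspt and the %h WeeChat-home shorthand are the page's, the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the wirelesspt.net page: client-side CertFP
# setup in one script. Assumes openssl(1) and a POSIX shell.
set -eu

# gen_certfp_cert NICK [DAYS] [KEYSPEC]
# Writes NICK.key, NICK.crt and the NICK.pem bundle in the current directory.
# KEYSPEC is an openssl -newkey argument (rsa:4096 by default).
gen_certfp_cert() {
    nick=$1; days=${2:-1825}; keyspec=${3:-rsa:4096}
    umask 077                      # new files are 0600 from the first byte
    # -nodes: the key stays unencrypted on disk, WeeChat has to use it unattended;
    # -subj: no interactive questions, the CN is just a label.
    openssl req -x509 -nodes -days "$days" -utf8 -newkey "$keyspec" -sha512 \
        -keyout "$nick.key" -out "$nick.crt" -subj "/CN=$nick" 2>/dev/null
    cat "$nick.crt" "$nick.key" > "$nick.pem"   # ssl_cert wants cert and key in one file
    chmod 400 "$nick.key" "$nick.crt" "$nick.pem"
}

# cert_fingerprint PEMFILE [DIGEST]
# Prints the certificate fingerprint as lowercase hex without colons (sha256 by
# default), the form NickServ CERT ADD takes on Atheme-style services.
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-${2:-sha256}" -in "$1" \
        | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# check_keypair PEMFILE
# Succeeds only when the private key in the bundle matches the certificate's
# public key (both are printed in the same PEM "PUBLIC KEY" form and compared).
check_keypair() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$1")" ]
}

# Stand-alone use: sh certfp.sh NICK [SERVER]; nothing runs when only sourced.
if [ "$#" -gt 0 ]; then
    nick=$1; server=${2:-wirelesspt}
    gen_certfp_cert "$nick"
    check_keypair "$nick.pem" || { echo "key/cert mismatch" >&2; exit 1; }
    mkdir -p "$HOME/.weechat/ssl"
    mv "$nick.key" "$nick.crt" "$nick.pem" "$HOME/.weechat/ssl/"
    fp=$(cert_fingerprint "$HOME/.weechat/ssl/$nick.pem")
    echo "Paste into WeeChat:"
    echo "  /set irc.server.$server.ssl_cert %h/ssl/$nick.pem"
    echo "  /set irc.server.$server.sasl_mechanism external"
    echo "  /msg nickserv cert add $fp"
fi
```

Run it once per nick (sh certfp.sh nick wirelesspt) and paste the three printed lines into WeeChat; the key file never leaves the ssl directory and is never echoed.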

Irc CertFP

To obtain the IRC server's certificate fingerprint, type the following in a terminal (-servername sends the host name as SNI, so a server hosting several names returns the right certificate):

openssl s_client -connect irc.wirelesspt.net:6697 -servername irc.wirelesspt.net < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin -sha512

You will obtain something like:

SHA512 Fingerprint=5B:DC:8D:A9:80:F4:81:72:B9:E5:83:48:B5:62:E0:47:6C:F5:E6:67:7C:83:A7:83:AE:FE:24:03:5A:D8:E1:D4:8A:9C:44:4D:91:2B:33:F2:EE:66:1C:37:92:3F:B9:78:24:0F:76:53:6A:83:F7:5A:C5:81:66:48:CA:00:7B:EE

The following command line prints the fingerprint in the format WeeChat needs: lowercase hex without colons. WeeChat accepts SHA-256, SHA-384 or SHA-512 fingerprints (64, 96 or 128 hex digits).

openssl s_client -connect irc.wirelesspt.net:6697 -servername irc.wirelesspt.net < /dev/null 2>/dev/null | openssl x509 -sha512 -fingerprint -noout | tr -d ':' | tr 'A-Z' 'a-z' | cut -d = -f 2

To pin the server certificate and defeat MITM attacks, add all the fingerprints to WeeChat, separated by commas, like in the following example:

/set irc.server.wirelesspt.ssl_fingerprint 0BED9834B194367E25D5A7A9FDD3837F8F338F6743049F43B54512358ED536EEF550F37AF2882453C0CE52308C08D1D80C236868D46D0FA074C5F9DDBAA50ACC
/set irc.server.wirelesspt.ssl_verify on
  • When the address is a round-robin name, the servers behind it may have different certificates. Every fingerprint must be listed, otherwise WeeChat refuses the connection to the server whose fingerprint is missing; run the command once per IP address behind the name.
  • Pinning only helps if the fingerprint you type was obtained through a path the attacker does not control. Compare it with the value the network publishes, ideally fetched over a second path (for instance through Tor as well as directly); a fingerprint read from a connection that is already being intercepted pins the attacker's certificate.
  • Certificates rotate (Let's Encrypt certificates every 60 to 90 days), so the pinned value has to be updated at each renewal or WeeChat will refuse to connect.

When the fingerprint changes, confirm the new value against the network's published fingerprints before accepting it.
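The round-robin case from the bullet above as a script, added here as an example and not part of the wirelesspt.net page: it resolves every address behind the host name, fingerprints each server with the host name as SNI, and prints the comma-separated value in the form irc.server.<name>.ssl_fingerprint expects. It assumes openssl(1), a glibc getent(1) (Linux) and a POSIX shell; irc.wirelesspt.net and port 6697 are the page's values, the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the wirelesspt.net page: pin every server
# behind a round-robin IRC address. Assumes openssl(1), a glibc getent(1)
# and a POSIX shell.
set -eu

# normalize_fp: "SHA512 Fingerprint=5B:DC:..." on stdin -> "5bdc..." (the
# lowercase, colon-free hex string irc.server.*.ssl_fingerprint stores).
normalize_fp() {
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# fp_length_ok FP: WeeChat takes SHA-256, SHA-384 or SHA-512 fingerprints,
# i.e. exactly 64, 96 or 128 lowercase hex digits; anything else is rejected.
fp_length_ok() {
    case "${#1}" in 64|96|128) ;; *) return 1 ;; esac
    case "$1" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# join_fps: newline-separated fingerprints on stdin -> one comma-separated value.
join_fps() {
    paste -s -d ',' -
}

# server_fingerprint HOST IP PORT: connect to one concrete address but send
# HOST as SNI, so a name-based virtual host presents the right certificate.
server_fingerprint() {
    case $2 in *:*) addr="[$2]:$3" ;; *) addr="$2:$3" ;; esac   # bracket IPv6 literals
    openssl s_client -connect "$addr" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha512 2>/dev/null | normalize_fp
}

# pin_roundrobin HOST [PORT]: resolve all A/AAAA records, fingerprint each
# server, report "ip fingerprint" on stderr, print the combined value on stdout.
pin_roundrobin() {
    host=$1; port=${2:-6697}
    getent ahosts "$host" | awk '{print $1}' | sort -u | while read -r ip; do
        if fp=$(server_fingerprint "$host" "$ip" "$port") && fp_length_ok "$fp"; then
            printf '%s %s\n' "$ip" "$fp" >&2
            printf '%s\n' "$fp"
        else
            printf 'warning: no certificate from %s\n' "$ip" >&2
        fi
    done | sort -u | join_fps
}

# Stand-alone use: sh pin.sh irc.wirelesspt.net 6697 wirelesspt
if [ "$#" -gt 0 ]; then
    fps=$(pin_roundrobin "$1" "${2:-6697}")
    [ -n "$fps" ] || { echo "no fingerprints collected" >&2; exit 1; }
    echo "/set irc.server.${3:-wirelesspt}.ssl_fingerprint $fps"
    echo "/set irc.server.${3:-wirelesspt}.ssl_verify on"
fi
```

The per-IP lines on stderr are what you compare against the network's published list before pasting the /set line; a server that answers with a fingerprint you cannot match elsewhere should not be pinned blindly.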

Root trusted CAs

If WeeChat cannot verify a certificate chain (for instance a Let's Encrypt certificate on a system with an outdated CA bundle, or a self-signed certificate), point it at a CA bundle it can use.

Option 1:

Default WeeChat configuration (the system bundle; the path varies per distribution):

/set weechat.network.gnutls_ca_file /etc/ssl/certs/ca-certificates.crt

Customizing the default (if needed):

/set weechat.network.gnutls_ca_file ~/.weechat/ssl/ca-certificates.crt

If WeeChat cannot read ca-certificates.crt, link the system bundle into the WeeChat directory by typing the following in a terminal:

ln -s /etc/ssl/certs/ca-certificates.crt ~/.weechat/ssl/ca-certificates.crt

WeeChat 3.2 and newer replaced this option with weechat.network.gnutls_ca_system (use the system bundle) and weechat.network.gnutls_ca_user (extra CA files); check /help weechat.network.gnutls_ca_user on your version.

Option 2:

Using the network's own self-signed root CA. This option may or may not be supported by the network at any given moment.

wget https://wirelesspt.net/arquivos/ssl_certs/wirelesspt_trusted_CAs.crt
cp /etc/ssl/certs/ca-certificates.crt ~/.weechat/ssl/ca-certificates.crt
cat wirelesspt_trusted_CAs.crt >> ~/.weechat/ssl/ca-certificates.crt

  • Copy the bundle rather than appending through the symlink from option 1; appending through the link would alter the system bundle (and fails without root).
  • A CA added to the bundle is trusted for every TLS connection WeeChat makes, not only for this network. Verify the downloaded file out of band before adding it (openssl x509 -noout -fingerprint -sha256 -in wirelesspt_trusted_CAs.crt, compared with the value the network publishes), and prefer pinning the server fingerprint as above over trusting a private CA.
  • Option 2 requires a manual update every time new certificates are issued.

Network connection

You have three ways to reach the IRC network: directly, through Tor as a SOCKS proxy, or through the network's Tor hidden service.

Clear web

  • Although deprecated, the setup above works as is:
/connect wirelesspt

Dark web

  • Better option: use Tor as a SOCKS5 proxy for the clear-web address. Tor's default SOCKS port is 9050; define the proxy once, copy the server and attach the proxy to the copy:
/proxy add tor socks5 127.0.0.1 9050
/server copy wirelesspt wirelesspt-tor
/set irc.server.wirelesspt-tor.proxy tor
/connect wirelesspt-tor
  • Best option: the hidden service. A .onion address is only reachable through Tor, so this copy needs the same proxy. The server certificate does not carry the .onion name, so keep the pinned ssl_fingerprint from above (the copy inherits it) rather than relying on name verification:
/server copy wirelesspt wirelesspt-hidden
/set irc.server.wirelesspt-hidden.proxy tor
/set irc.server.wirelesspt-hidden.addresses t2hcksjupcscbqx425fwdffl6nlqo2cb3tl3c5ohcq6or7m2nq2c4mqd.onion/6697,3ex3z46isjih3pjgaeepnsjjpekyuxfos7utueehcv2y2ddjoupkp5qd.onion/6697
/connect wirelesspt-hidden

End2End chat encryption

It is mandatory to use one of the methods below, or something better.

Otr

Setting up weechat to use OTR with your contacts is the default recommendation:

/script install otr.py

Check options:

/help otr

Set default policy for everyone you talk to:

/otr policy default require_encryption on

Start or finish conversation with another person:

/otr start nickname
/otr finish nickname

Check your OTR fingerprint:

/otr fingerprint

Compare fingerprints with your contact over another channel (voice, OpenPGP-signed mail, or the SMP question-and-answer check under /otr smp) and then mark the contact trusted with /otr trust; until then the session shows as unverified. An unverified OTR session stops passive eavesdropping, but not an attacker who sat in the middle during the key exchange.

Crypt

crypt.py encrypts what you send to a channel or to a person with a key file shared by both sides, in the same fashion as fish.py is used for channels or nicknames, and with a better cipher than Blowfish.

/script install crypt.py

You need one key file per channel or per nick, named after the channel or the person you want to use it with (#crypto and MrJenkins are used as examples):

  • Basic usage (deprecated):
openssl genrsa -out cryptkey.#crypto 4096
openssl genrsa -out cryptkey.MrJenkins 4096
  • Preferred:
openssl ecparam -name secp521r1 -genkey -noout -out cryptkey.#crypto
openssl ecparam -name secp521r1 -genkey -noout -out cryptkey.MrJenkins
  • Secure the generated key:
chmod 600 cryptkey.*
mv cryptkey.* ~/.weechat

Caveat: the same file is used by both sides to encrypt and decrypt, so crypt.py treats it as a shared secret, not as an RSA or EC key pair. Check with /script show crypt.py how the script reads the file before relying on a PEM-formatted key: if it hands the file to openssl as a passphrase file (-pass file:...), only the first line is used, and for a PEM file that line is the literal header (-----BEGIN EC PRIVATE KEY-----), the same for every user. A long random string is both simpler and safer in that case.

After installation, anything you type in #crypto or to your friend is encrypted automatically. Use a second client if you want to verify it.

The next step is to distribute the key to the other people for chat decryption. Take a minute to consider the best way to do this, as the chat will only be as secure as this key. Use OpenPGP to send it.
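A small helper for the key file handling above, added here as an example and not part of the wirelesspt.net page or of crypt.py: it creates a key file holding one line of 256 random bits, with the permissions the page asks for, and checks an existing key file for the pitfalls just described (readable by others, PEM header as first line, too short). It assumes openssl(1) and a POSIX shell; #crypto and MrJenkins are the page's example names, WEECHAT_HOME defaults to ~/.weechat, the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the wirelesspt.net page or from crypt.py:
# create and sanity-check a shared key file for crypt.py.
set -eu

WEECHAT_HOME=${WEECHAT_HOME:-$HOME/.weechat}

# make_chat_key TARGET
# Writes $WEECHAT_HOME/cryptkey.TARGET: one line of 64 random hex digits
# (256 bits), created 0600 and never printed. Prints the path.
make_chat_key() {
    keyfile="$WEECHAT_HOME/cryptkey.$1"
    mkdir -p "$WEECHAT_HOME"
    umask 077
    openssl rand -hex 32 > "$keyfile"
    chmod 600 "$keyfile"
    printf '%s\n' "$keyfile"
}

# check_chat_key FILE
# Fails (with a reason on stderr) when the file is missing, readable by
# group or others, starts with a PEM header, or holds a short secret. The
# PEM check matters because a passphrase file read through openssl's
# "-pass file:" is truncated to its first line, and for a PEM key that
# line is the same fixed header for everyone.
check_chat_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "$f: readable by group/others, chmod 600 it" >&2; return 1 ;;
    esac
    first=$(head -n 1 "$f")
    case "$first" in
        "-----BEGIN "*) echo "$f: first line is a PEM header, not a secret" >&2; return 1 ;;
    esac
    [ "${#first}" -ge 32 ] || { echo "$f: secret shorter than 32 characters" >&2; return 1; }
    return 0
}

# Stand-alone use: sh chatkey.sh '#crypto' MrJenkins ...
for target in "$@"; do
    f=$(make_chat_key "$target")
    check_chat_key "$f"
    echo "created $f; send it to the other side with OpenPGP, for example:"
    echo "  gpg --encrypt --armor --recipient <peer> $f"
done
```

The OpenPGP step is printed rather than executed so that the secret is only ever encrypted to a recipient you name explicitly; run check_chat_key on key files you receive from others as well.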

You can optionally add an indicator to the status bar by adding encrypted to weechat.bar.status.items. This command will tell you your current value:

/set weechat.bar.status.items

Copy all the values you have there, and then add the word encrypted

/set weechat.bar.status.items ...............................,encrypted

Ircrypt

ircrypt.py is used exactly like fish.py with channels and nicknames (the setup process is the same), but with much better cryptography than Blowfish.

The next step is to distribute the key to the other people for chat decryption. Take a minute to consider the best way to do this, as the chat will only be as secure as this key. Use OpenPGP to send it.

/script install ircrypt.py
/ircrypt
/help ircrypt

Note that with ircrypt the keys are stored by WeeChat in its configuration files in plain text, so protect those files like the key files above.

Xsalsa20

<under development for irc>

Blowfish

Blowfish (fish.py) is old and deprecated, both for private chats and for channels. Do not use it for sensitive conversations; it no longer offers the security it once did.

/script install fish.py
/help blowkey 

Rot13

This offers NO SECURITY and should only be used for study reasons and character manual human decryption games.

Addons

WeeChat can be used as a multi-protocol, multi-account chat client, replacing many other heavy, bloated and insecure applications.

Below are some examples:

Bitlbee

Although WeeChat has a Jabber/XMPP plugin, a BitlBee gateway is a much better choice: it connects you to many more chat platforms through a normal IRC connection.

This configuration example uses a BitlBee instance reachable as a Tor hidden service, compiled with OTR support. The server has to exist before its options can be set, and a .onion address needs the tor proxy defined above:

/server add BitlBee address.of.the.onion/port
/set irc.server.BitlBee.proxy tor
/set irc.server.BitlBee.nicks nickname
/set irc.server.BitlBee.username nickname_username
/set irc.server.BitlBee.realname BitlBee
/set irc.server.BitlBee.command /msg &bitlbee identify nickname_password

(Store nickname_password with /secure as shown for NickServ above and reference it as ${sec.data.name} instead of writing it in clear text.)

Connect to it:

/connect BitlBee

Register your BitlBee account, typed in the &bitlbee control channel:

register password

To add accounts:

help account
account add jabber name_to_use_in_account

Matrix

Using Matrix federated servers without a third-party client such as Riot.

Make sure the required dependencies are installed on your operating system:

  • Debian-based distros: lua-cjson
  • Gentoo-based distros: dev-lua/lua-cjson, and WeeChat built with Lua support

In a shell in your home directory:

git clone https://github.com/torhve/weechat-matrix-protocol-script.git

Copy the script to WeeChat:

mkdir -p ~/.weechat/lua/autoload
cp weechat-matrix-protocol-script/matrix.lua ~/.weechat/lua

Load it automatically at startup (the link has to be inside the autoload directory):

ln -s ../matrix.lua ~/.weechat/lua/autoload/matrix.lua

Load/unload it manually:

/lua load matrix.lua
/lua unload matrix.lua

Each option is documented with /help, for example:

/help plugins.var.lua.matrix.local_echo

List and set the matrix options:

/set plugins.var.lua.matrix.*
/set plugins.var.lua.matrix.user account_user_name
/set plugins.var.lua.matrix.password password

(Script options are stored in plugins.conf in clear text, so protect that file.)

Set the chosen Matrix server:

/set plugins.var.lua.matrix.homeserver_url https://your.homeserver/

You can optionally add a typing indicator to the status bar by adding matrix_typing_notice to weechat.bar.status.items. This command shows your current value:

/set weechat.bar.status.items

Copy all the values you have there, and then add matrix_typing_notice:

/set weechat.bar.status.items ...............................,matrix_typing_notice

Connect to the matrix server:

/matrix connect

Disconnect from the matrix server:

/lua unload matrix.lua

Slack

If you use slack, you should use the OTR plugin and other cryptographic methods with your contacts.

/script install slack.py
/slack
/help slack

Whatsapp

Do you really want to use this? WhatsApp is not as secure as advertised. Please use Signal, or something better, instead!

If you use WhatsApp anyway, use the OTR plugin and other cryptographic methods with your contacts.

/script install whatsapp.py 
/help whatsapp

Interfaces

WeeChat provides two executables:

  • The curses interface, see weechat(1)
  • The headless version, see weechat-headless(1)

To use any of the remote interfaces (web or mobile clients), you need to create a relay in the running WeeChat.

/help relay 

Create relay

Create the certificate and key for the relay (self-signed is fine; the client pins or accepts it):

openssl req -x509 -nodes -days 1825 -utf8 -newkey rsa:4096 -sha512 -keyout relay.key -out relay.crt -subj /CN=relay
cat relay.crt relay.key > relay.pem
chmod 400 relay.key relay.crt relay.pem
mkdir -p ~/.weechat/ssl/
mv relay.key relay.crt relay.pem ~/.weechat/ssl/

Then, in WeeChat:

/set relay.network.ssl_priorities SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2
/set relay.network.ssl_cert_key %h/ssl/relay.pem
/set relay.network.allowed_ips allowed_ips_regex_or_leave_blank_for_all
/set relay.network.max_clients 5
/set relay.network.password relay_password
/relay add ssl.weechat 33033

  • Set ssl_cert_key before /relay add, or run /relay sslcertkey afterwards, so that the TLS relay has a certificate to serve.
  • allowed_ips is a regular expression matched against the client address; empty means any client that knows the password is accepted. Set it, and prefer binding the relay to localhost (/set relay.network.bind_address 127.0.0.1) with an SSH tunnel for remote access (see the note below).
  • relay.network.password is evaluated, so store the password with /secure and reference it as ${sec.data.relay}, as done for the IRC passwords above.

Add relay

To use a graphical or mobile interface, point it at the relay you just created: in the client (Glowing Bear, weechat-android and the like) enter the host, port 33033, the relay password, and enable SSL/TLS. The relay is not an IRC server: /connect does not apply to it, and nothing needs to be added on the client side with /relay.

Note: with weechat-android (and any other client that supports it), prefer an SSH connection authenticated with a public key from your phone to the machine running the relay, with the relay bound to 127.0.0.1. The client then reaches the relay through the SSH tunnel and no relay port is exposed to the Internet at all.

Weechat graphical interface clients:

Systemd

Tmux

Headless

Screen

Easy method:

screen -S chat -aAOU weechat
  • Detach and re-attach to the session when you wish (Ctrl-a d detaches from inside; -Dr re-attaches, detaching the session elsewhere first):
screen -d chat
screen -Dr chat

Add it as if it was a startup service to your local or remote computer user login session:

echo 'screen -St chat -aAOdmU weechat &' >> ~/.fluxbox/startup
  • xinitrc with whatever you decide to use:
echo 'exec screen -S chat -aAOdmU weechat &' >> ~/.xinitrc
man screen

See also

Other irc clients, you may be interested in checking out:

Links

Editor

Cmsv