diff --git a/opsec/index.html b/opsec/index.html index ed7a2bc..18a7be0 100644 --- a/opsec/index.html +++ b/opsec/index.html @@ -227,7 +227,7 @@
In this tutorial, we're going to check out how to setup a XMPP chat server, that is accessible over Tor, as a hidden service, using Prosody and Pidgin.
+In this tutorial, we're going to check out how to setup a XMPP chat server, that is accessible over Tor, as a hidden service, using Prosody. We'll also cover how to have a Clearnet XMPP server, and how to have OMEO End to End encryption using the Gajim XMPP client.
Before starting, check out this tutorial on how to create your first hidden service.
root@ANON-home:~# apt install prosody prosody-modules lua-unbound -y
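Review bot: the added intro line misspells the encryption extension as "OMEO"; the XMPP end-to-end encryption extension used by Gajim is OMEMO (XEP-0384), and the same misspelling recurs in the body further down, so fix it everywhere in this commit rather than just here. While touching the sentence, "setup a XMPP chat server" should read "set up an XMPP chat server", and since the intro now drops Pidgin in favour of Gajim, make sure the Pidgin-based client section that the unchanged context still refers to is either updated or explicitly kept as the Tor-only client walkthrough.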
@@ -328,9 +328,114 @@ Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.o
muc_log_expires_after = "1w"
+ First edit prosody.cfg.lua like so :
+
+[ Datura ] [ /dev/pts/3 ] [~]
+→ vim /etc/prosody/prosody.cfg.lua
+
+[...]
+
+VirtualHost "nowhere.moe"
+ssl = {
+ certificate = "/etc/ssl/nowhere.moe/fullchain.cer";
+ key = "/etc/ssl/nowhere.moe/nowhere.moe.key";
+}
+
+VirtualHost "nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion"
+
+[...]
+
+
+Then copy the existing acme.sh certificates for nowhere.moe into another non-root directory, otherwise prosody wont be able to read them:
+
+[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
+→ mkdir -p /etc/ssl/nowhere.moe/
+
+[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
+→ cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe
+
+[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
+→ sudo setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe/
+
+[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
+→ sudo -u prosody cat /etc/ssl/nowhere.moe/nowhere.moe.cer
+-----BEGIN CERTIFICATE-----
+MIIF5zCCBM+gAwIBAgISBCVaPZeC38+C4bWEm3yPX1LMMA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjQwODExMjAyMjI5WhcNMjQxMTA5MjAyMjI4WjAWMRQwEgYDVQQD
+Ewtub3doZXJlLm1vZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJPO
+[...]
+-----END CERTIFICATE-----
+
+
+
+to copy it once a day to the correct folder, you can do it via cronjob:
+
+[ Datura ] [ /dev/pts/7 ] [~]
+→ crontab -e
+
+0 0 * * * cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe ; setfacl -R -m u:prosody:rx /root/.acme.sh/nowhere.moe ; systemctl restart prosody
+
+
+Then, don't forget to create the clearnet user:
+
+[ Datura ] [ /dev/pts/7 ] [~]
+→ prosodyctl adduser usertest usertestpwd
+
+[ Datura ] [ /dev/pts/7 ] [~]
+→ prosodyctl passwd usertest@nowhere.moe
+
+
+Then you can just connect to the XMPP server over clearnet aswell, but one thing to note is that pidgin is limited when it comes to encrypting chats, so let's use Gajim instead as it comes with OMEO encryption out of the box:
+
+user@laptop: apt install gajim -y
+
+
+
+
+
+
+
+ Now here, you need to tell the other peer (if they don't have OMEO enabled) to install a XMPP client like gajim, just like you, to use OMEO encryption just like you, to have end to end encryption.
+ + + + + + + + +And that's it! you now have a XMPP server working over both Clearnet, and Tor, with end to end encryption.
-TODO: showcase a multi-user chat with 3 users
-TODO: showcase XMPP onion federation between server A <-> and B
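Review bot: the cron line applies the ACL to the wrong directory: the interactive steps run `setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe/`, but the cron entry runs `setfacl -R -m u:prosody:rx /root/.acme.sh/nowhere.moe`, which grants the prosody user read access to the acme.sh working tree under /root (something the surrounding text explicitly tries to avoid) while leaving the freshly copied files in /etc/ssl/nowhere.moe without the ACL they need. Change the cron entry to `cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe ; setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe ; systemctl restart prosody` (a `prosodyctl reload` would also pick up the new certificate without dropping client sessions). Two smaller points in the same hunk: the readability check `sudo -u prosody cat /etc/ssl/nowhere.moe/nowhere.moe.cer` tests a file the config never references; the `ssl` block points at `fullchain.cer` and `nowhere.moe.key`, and it is the private key that is most likely to be unreadable, so test that path instead. And `prosodyctl adduser usertest usertestpwd` does not match prosodyctl's usage, which takes a single JID (`prosodyctl adduser usertest@nowhere.moe`) and prompts for the password interactively; as written the second argument is ignored, which is presumably why a `prosodyctl passwd` call follows. The hunk also adds several empty `+` lines before the closing sentence that could be trimmed.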