blog-contributions/opsec/xmpp2024/index.html
2024-09-21 23:22:03 +02:00

482 lines
17 KiB
HTML

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>XMPP Chat Server Setup (Clearnet + Onion + OMEMO E2EE)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-08-05</ba></p>
<h1>XMPP Chat Server Setup (Clearnet + Onion + OMEMO E2EE)</h1>
<p>In this tutorial, we're going to check out how to setup a XMPP chat server, that is accessible over Tor, as a hidden service, using Prosody. We'll also cover how to have a Clearnet XMPP server, and how to have OMEMO End to End encryption using the Gajim XMPP client.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>XMPP Onion Server Setup </b></h2>
<p>Before starting, check out <a href="../torwebsite/index.html">this</a> tutorial on how to create your first hidden service.</p>
<pre><code class="nim">
root@ANON-home:~# apt install prosody prosody-modules lua-unbound -y
root@ANON-home:~# prosodyctl about
/var/lib/prosody/custom_plugins - not a directory!
/usr/local/lib/prosody/modules - not a directory!
/var/lib/prosody/custom_plugins/share/lua/5.4/?.lua
/var/lib/prosody/custom_plugins/share/lua/5.4/?/init.lua
root@ANON-home:~# mkdir /var/lib/prosody/custom_plugins
root@ANON-home:~# mkdir /usr/local/lib/prosody/modules -p
</code></pre>
<p>Then, we make sure that the tor hidden service includes the XMPP ports:</p>
<pre><code class="nim">
root@ANON-home:# vim /etc/tor/torrc
root@ANON-home:# cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion/
[...]
HiddenServicePort 5222 127.0.0.1:5222
HiddenServicePort 5269 127.0.0.1:5269
HiddenServicePort 5280 127.0.0.1:5280
HiddenServicePort 5281 127.0.0.1:5281
root@ANON-home:# systemctl restart tor@default
</code></pre>
<p>Here, my hidden service is aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion, let's check that the mod_onions module is installed and configure the prosody.cfg.lua file:</p>
<pre><code class="nim">
root@ANON-home:~# ls /usr/lib/prosody/modules/mod_onions
mod_onions.lua
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
[...]
VirtualHost "localhost"
-- Prosody requires at least one enabled VirtualHost to function. You can
-- safely remove or disable 'localhost' once you have added another.
VirtualHost "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion"
modules_enabled = {"onions"};
onions_only = true;
disco_items = {
{"conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion","Public Chatroom"},
{"upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion","Public Chatroom"}
}
Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc"
modules_enabled = { "onions" };
onions_only = true;
Component "upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "http_file_share"
modules_enabled = { "onions" };
onions_only = true;
[...]
</code></pre>
<p></p>
<pre><code class="nim">
root@ANON-home:~# prosodyctl cert generate aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
Choose key size (2048):
<b>Key written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.key</b>
Please provide details to include in the certificate config file.
Leave the field empty to use the default value or '.' to exclude the field.
countryName (GB):
localityName (The Internet):
organizationName (Your Organisation):
organizationalUnitName (XMPP Department):
commonName (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion):
emailAddress (xmpp@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion):
<b>Config written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.cnf
Certificate written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.crt</b>
root@ANON-home:~# prosodyctl check
[...]
Checking certificates...
Checking certificate for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
certmanager info No certificate present in SSL/TLS configuration for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required.
No 'certificate' found for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
Checking certificate for localhost
certmanager info No certificate present in SSL/TLS configuration for localhost. SNI will be required.
No 'certificate' found for localhost
Checking certificate for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
certmanager info No certificate present in SSL/TLS configuration for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required.
No 'certificate' found for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
Checking certificate for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
certmanager info No certificate present in SSL/TLS configuration for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required.
No 'certificate' found for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
For more information about certificates please see https://prosody.im/doc/certificates
Problems found, see above.
root@ANON-home:# mv /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.* /etc/prosody/certs/
</code></pre>
<p></p>
<pre><code class="nim">
root@ANON-home:/etc/prosody/certs# prosodyctl adduser nihilist@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion
Enter new password:
Retype new password:
#if you want to create users in batch:
root@ANON-home:/etc/prosody/certs# prosodyctl adduser testuser aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion p4ssw0rd
root@ANON-home:/etc/prosody/certs# systemctl restart prosody
root@ANON-home:/etc/prosody/certs# systemctl status prosody
● prosody.service - Prosody XMPP Server
Loaded: loaded (/lib/systemd/system/prosody.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-08-05 22:02:47 CEST; 4s ago
Docs: https://prosody.im/doc
Main PID: 3419 (lua5.4)
Tasks: 1 (limit: 4653)
Memory: 7.8M
CPU: 139ms
CGroup: /system.slice/prosody.service
└─3419 lua5.4 /usr/bin/prosody -F
Aug 05 22:02:47 ANON-home systemd[1]: Started prosody.service - Prosody XMPP Server.
</code></pre>
<p>all good now, now let's connect to it using pidgin:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/9 ] [~/Nextcloud/blog]
→ apt install pidgin -y
[ mainpc ] [ /dev/pts/9 ] [~/Nextcloud/blog]
→ pidgin
</code></pre>
<p>Then, create your account on the XMPP server:</p>
<img src="1.png" class="imgRz">
<img src="2.png" class="imgRz">
<img src="3.png" class="imgRz">
<img src="4.png" class="imgRz">
<img src="6.png" class="imgRz">
<img src="5.png" class="imgRz">
<p>Next, we can start chatting with Alice, who is another user on that XMPP server like so:</p>
<img src="7.png" class="imgRz">
<p>Then from Alice's XMPP client, we accept nihilist's buddy request:</p>
<img src="8.png" class="imgRz">
<img src="9.png" class="imgRz">
<img src="10.png" class="imgRz">
<img src="11.png" class="imgRz">
<p></p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Optional XMPP server options:</b></h2> </br> </br>
<p>if you want to enable message archiving, enable the "mam" module by uncommenting it:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
[...]
modules_enabled = {
"mam"; -- Store recent messages to allow multi-device synchronization
}
[...]
</code></pre>
<p>and then you can mention the expiration time of messages like so:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
archive_expires_after = "1w" -- remove archived messages after 1 week
</code></pre>
<p>you can choose to limit the bandwidth usage of your server too, using the mod_limits module:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
limits = {
c2s = {
rate = "10kb/s";
}
s2sin = {
rate = "30kb/s";
}
}
</code></pre>
<p>You can also enable archiving on the multi-user chats like so :</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc"
modules_enabled = { "onions", "muc_mam" };
onions_only = true;
</code></pre>
<p>And just like in mod_mam, you can set the expiration time of the messages in MUCs:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc"
modules_enabled = { "onions", "muc_mam" };
onions_only = true;
muc_log_expires_after = "1w"
</code></pre>
<p>Then, you can also enable file archiving using mod_http_file_share:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
Component "upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "http_file_share"
modules_enabled = { "onions" };
onions_only = true;
http_file_share_daily_quota = 100*1024*1024; -- 100 MiB
http_file_share_after = 7*86400; -- One week in seconds
http_file_share_size_limit = 10*1024*1024 -- 10 Mib
</code></pre>
<p>Then, as you're going to have a multi user chat, you'll most likely need the mod_muc_moderation module:</p>
<pre><code class="nim">
root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua
root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua
Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc"
modules_enabled = { "onions", "muc_mam", "muc_moderation" };
onions_only = true;
muc_log_expires_after = "1w"
</code></pre>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>XMPP Clearnet Server Setup</b></h2> </br> </br>
<p>First edit prosody.cfg.lua like so :</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/3 ] [~]
→ vim /etc/prosody/prosody.cfg.lua
[...]
VirtualHost "nowhere.moe"
ssl = {
certificate = "/etc/ssl/nowhere.moe/fullchain.cer";
key = "/etc/ssl/nowhere.moe/nowhere.moe.key";
}
VirtualHost "nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion"
[...]
</code></pre>
<p>Then copy the existing acme.sh certificates for nowhere.moe into another non-root directory, otherwise prosody wont be able to read them:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
→ mkdir -p /etc/ssl/nowhere.moe/
[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
→ cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe
[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
→ sudo setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe/
[ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe]
→ sudo -u prosody cat /etc/ssl/nowhere.moe/nowhere.moe.cer
-----BEGIN CERTIFICATE-----
MIIF5zCCBM+gAwIBAgISBCVaPZeC38+C4bWEm3yPX1LMMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQwODExMjAyMjI5WhcNMjQxMTA5MjAyMjI4WjAWMRQwEgYDVQQD
Ewtub3doZXJlLm1vZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJPO
[...]
-----END CERTIFICATE-----
</code></pre>
<p>to copy it once a day to the correct folder, you can do it via cronjob:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/7 ] [~]
→ crontab -e
0 0 * * * cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe ; setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe ; systemctl restart prosody
</code></pre>
<p>Then, don't forget to create the clearnet user:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/7 ] [~]
→ prosodyctl adduser usertest usertestpwd
[ Datura ] [ /dev/pts/7 ] [~]
→ prosodyctl passwd usertest@nowhere.moe
</code></pre>
<p>Then you can just connect to the XMPP server over clearnet aswell, but one thing to note is that pidgin is limited when it comes to encrypting chats, so let's use Gajim instead as it comes with OMEMO encryption out of the box:</p>
<pre><code class="nim">
user@laptop: apt install gajim -y
</pre></code>
<img src="12.png" class="imgRz">
<img src="13.png" class="imgRz">
<img src="14.png" class="imgRz">
<img src="15.png" class="imgRz">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>XMPP OMEMO End to End Encryption (E2EE)</b></h2> </br> </br>
<img src="16.png" class="imgRz">
<img src="17.png" class="imgRz">
<img src="18.png" class="imgRz">
<img src="19.png" class="imgRz">
<img src="20.png" class="imgRz">
<img src="21.png" class="imgRz">
<img src="22.png" class="imgRz">
<p>Now here, you need to tell the other peer (if they don't have OMEMO enabled) to install a XMPP client like gajim, just like you, to use OMEMO encryption just like you, to have end to end encryption.</p>
<img src="23.png" class="imgRz">
<img src="25.png" class="imgRz">
<img src="26.png" class="imgRz">
<img src="27.png" class="imgRz">
<img src="28.png" class="imgRz">
<img src="29.png" class="imgRz">
<img src="30.png" class="imgRz">
<p>And that's it! you now have a XMPP server working over both Clearnet, and Tor, with end to end encryption.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>