irc_servers.shtml

<!--#set var="page_title" value="About freenode: IRC Servers" -->
<!--#set var="content_title" value="IRC Servers" -->
<!--#include file="include/header-mainlogos.shtml" -->

<p>Our main server rotation is <span class="verbatim-i">chat.freenode.net</span>. Pointers to <span class="freenode">freenode</span> currently include irc.ghostscript.com, irc.gnu.org, irc.handhelds.org, and irc.kde.org. Please see our <a href="acknowledgements.shtml">acknowledgements</a> page for the generous groups and organizations who have helped us to provide this service. The network needs servers on the Pacific Rim and in the Americas. If you think you might be able to help our community in this way, please take a look at the <a href="hosting_ircd.shtml">server hosting page</a> and email us at <b>hosting at freenode dot net</b>. Thanks!</p>

<p>If you're running <a href="http://www.torproject.org/">Tor</a>,
access is available via our <a href="#tor">hidden service.</a></p>

<p> The following table lists <span class="freenode">freenode</span> client servers. Please be aware that the below list is at no time authoritative, and as such our advice is to connect using <span class="verbatim-i">chat.freenode.net</span>. If you are using one of the servers below and it's not working, please check that it's in <span class="verbatim-i">chat.freenode.net</span> and select another server from that list if it's not.</p>

<p>The main rotation, chat.freenode.net, has AAAA records for servers with IPv6 capability, so simply telling your client to connect to chat.freenode.net by IPv6 should work. We do not provide regional rotations, except Asia/Pacific Rim, because we aren't very good at keeping them up-to-date as the main rotation changes.</p>

<p id="ports">All <span class="freenode">freenode</span> servers listen on ports 6665, 6666, 6667, 6697 (SSL only), 7000 (SSL only), 7070 (SSL only), 8000, 8001 and 8002.</p>

<table class="serverlist">
<tr class="sl_header"><td>Asia/Pacific Rim</td><td>chat.au.freenode.net</td><td>IPv4/IPv6</td></tr>
<tr><td>Perth, AU</td><td>banks.freenode.net</td><td>IPv4</td></tr>
<tr><td>Perth, AU</td><td>bradbury.freenode.net</td><td>IPv4</td></tr>
<tr><td>Brisbane, AU</td><td>roddenberry.freenode.net</td><td>IPv4, IPv6</td></tr>

<tr class="sl_header"><td>Europe</td><td>&nbsp;</td><td>IPv4/IPv6</td></tr>
<tr><td>Budapest, HU</td><td>adams.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Paris, FR</td><td>barjavel.freenode.net</td><td>IPv4</td></tr>
<tr><td>Milan, IT</td><td>calvino.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Vilnius, LT</td><td>cameron.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Sofia, BG</td><td>hitchcock.freenode.net</td><td>IPv4</td></tr>
<tr><td>Bucharest, RO</td><td>hobana.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>London, UK</td><td>holmes.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Frankfurt, DE</td><td>kornbluth.freenode.net</td><td>IPv4</td></tr>
<tr><td>Ume&aring;, SE</td><td>leguin.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Amsterdam, NL</td><td>orwell.freenode.net</td><td>IPv4</td></tr>
<tr><td>Helsinki, FI</td><td>rajaniemi.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Vilnius, LT</td><td>sendak.freenode.net</td><td>IPv4</td></tr>
<tr><td>Stockholm, SE</td><td>sinisalo.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Amsterdam, NL</td><td>verne.freenode.net</td><td>IPv4</td></tr>
<tr><td>Haarlem, NL</td><td>wilhelm.freenode.net</td><td>IPv4, IPv6</td></tr>

<tr class="sl_header"><td>United States</td><td>&nbsp;</td><td>IPv4/IPv6</td></tr>
<tr><td>Dallas, TX</td><td>asimov.freenode.net</td><td>IPv4</td></tr>
<tr><td>Washington, DC</td><td>card.freenode.net</td><td>IPv4</td></tr>
<tr><td>Ashburn, VA</td><td>dickson.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>Chicago, IL</td><td>morgan.freenode.net</td><td>IPv4, IPv6</td></tr>
<tr><td>San Jose, CA</td><td>weber.freenode.net</td><td>IPv4</td></tr>
</table>

<h2 id="ssl">Accessing freenode Via SSL</h2>

<p><span class="freenode">freenode</span> provides SSL client access on all
servers. If your client is not configured to verify SSL certificates, then you
can simply connect, with SSL enabled, on port 6697, 7000 or 7070. Users
connecting over SSL will be given user mode +Z, and
<span class="verbatim-i">is using a secure connection</span> will appear in
WHOIS (a 671 numeric). Webchat users will not appear
with +Z or the 671 numeric, even if they connect to webchat via SSL.</p>

<p>If you wish to verify the server certificates on connection, some additional
work may be required. First, ensure that your system has an up-to-date set of
root CA certificates. On most linux distributions this will be in a package
named something like ca-certificates. Many systems install these by default, but
some do not (such as FreeBSD, on which the package you wish to install is
ca_root_nss, and the cafile to use would be
/usr/local/share/certs/ca-root-nss.crt). For most clients this should be
sufficient. If not, you can download the required intermediate cert from <a
href="http://crt.gandi.net/GandiStandardSSLCA.crt">Gandi</a> and the root
cert from <a href="http://www.instantssl.com/ssl-certificate-support/cert_installation/UTN-USERFirst-Hardware.crt">InstantSSL</a>.</p>

<p>Those of you using irssi will find that it has some oddities in SSL
certificate verification, and will not find the root certificates on its own. To
work around this, use</p>


<p><span class="verbatim-b">/connect -ssl_verify -ssl_capath /etc/ssl/certs chat.freenode.net
6697</span></p>


<p>or on FreeBSD</p>


<p><span class="verbatim-b">/connect -ssl_cafile /usr/local/share/certs/ca-root-nss.crt
chat.freenode.net 6697</span></p>


<p>Once you tell irssi where to find the root certificates, it should be able to
verify the certificate correctly.</p>

<p>Client SSL certificates are also supported, and may be used for identification
to services via <a href="certfp/">CertFP</a>. If you have connected with a client
certificate, <span class="verbatim-i">has client certificate fingerprint
<span class="subst">f1ecf46714198533cda14cccc76e5d7114be4195</span></span> (showing
your certificate's SHA1 fingerprint in place of
<span class="verbatim-i subst">f1ecf46...</span>)
will appear in WHOIS (a 276 numeric).</p>

<h2 id="tor">Accessing freenode Via Tor</h2>

<p><a href="http://www.torproject.org/">Tor</a> provides anonymous access to internet services, including IRC, and protects users' privacy from various forms of traffic analysis. The <span class="freenode">freenode</span> network welcomes Tor users.</p>

<p>The primary Tor hidden service address for <span class="freenode">freenode</span> is <a href="irc://frxleqtzgvwkv7oz.onion">frxleqtzgvwkv7oz.onion</a>. The service listens on ports 6667, 6697 (SSL), 7000 (SSL), and 7070 (SSL). To connect, a NickServ account is needed, and the IRC client must be configured to support SASL. Information on how to register a nick can be found on <a href="faq.shtml#nicksetup">our FAQ page</a>, and <a href="/sasl">our SASL pages</a> describe clients that support SASL and how to configure many of them. Tor's wiki also has a page on <a href="https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc">configuring IRC clients to use Tor</a>.</p>

<p>If your IRC client can handle SOCKS5 with remote DNS, just connect to the .onion address directly, and this is preferred. Otherwise, Tor's "mapaddress" feature can work around the missing remote DNS support. Add a line to your <a href="https://www.torproject.org/docs/faq#torrc">torrc</a>, as in this example:
</p>
<p><span class="verbatim-b">mapaddress 10.40.40.40 frxleqtzgvwkv7oz.onion</span></p>
<p>(Note for irssi users: we do not recommend Privoxy; it's unnecessary. Just use mapaddress and torrify irssi.)</p>

<p>User connections through Tor are assigned a gateway cloak of <span class="verbatim-i">gateway/tor-sasl/</span> followed by the account name of the user (provided during SASL authentication). If the account name contains characters that cannot be represented in a cloak, then the token <span class="verbatim-i">/x-<span class="subst">NNNNNNNN</span></span> is also appended. The <span class="verbatim-i subst">NNNNNNNN</span> is a set of digits which should be consistent for a given account name, but may otherwise be treated as random.</p>

<p>Channel owners are free to deny access to their channels by various gateway users, but please don't limit access to gateways too broadly or completely. In particular, don't ban all gateways or all of Tor by doing something like <span class="verbatim-i">/mode <span class="subst">#channel</span> +b *!*@gateway/*</span>. A quiet instead of a ban can be just as effective, so please use a quiet if at all possible: <span class="verbatim-i">/mode <span class="subst">#channel</span> +q *!*@gateway/tor-sasl/*</span>. If you do something like this, make it temporary, not permanent. Network staff can turn off new gateway connects on a temporary basis and remove abusive users. We're happy to do so; simply contact a staffer whenever your channel experiences abuse. Remember that some users have very little choice about using gateways, and be considerate in your control of access.</p>

<p>Connections to <span class="freenode">freenode</span> directly from Tor exit nodes are not allowed, as it is impossible to distinguish traffic originating on that computer from Tor exit traffic. In addition to providing better protection and location privacy, the hidden service gives end-to-end encryption, providing benefits similar to using SSL (ircs/irc-ssl). If you do want to be a Tor exit node and still use <span class="freenode">freenode</span>, you will have to configure your exit policy to block all of the <a href="#ports">IRC ports</a> we use, in addition to ports 80 and 443 as these are used for webchat. Alternatively, you can allow any ports in your exit policy, and always connect to <span class="freenode">freenode</span> using the hidden service.</p>
<p>We encourage you to consider providing "middleman" bandwidth to the Tor network by <a href="https://www.torproject.org/docs/tor-doc-relay.html.en">setting up your host as a Tor relay</a>. Specify how much bandwidth you want to provide and set your exit policy to <span class="verbatim-i">reject *:*</span>. It will help us make up for the bandwith we use for <span class="freenode">freenode</span>'s hidden service.<p>

<p>Be sure to HUP (reload) Tor if you change your torrc. This applies to both exit policy changes and mapaddress changes. Exit policy changes may take a day or two before the update is reflected and you are able to connect to <span class="freenode">freenode</span> again. Mapaddress changes should be immediate.</p>

<p>If you have trouble connecting to the hidden service, make sure <a href="/sasl">SASL</a> is working correctly, perhaps by connecting normally (not through Tor) and seeing that you're identified. If SASL works, try shutting down and restarting the Tor daemon. There may be a bug in the Tor hidden service limiting the number of long-lived concurrent connections. If you are still unable to connect after restarting the Tor daemon, then try using a secondary address:</p>
<ul><li><a href="irc://p567hbjdstqvg7xw.onion">p567hbjdstqvg7xw.onion</a></li>
<li><a href="irc://2hktdmgt6bg2hjuc.onion">2hktdmgt6bg2hjuc.onion</a></li>
<li><a href="irc://l4wvhvf666nifnpg.onion">l4wvhvf666nifnpg.onion</a></li></ul>

<p>Tor users represent much less than 1% of our total userbase. We appreciate your accessing <span class="freenode">freenode</span> via the Tor hidden service; however, we have a limited amount of staffer time to troubleshoot and resolve issues. If we have to restart the hidden service, that means disconnecting all the currently-connected Tor users, so we prefer to avoid that if possible.</p>

<!--#set var="SPONSOR_LINKS" value="<small>
	</small>"-->
<!--#include file="include/trailer.shtml" -->