Firewall

The following ports have to be opened in your firewall:

6697/tcp  # IRC SSL


ZNC

ZNC is an IRC network bouncer or BNC. It can detach the client from the actual IRC server, and also from selected channels. Multiple clients from different locations can connect to a single ZNC account simultaneously and therefore appear under the same nickname on IRC.


Installation

sudo apt install znc


Creating a user account

sudo useradd --create-home -d /var/lib/znc --system --shell /bin/false --comment "ZNC IRC Bouncer" --user-group znc


Creating a systemd unit file

/etc/systemd/system/znc.service
[Unit]
Description=ZNC, an advanced IRC bouncer
After=network-online.target
 
[Service]
ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
User=znc
 
[Install]
WantedBy=multi-user.target


Configuration

sudo -u znc /usr/bin/znc --datadir=/var/lib/znc --makeconf
[ ?? ] Listen on port (1025 to 65534): 6697
[ ?? ] Listen using SSL (yes/no) [no]: yes
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: yes
 
 
[ ?? ] Username (alphanumeric): user1
[ ?? ] Enter password: ******
[ ?? ] Confirm password: *****
[ ?? ] Nick [admin]: user1
[ ?? ] Alternate nick [admin_]: user1_
[ ?? ] Ident [admin]: user1
[ ?? ] Real name [Got ZNC?]: User One
 
 
[ ?? ] Set up a network? (yes/no) [yes]: yes
[ ?? ] Name [freenode]: freenode
[ ?? ] Server host [chat.freenode.net]: chat.freenode.net
[ ?? ] Server uses SSL? (yes/no) [yes]: yes
[ ?? ] Server port (1 to 65535) [6697]: 6697
[ ?? ] Server password (probably empty):
 
 
[ ?? ] Launch ZNC now? (yes/no) [yes]: no


SSL certificates

The znc.pem file is a concatenation of the private key and the full certificate chain. In case you use Let's Encrypt:

sudo su -c 'cat /etc/letsencrypt/live/quietlife.nl/{privkey,fullchain}.pem > /var/lib/znc/znc.pem'
sudo chown znc:znc /var/lib/znc/znc.pem && sudo chmod 600 /var/lib/znc/znc.pem


Strong ciphers

/var/lib/znc/configs/znc.conf
SSLCertFile = /var/lib/znc/znc.pem
SSLProtocols = -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCiphers = AES384+EECDH:AES384+EDH:AES256+EECDH:AES256+EDH


Enabling and starting the daemon

sudo systemctl enable znc.service
sudo systemctl start znc.service


Client configuration

sudo apt install hexchat


HexChat > Network List > Add > quietlife.nl

Edit >
        Servers: quietlife.nl/+6697
        [x] Connect to this network automatically
        [x] Use SSL for all the servers on this network
        Login method: Default
        Password: <ZNC user password>
        Character set: UTF-8 (Unicode)
        
Close > Connect


Enabling SASL for NickServ authentication

From the Freenode menu, run:

/znc LoadMod sasl
/query *sasl

From the SASL menu, run:

set $username $password

(Use your Freenode NickServ credentials.)



SSL certificate renewal

Unlike Apache, nginx, Dovecot and Postfix, ZNC does not briefly run as root at startup in order to read from /etc/ssl/ or /etc/letsencrypt/. The key and certificates therefore have to be copied to the /var/lib/znc directory, where the znc user can read them. If you use Let's Encrypt, this means that you have to renew those copies every three months.

This can be automated with a script you run as root:

#!/bin/bash
 
cat /etc/letsencrypt/live/quietlife.nl/{privkey,fullchain}.pem > /var/lib/znc/znc.pem
 
chown znc:znc /var/lib/znc/znc.pem
chmod 600 /var/lib/znc/znc.pem
 
systemctl restart znc.service
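
A more defensive variant of the renewal script above, as an added example that is not part of the original page: it refuses to touch znc.pem when the key or chain is missing, writes the new file with mode 600 from the start, swaps it in atomically, and restarts ZNC only when the content changed. The function name build_znc_pem, its return codes and the --run switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original page.
# build_znc_pem LIVE_DIR DEST [OWNER]
#   returns 0: DEST replaced, 1: input missing/invalid (DEST untouched),
#           2: DEST already identical (no restart needed)
build_znc_pem() {
    local live="$1" dest="$2" owner="${3:-}" tmp
    local key="$live/privkey.pem" chain="$live/fullchain.pem"

    # Validate inputs first so a failed renewal never truncates the live file.
    [ -s "$key" ] && [ -s "$chain" ] || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || return 1

    # mktemp creates the file with mode 600; same directory as DEST so mv is a rename.
    tmp="$(mktemp "$dest.XXXXXX")" || return 1
    if ! cat "$key" "$chain" > "$tmp"; then rm -f "$tmp"; return 1; fi

    # Unchanged certificate: keep the existing file and signal "nothing to do".
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 2
    fi

    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$dest"
}

# Hypothetical entry point: run as root with "--run" (for example from cron).
if [ "${1:-}" = "--run" ]; then
    build_znc_pem /etc/letsencrypt/live/quietlife.nl /var/lib/znc/znc.pem znc:znc
    case $? in
        0) systemctl restart znc.service ;;
        2) : ;;  # certificate unchanged, leave ZNC running
        *) echo "znc.pem not updated: key or chain missing/invalid" >&2; exit 1 ;;
    esac
fi
```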