The following ports have to be opened in your firewall:

6697/tcp  # IRC SSL

ZNC is an IRC network bouncer or BNC. It can detach the client from the actual IRC server, and also from selected channels. Multiple clients from different locations can connect to a single ZNC account simultaneously and therefore appear under the same nickname on IRC.


sudo apt install znc

Creating a user account

sudo useradd --create-home -d /var/lib/znc --system --shell /bin/false --comment "ZNC IRC Bouncer" --user-group znc

Creating a systemd unit file

[Unit]
Description=ZNC, an advanced IRC bouncer
[Service]
ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc


sudo -u znc /usr/bin/znc --datadir=/var/lib/znc --makeconf
[ ?? ] Listen on port (1025 to 65534): 6697
[ ?? ] Listen using SSL (yes/no) [no]: yes
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: yes
[ ?? ] Username (alphanumeric): user1
[ ?? ] Enter password: ******
[ ?? ] Confirm password: *****
[ ?? ] Nick [admin]: user1
[ ?? ] Alternate nick [admin_]: user1_
[ ?? ] Ident [admin]: user1
[ ?? ] Real name [Got ZNC?]: User One
[ ?? ] Set up a network? (yes/no) [yes]: yes
[ ?? ] Name [freenode]: freenode
[ ?? ] Server host []:
[ ?? ] Server uses SSL? (yes/no) [yes]: yes
[ ?? ] Server port (1 to 65535) [6697]: 6697
[ ?? ] Server password (probably empty):
[ ?? ] Launch ZNC now? (yes/no) [yes]: no

SSL certificates

The znc.pem file is a concatenation of the private key and the full certificate chain. If you use Let's Encrypt:

sudo su -c 'cat /etc/letsencrypt/live/{privkey,fullchain}.pem > /var/lib/znc/znc.pem'

Strong ciphers

SSLCertFile = /var/lib/znc/znc.pem
SSLProtocols = -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2

Enabling and starting the daemon

sudo systemctl enable znc.service
sudo systemctl start znc.service

sudo apt install hexchat

HexChat > Network List > Add >

Edit >
        [x] Connect to this network automatically
        [x] Use SSL for all the servers on this network
        Login method: Default
        Password: <ZNC user password>
        Character set: UTF-8 (Unicode)
Close > Connect

Enabling SASL for NickServ authentication

From the Freenode menu, run:

/znc LoadMod sasl
/query *sasl

From the SASL menu, run:

set $username $password

(Use your Freenode NickServ credentials.)

Unlike Apache, nginx, Dovecot and Postfix, ZNC does not briefly run as root at startup to read from /etc/ssl/ or /etc/letsencrypt/, so the certificates have to be copied to the /var/lib/znc directory. If you use Let's Encrypt, this means that you have to renew those copies every three months.

This can be automated with a script you run as root:

cat /etc/letsencrypt/live/{privkey,fullchain}.pem > /var/lib/znc/znc.pem
chown znc:znc /var/lib/znc/znc.pem
chmod 600 /var/lib/znc/znc.pem
systemctl restart znc.service
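
The same renewal step as an added example (not part of the original page), written as a certbot deploy hook: it builds znc.pem in a temporary file that is created with mode 0600 and renames it into place, so the private key is never readable by other users between the cat and the chmod, and a failed renewal cannot leave a truncated file behind. The hook path, ZNC_OWNER and build_znc_pem are names assumed for this example; RENEWED_LINEAGE is the variable certbot sets to the renewed certificate's live directory.

```shell
#!/bin/sh
# Added example: install as e.g. /etc/letsencrypt/renewal-hooks/deploy/znc.sh
# (file name is an assumption). certbot runs deploy hooks as root after a
# successful renewal and exports RENEWED_LINEAGE.

ZNC_PEM=/var/lib/znc/znc.pem        # path used on this page
ZNC_OWNER=${ZNC_OWNER:-znc:znc}     # account created earlier on this page

# build_znc_pem SRC_DIR DEST
# Concatenate SRC_DIR/privkey.pem and SRC_DIR/fullchain.pem into DEST.
build_znc_pem() {
    src=$1
    dest=$2
    key=$src/privkey.pem
    chain=$src/fullchain.pem

    # Refuse to replace a working znc.pem with empty or wrong input.
    grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "no private key in $key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE-----' "$chain" 2>/dev/null ||
        { echo "no certificate in $chain" >&2; return 1; }

    # mktemp creates the file with mode 0600 from the first byte. Keeping it
    # in the destination directory makes the final mv an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! chown "$ZNC_OWNER" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dest"
}

# Does nothing unless certbot invoked it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_znc_pem "$RENEWED_LINEAGE" "$ZNC_PEM" && systemctl restart znc.service
fi
```

Because ZNC is restarted only when the new file was installed successfully, a broken renewal leaves the previous certificate in service.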