So as many of you may know by now, the NSA has this little thing called “PRISM”, in which it can allegedly not only monitor and capture metadata, it may also have the ability to monitor our communications in real time. Knowing that, and having recently attended Defcon 21, my eyes were opened to the land of encrypted communication, and especially OTR. So, after leaving Defcon I wanted to do something to help provide people with an encrypted way to chat. I also wanted this to be a very cost-effective way to set up your “own” encrypted chat server, and this is why I decided to use the ever-so-cheap Raspberry Pi.
For this tutorial we’re just going to use the stock Raspbian image provided on raspberrypi.org. Personally I would suggest using something like Arch Linux if you’re comfortable with Linux and the command line. So first things first, write your freshly downloaded Raspbian image to an SD card (at least 2 GB in size). After that let’s boot up the Pi. In my case I just have the Pi connected to my router via ethernet. By default my router assigned it an IP address of 10.0.0.123 via DHCP. After seeing this I wanted to assign my Pi a static IP address of 10.0.0.122, so that if I need to reboot the Pi at some point it will always come back on 10.0.0.122. Now that I’ve got my Raspberry Pi set up with a static IP address, let’s SSH into it. By default the Raspbian image has an OpenSSH server running on port 22 with a default user pi and password raspberry. Those credentials are printed in every Raspbian guide, so anyone on your network can log in until you change them, which we will do in a moment. To connect from Windows you could use a client like PuTTY; on Mac or Linux you simply open up a terminal session.
chz@bacon ~ $ ssh pi@10.0.0.122
You should now be prompted to run raspi-config; to do so run sudo raspi-config. Go through the settings and adjust them to your location, time zone and hostname, and don’t forget to CHANGE YOUR PASSWORD. After you’re done and you exit raspi-config you’ll be asked if you want to reboot. Go ahead and do so, so that our changes (including the expanded partition table) are set up correctly. Once your Raspberry Pi has rebooted, SSH back into your box with the NEW PASSWORD you created. Then we’ll want to refresh the package lists and install any available updates. To do this run sudo apt-get update && sudo apt-get upgrade. Next we’ll set up our Jabber server. To do this run sudo apt-get install ejabberd (as seen in the screenshot below).
Alright, so now we’ve got a fresh Jabber server install, but it’s not exactly ready to take any connections. We’ll need to configure the server to fit our local settings. First off I would suggest you head to noip.com and set up an account with them. They will provide you with a dynamic DNS hostname that follows your home IP address, and that hostname is what goes into the ejabberd.cfg file; in this tutorial it is crypto.sytes.net. So now you’ve got your own domain to run your server on. Let’s configure the ejabberd.cfg file and change its settings to reflect our new hostname. To do this run sudo nano /etc/ejabberd/ejabberd.cfg, which opens the config file in nano and lets us make the changes we need. If you look at the screenshot below you’ll notice the areas I’ve changed. Under %%Admin user I’ve added my user chz between the “” and my hostname where “hostname” used to be. On the next line, %%Hostname, I added , “crypto.sytes.net” to the list of hosts. This allows our users to connect to our newly created dynamic DNS hostname. Note that this version of the config file is a list of Erlang terms and every entry must end with a period; a missing period or a stray comma is the usual reason ejabberd refuses to start after an edit.
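Here is what those two edits look like in the file, together with the client listener entries that decide whether connections are encrypted. This is an added example written for this page, not the author’s screenshot or a file shipped by ejabberd; the admin user and hostname follow the text, while the listener options (starttls_required, the legacy tls port and the certificate path) are assumptions based on the ejabberd 2.x Erlang-term configuration format that Raspbian shipped at the time.

```erlang
%% /etc/ejabberd/ejabberd.cfg (ejabberd 2.x, Erlang term syntax). Every
%% top-level entry ends with a period; a missing one stops the server from
%% starting. Added example based on the tutorial text, not the author's file.

%% Admin user: the JID chz@crypto.sytes.net gets admin rights.
{acl, admin, {user, "chz", "crypto.sytes.net"}}.

%% Hostnames served. "localhost" stays for local testing; users log in as
%% username@crypto.sytes.net, and ejabberdctl register must use this exact host.
{hosts, ["localhost", "crypto.sytes.net"]}.

%% Client-to-server listeners (only the two c2s entries are shown; keep the
%% other entries from the default file). Port 5222 negotiates TLS with
%% STARTTLS; starttls_required (assumed option, valid in ejabberd 2.x) refuses
%% clients that try to log in in plaintext. Port 5223 is the legacy SSL-only
%% port. ejabberd.pem is assumed to be the self-signed certificate created
%% when the package was installed.
{listen,
 [
  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls_required,
                        {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},
  {5223, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        tls,
                        {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]}
 ]}.
```

The default file ships with plain starttls on 5222, which lets a badly configured client send its password unencrypted; switching it to starttls_required closes that door before the port is exposed to the internet.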
Alright, moving on. Now we need to create some users on our new ejabberd server. It’s pretty simple: just run sudo ejabberdctl register username hostname.noip.com topsecretpassword, as the screenshot below depicts. The hostname must be exactly one of the hosts listed in ejabberd.cfg, since it becomes the domain part of the user’s JID (username@hostname.noip.com). Also keep in mind that the password is typed on the command line, so it lands in your shell history and is briefly visible in the process list to anyone else logged in to the Pi.
So now we’ve created a couple of accounts on our ejabberd server. Let’s restart the ejabberd service so that all our ejabberd.cfg modifications take effect. To do this simply run sudo service ejabberd restart. As depicted by the screenshot below your ejabberd server should restart without any errors. If you do encounter an error, it’s most likely due to something in the /etc/ejabberd/ejabberd.cfg file. One thing to watch for: ejabberd only registers accounts for hostnames the running server already knows about, so if the register command fails because of the host, restart the service first so the new hosts entry is loaded, then register the users.
We’re almost done. Now we need to go to our router page and port forward two ports for our ejabberd server to allow connections from outside our network. In my case I forwarded both port 5222 (the standard client port, where encryption is negotiated with STARTTLS) and 5223 (the legacy SSL-only client port) to 10.0.0.122. Only forward what you need: 5269 is only required if you want to federate with other Jabber servers, and 5280, ejabberd’s web admin interface, should stay inside your network. Remember that forwarding these ports exposes the login to the whole internet, so make sure your clients are set to require encryption and that users pick good passwords. If you don’t forward anything then you’re not going to be able to connect from outside of your local network, which is perfectly fine if you just plan on running the server internally. Let’s say your company needs a small internal chat server; then you could have users connect directly to 10.0.0.122 with their assigned username and password.
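Once the ports are forwarded, check from outside your network that what you exposed actually negotiates TLS. The script below is an added example written for this page (it is not from the original post or from ejabberd): it opens an XMPP stream on the forwarded port, checks whether the server advertises STARTTLS and whether it marks it required, upgrades the connection and prints the SHA-256 fingerprint of the certificate it gets. It assumes Python 3 and a server that speaks XMPP 1.0 stream features; the hostname crypto.sytes.net follows the text, and the sample server reply embedded in it is constructed for offline testing. Certificate verification is switched off on purpose because a fresh ejabberd install presents a self-signed certificate, so compare the printed fingerprint with the one your chat client shows instead.

```python
"""Check that a forwarded XMPP port offers (ideally requires) STARTTLS and
report the fingerprint of the certificate it presents.
Added example for this tutorial; not part of ejabberd or the original post."""
import hashlib
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of what an ejabberd server answers to a client's stream
# header when TLS is mandatory; used to exercise the parser offline.
SAMPLE_FEATURES = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' xmlns:stream='%s' "
    "id='1234' from='crypto.sytes.net' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='%s'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>" % (STREAM_NS, TLS_NS)
)


def stream_header(domain):
    """Opening <stream:stream> a client sends. 'to' is the XMPP domain from
    the hosts entry in ejabberd.cfg, not whatever the socket connected to."""
    return ('<?xml version="1.0"?><stream:stream to="%s" xmlns="jabber:client" '
            'xmlns:stream="%s" version="1.0">' % (domain, STREAM_NS))


def parse_features(data):
    """Return (starttls_offered, starttls_required) from raw server output.
    The server never closes <stream:stream> while the session is open, so the
    buffer is not a complete XML document: cut out <stream:features> and parse
    only that, wrapped so the stream: prefix is declared."""
    text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
    start = text.find("<stream:features")
    end = text.find("</stream:features>")
    if start < 0 or end < 0:
        return (False, False)
    fragment = text[start:end + len("</stream:features>")]
    root = ET.fromstring('<wrap xmlns:stream="%s">%s</wrap>' % (STREAM_NS, fragment))
    starttls = root.find(".//{%s}starttls" % TLS_NS)
    if starttls is None:
        return (False, False)
    return (True, starttls.find("{%s}required" % TLS_NS) is not None)


def colon_hex(digest_hex):
    """AB:CD:... formatting, the way chat clients show certificate fingerprints."""
    return ":".join(digest_hex[i:i + 2] for i in range(0, len(digest_hex), 2)).upper()


def check_server(host, port, domain, timeout=10):
    """Connect, negotiate STARTTLS and report what the server offers.
    Certificate validation is disabled on purpose (self-signed ejabberd.pem);
    the SHA-256 fingerprint is returned so it can be compared by hand."""
    sock = socket.create_connection((host, port), timeout)
    tls = None
    try:
        sock.sendall(stream_header(domain).encode("utf-8"))
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise RuntimeError("stream closed before features were sent")
            buf += chunk
        offered, required = parse_features(buf)
        if not offered:
            raise RuntimeError("no STARTTLS offered on port %d" % port)
        sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode("utf-8"))
        reply = sock.recv(4096)
        if b"<proceed" not in reply:
            raise RuntimeError("server refused STARTTLS: %r" % reply)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=domain)
        der = tls.getpeercert(binary_form=True)
        return {
            "starttls_required": required,
            "tls_version": tls.version(),
            "sha256_fingerprint": colon_hex(hashlib.sha256(der).hexdigest()),
        }
    finally:
        (tls or sock).close()


if __name__ == "__main__":
    # e.g.  python3 xmpp_tls_check.py crypto.sytes.net 5222 crypto.sytes.net
    host, port, domain = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for key, value in sorted(check_server(host, port, domain).items()):
        print("%s: %s" % (key, value))
```

Run it from a machine outside your LAN against the dynamic DNS name. If starttls_required comes back False, the server still accepts clients that never ask for TLS, and such a client would send its password over 5222 in the clear; if the fingerprint changes between runs without you having touched the Pi, something is sitting between you and the server.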
So where is this OTR encryption you speak of? Well, it’s built into several chat clients already, either natively or via a plugin, including Pidgin, Empathy, Xabber and a slew of others. For a list of clients you can use check out the OTR site and find the client that’s right for you. Once you’ve got your client up and running, you’re connected to the server and chatting with a friend, choose “Off the record”. The two clients exchange keys automatically, and you’ll then be asked to authenticate your friend, for example by posing a secret question only they could answer (OTR’s socialist millionaire protocol) or by comparing key fingerprints over another channel. This step matters: without it you only know you are talking to someone holding an OTR key, not that that someone is your friend. Once this is done your messages are encrypted end to end between the two clients, so the ejabberd server on your very own Raspberry Pi (and anyone watching its traffic) sees only ciphertext. What the server still sees is who talks to whom and when, so OTR hides the content of your chats but not your contact list. Well, that pretty much sums it up; if you have any questions about this article feel free to post a comment or click the chat tab above and message me on IRC.