In this tutorial we're going to see how to setup a chat application for Anonymous use. This is especially important in a world where mass-surveillance is nearly-omnipresent. It has become the end users' responsibility to uphold their privacy and anonymity while communicating online.
Sidenote: Help us improve this tutorial by letting us know if there's anything missing or incorrect on this git issue directly!
In order to choose the most appropriate messaging app for our intended use (Anonymity), we have the following requirements:
Privacy:
The application must be free and open source (FOSS)
The application must have End to End Encryption by default (E2EE)
The application must allow us to run and use our own servers (Decentralisation)
Anonymity:
The application must support Tor .onion servers out of the box
The application must allow you to chat without requiring any information (no emails, no usernames, no phone numbers)
The application must have the ability for us to join chatrooms without revealing our identity (Incognito Mode)
Deniability:
The application must have disappearing messages (Deniability)
You'd be suprised to see that as of right now (November 2024) there is only SimpleX that actually fits all of these criterias. therefore that's what we'll use for Anonymous chats.
Hardware : Google Pixel Phone
Host OS: GrapheneOS
Graphene Profile: Anonymous Use
Applications: Orbot and SimpleX
Hardware : (Personal Computer / Laptop)
Host OS: Linux
Hypervisor: libvirtd QEMU/KVM
Application: Tor (if not on Whonix or Tails), and SimpleX
We will be going through how to set up your own SimpleX server through Tor, and how to configure your Android client to route your traffic through it.
First, update your package list and install Tor by running the following commands in your terminal:
sudo apt update
sudo apt install tor
Once installed, start the Tor service:
sudo systemctl start tor@default
Next you'll need to download SimpleX AppImage which can be found here on SimpleX website.
Open a terminal in the directory of your downloaded AppImage. Make the AppImage executable, then launch it:
[ mainpc ] [ /dev/pts/26 ] [~]
→ chmod +x simplex-desktop-x86_64.AppImage
[ mainpc ] [ /dev/pts/26 ] [~]
→ ./simplex-desktop-x86_64.AppImage
Download and install the Orbot .apk from the GitHub repository.
Open Orbot, and in the bottom-right corner, tap on More, then Settings to enter the settings.
In the settings menu, scroll down and enable the Power User Mode.
After enabling Power User Mode, go back to the More section and press Choose apps and select SimpleX in the list. Go back to Connect in the bottom navigation menu and press Connect.
Download and install SimpleX using F-Droid
Navigate through the setup process, select your username, and press Create. The screenshots showcase the process for Android, but the steps are identical for Linux/GNU as well.
Once you've created your profile, open the kebab menu on the bottom left and open Settings > Network and servers and activate SOCKS Proxy. Press SOCKS proxy settings and set your port to 9050, then save.
It's important to note that in theory, it doesn't matter which SimpleX server you connect to, as all communications are end-to-end encrypted. When you connect via Tor, it further ensures that the server itself won't be able to trace your connection back to you. Your anonymity is maintained through the use of Tor, and your conversations are protected by SimpleX's encryption.
We're going to make use of HackLiberty's tutorial on how to install and configure a SimpleX server using Docker.
First we're going to create the docker-compose.yml file and the .env file as follows:
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat docker-compose.yml
version: '3.7' #this version is obsolete, change me
networks:
tor-test:
driver: bridge
ipam:
config:
- subnet: 10.6.0.0/24
gateway: 10.6.0.1
services:
simplex-smp-server:
image: simplexchat/smp-server:latest
container_name: simplex-smp
restart: always
user: "1000:1000" #user uid - change if necessary
ports:
- "127.0.0.1:5223:5223" #this will expose port 5223 to internet
volumes:
- ./smp/config:/etc/opt/simplex:Z
- ./smp/logs:/var/opt/simplex:Z
environment:
- ADDR=${SIMPLEX_ADDR}
# - PASS=${SIMPLEX_PASSWORD} #for non public servers
networks:
tor-test:
ipv4_address: 10.6.0.5
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
simplex-xftp-server:
image: simplexchat/xftp-server:latest
container_name: simplex-xftp
user: "1000:1000" #user uid - change if necessary
ports:
- "127.0.0.1:5233:5233" #port mapping to expose xftp to internet on port 5233
restart: always
volumes:
- ./xftp/config:/etc/opt/simplex-xftp:Z
- ./xftp/logs:/var/opt/simplex-xftp:Z
- ./xftp/files:/srv/xftp
environment:
- ADDR=${XFTP_ADDR}
- QUOTA=150gb #change to set your own quota
networks:
tor-test:
ipv4_address: 10.6.0.6
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tor:
image: osminogin/tor-simple
container_name: tor-simplex
volumes:
- ./tor-data:/var/lib/tor
- ./tor-data/torrc:/etc/tor
networks:
tor-test:
ipv4_address: 10.6.0.4
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat .env
SIMPLEX_ADDR="nowhere" #If using FDQN, make sure to set DNS record
SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1"
XFTP_ADDR="nowhere" #If using FDQN, make sure to set DNS record
#yes no clearnet at all
Then we're going to create the folders as follows:
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p {xftp,smp}/{config,logs}
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ tree .
.
├── docker-compose.yml
├── notes.txt
├── smp
│ ├── config
│ └── logs
└── xftp
├── config
└── logs
7 directories, 2 files
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p xftp/files
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ ls
docker-compose.yml notes.txt smp xftp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cd xftp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp]
→ ls
config files logs
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp]
→ cd ..
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ ls
docker-compose.yml notes.txt smp xftp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p tor-data/torrc
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p tor-data/{simplex-xftp,simplex-smp}
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p {xftp,smp}/{config,logs}
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chmod 700 tor-data/simplex-xftp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chmod 700 tor-data/simplex-smp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ sudo chown 100:65533 tor-data/simplex-xftp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ sudo chown 100:65533 tor-data/simplex-smp
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chown -R 100:65533 tor-data/
chmod 777 -R smp
chmod 777 -R xftp
Be aware that SimpleX's documentation doesn't recommend by default that the servers be anonymous, they only care about the users being anonymous, that's why they recommend these 3 lines in the torrc configuration:
SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
DO NOT USE THESE, otherwise your servers' location will be known. You need to use the following instead:
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ vim tor-data/torrc/torrc
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/torrc/torrc
SOCKSPort 0.0.0.0:9050
HiddenServiceDir /var/lib/tor/simplex-smp
HiddenServicePort 5223 simplex-smp:5223
HiddenServicePort 80 simplex-smp:80
HiddenServiceDir /var/lib/tor/simplex-xftp
HiddenServicePort 5233 simplex-xftp:5233
Then we're going to run the docker containers so that it creates the tor hostnames for both the smp and xftp services, so that we can use both in the .env file:
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ docker-compose up
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ tree tor-data
tor-data
├── simplex-smp
│ ├── authorized_clients
│ ├── hostname
│ ├── hs_ed25519_public_key
│ └── hs_ed25519_secret_key
├── simplex-xftp
│ ├── authorized_clients
│ ├── hostname
│ ├── hs_ed25519_public_key
│ └── hs_ed25519_secret_key
└── torrc
└── torrc
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/simplex-smp/hostname
b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/simplex-xftp/hostname
wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ vim .env
[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat .env
SIMPLEX_ADDR="b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion" #If using FDQN, make sure to set DNS record
SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1"
XFTP_ADDR="wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion" #If using FDQN, make sure to set DNS record
Then we'll save both the private keys in our keepass and then shred them:
#save both the private keys it in your keepass and then shred it
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/ca.key
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ shred -u smp/config/ca.key
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat xftp/config/ca.key
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ shred -u xftp/config/ca.key
Then we edit the smp config correctly as we will NOT use the clearnet at all, the config parts regarding port 443 https are to be commented.
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/smp-server.ini | tail -n3
#https: 443
#cert: /etc/opt/simplex/web.crt
#key: /etc/opt/simplex/web.key
[TRANSPORT]
# Host is only used to print server address on start.
# You can specify multiple server ports.
host: nowhere
#port: 5223,443 ## we dont need 443!
port: 5223
log_tls_errors: off
Then we also configure it so that the simplex smp server goes through the docker tor daemon to connect to other servers:
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ vim smp/config/smp-server.ini
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/smp-server.ini
[PROXY]
# Network configuration for SMP proxy client.
# `host_mode` can be 'public' (default) or 'onion'.
# It defines prefferred hostname for destination servers with multiple hostnames.
host_mode: onion
required_host_mode: on
# The domain suffixes of the relays you operate (space-separated) to count as separate proxy statistics.
# own_server_domains:
# SOCKS proxy port for forwarding messages to destination servers.
# You may need a separate instance of SOCKS proxy for incoming single-hop requests.
socks_proxy: 10.6.0.4:9050
#socks_proxy: tor-simplex:9050
# `socks_mode` can be 'onion' for SOCKS proxy to be used for .onion destination hosts only (default)
# or 'always' to be used for all destination hosts (can be used if it is an .onion server).
socks_mode: always
# Limit number of threads a client can spawn to process proxy commands in parrallel.
# client_concurrency: 32
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ vim xftp/config/file-server.ini
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat xftp/config/file-server.ini
[STORE_LOG]
# The server uses STM memory for persistence,
# that will be lost on restart (e.g., as with redis).
# This option enables saving memory to append only log,
# and restoring it when the server is started.
# Log is compacted on start (deleted objects are removed).
enable: on
# Expire files after the specified number of hours.
expire_files_hours: 48
log_stats: off
[AUTH]
# Set new_files option to off to completely prohibit uploading new files.
# This can be useful when you want to decommission the server, but still allow downloading the existing files.
new_files: on
# Use create_password option to enable basic auth to upload new files.
# The password should be used as part of server address in client configuration:
# xftp://fingerprint:password@host1,host2
# The password will not be shared with file recipients, you must share it only
# with the users who you want to allow uploading files to your server.
# create_password: password to upload files (any printable ASCII characters without whitespace, '@', ':' and '/')
# control_port_admin_password:
# control_port_user_password:
[TRANSPORT]
# host is only used to print server address on start
host: nowhere
port: 5233
log_tls_errors: off
# control_port: 5226
[FILES]
path: /srv/xftp
storage_quota: 10gb
[INACTIVE_CLIENTS]
# TTL and interval to check inactive clients
disconnect: off
# ttl: 21600
# check_interval: 3600
Then we simply run the docker containers again:
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ docker-compose down ; docker-compose up -d
Starting simplex-xftp ... done
Starting simplex-smp ... done
Starting tor-simplex ... done
simplex-smp | Server address: smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@nowhere
simplex-xftp | Server address: xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@nowhere
#need to manually change the @nowhere to be the onion urls:
smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion
xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233
Sidenote: One important thing to note though is that you shouldn't be the only one to use your own simplex servers as if you are the only one to use that one simplex server, people may figure out that you're the same person when trying to use different profiles. This is why you should list your simplex servers publicly somewhere, either in your own community like i did here:
Or you can list your simplex servers on public lists like this one:
Optional but recommended: Since you are using docker containers, you can easily automate keeping them updated with a simple cronjob:
[ Wonderland ] [ /dev/pts/4 ] [~]
→ crontab -e
#daily simplex containers update
0 0 * * * docker-compose -f /srv/simplex/docker-compose.yml pull ; docker-compose -f /srv/simplex/docker-compose.yml down; docker-compose -f /srv/simplex/docker-compose.yml up -d
Once that's done, we can go ahead and add the servers in our simplex client:
Now from our simplex client we need to make sure that we are using our own simplex servers, which have the following URL:
SMP server:
smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion
XFTP server:
xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233
And now that our simplex client is ONLY using our onion-only simplex servers, we can create our own chatrooms:
Now that we are using our own simplex servers, we can create a chatrooms in incognito mode (meaning that our username will simply be a random noun and adjective):
Enter a name for your group. You can also add a photo for the group.
Tick the Incognito option. Doing this ensures your profile name and image is hidden from your group members and allows for anonymous connections with other people without shared data. Once you have filled out the necessary information, press Create group.
as noted above, since you are only using tor-only simplex servers, this means that you are forcing the users to use Tor to be able to join your invite links. Here's what the invite link looks like:
https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D
as you can see the default invite link looks like that, and as you can see the onion server address appears in the link, which is the reason why if the user that wants to join doesnt have tor connectivity, he won't be able to join. If you don't want to use any of simplex's servers, you can simply replace the https://simplex.chat/ at the beginning with your simplex smp server onion url as follows:
http://b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D
If you want to not contact any simplex server to be able to view the invite link, you can simply replace the server address to simplex:/, which will transform the link as follows:
simplex:/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D
If you have received an invite to a SimpleX chatroom, you can join it by pressing the input field at the bottom of the screen labeled Search or paste SimpleX link.
Paste your invite link into the input field and press Enter.
You will be met with a window asking whether you'd like to connect using your current profile or using an Incognito profile.
Select Use new incognito profile.
This is because we don't want to reveal what our simplex username is, we just want to join the chatroom using a random username that is not tied to our identity.
And there as you can see, everyone that joins in in incognito gets a random pseudonym with the format "Random Adjective Random Word" effectively helping the users maintain their anonymity while in the chat.
By following this tutorial, you've set up a secure, anonymous chat system using SimpleX and Tor. You've learned how to install Orbot, configure SimpleX servers with `.onion` addresses, create incognito chatrooms, and join them anonymously. This setup ensures that your private conversations remain secure and untraceable.
- Installed Orbot and routed traffic through the Tor network.
- Configured SimpleX servers to use `.onion` addresses.
- Created and joined anonymous chatrooms in incognito mode.
Until there is Nothing left.
Creative Commons Zero: No Rights Reserved
Donate XMR:
42yco9t6qK98N191EZzKJUCH7cit5JT8mBJQvVULEPAPeBHurbFqGj2hK7kaFhqasv8AYLpbuP15Wg5suzyjUd5SMLqabRw
Contact: fuzzy.hat4381@fastmail.com