Previous Page

Hoover - 2024-10-12

Anonymity - Easy Anonymous Chats Using SimpleX (and onion-only servers)

In this tutorial we're going to see how to setup a chat application for Anonymous use. This is especially important in a world where mass-surveillance is nearly-omnipresent. It has become the end users' responsibility to uphold their privacy and anonymity while communicating online.

Sidenote: Help us improve this tutorial by letting us know if there's anything missing or incorrect on this git issue directly!

Choosing the most appropriate chat application

In order to choose the most appropriate messaging app for our intended use (Anonymity), we have the following requirements:

Privacy:

1. The application must be free and open source (FOSS)

2. The application must have End to End Encryption by default (E2EE)

3. The application must allow us to run and use our own servers (Decentralisation)

Anonymity:

1. The application must support Tor .onion servers out of the box

2. The application must allow you to chat without requiring any information (no emails, no usernames, no phone numbers)

3. The application must have the ability for us to join chatrooms without revealing our identity (Incognito Mode)

Deniability:

1. The application must have disappearing messages (Deniability)

You'd be suprised to see that as of right now (November 2024) there is only SimpleX that actually fits all of these criterias. therefore that's what we'll use for Anonymous chats.

Mobile OPSEC Recommendations:

1. Hardware : Google Pixel Phone

2. Host OS: GrapheneOS

3. Graphene Profile: Anonymous Use

4. Applications: Orbot and SimpleX

Desktop OPSEC Recommendations:

1. Hardware : (Personal Computer / Laptop)

2. Host OS: Linux

3. Hypervisor: libvirtd QEMU/KVM

4. Virtual Machine: Linux or Whonix or Tails

5. Application: Tor (if not on Whonix or Tails), and SimpleX

We will be going through how to set up your own SimpleX server through Tor, and how to configure your Android client to route your traffic through it.

How to Set Up Anonymous Chats

Step 1. Option A: GNU/Linux

First, update your package list and install Tor by running the following commands in your terminal:

sudo apt update
sudo apt install tor

Once installed, start the Tor service:

sudo systemctl start tor@default

Next you'll need to download SimpleX AppImage which can be found here on SimpleX website.

Open a terminal in the directory of your downloaded AppImage. Make the AppImage executable, then launch it:

[ mainpc ] [ /dev/pts/26 ] [~]
→ chmod +x simplex-desktop-x86_64.AppImage

[ mainpc ] [ /dev/pts/26 ] [~]
→ ./simplex-desktop-x86_64.AppImage

Step 1. Option B: Android

Download and install the Orbot .apk from the GitHub repository.

Open Orbot, and in the bottom-right corner, tap on More, then Settings to enter the settings.

In the settings menu, scroll down and enable the Power User Mode.

After enabling Power User Mode, go back to the More section and press Choose apps and select SimpleX in the list. Go back to Connect in the bottom navigation menu and press Connect.

Download and install SimpleX using F-Droid

Step 2.

Navigate through the setup process, select your username, and press Create. The screenshots showcase the process for Android, but the steps are identical for Linux/GNU as well.

Once you've created your profile, open the kebab menu on the bottom left and open Settings > Network and servers and activate SOCKS Proxy. Press SOCKS proxy settings and set your port to 9050, then save.

You have now successfully configured SimpleX to use Tor!

Step 3. SimpleX Server Setup

It's important to note that in theory, it doesn't matter which SimpleX server you connect to, as all communications are end-to-end encrypted. When you connect via Tor, it further ensures that the server itself won't be able to trace your connection back to you. Your anonymity is maintained through the use of Tor, and your conversations are protected by SimpleX's encryption.

We're going to make use of HackLiberty's tutorial on how to install and configure a SimpleX server using Docker.

First we're going to create the docker-compose.yml file and the .env file as follows:

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat docker-compose.yml
version: '3.7' #this version is obsolete, change me

networks:
  tor-test:
    driver: bridge
    ipam:
      config:
        - subnet: 10.6.0.0/24
          gateway: 10.6.0.1

services:
  simplex-smp-server:
    image: simplexchat/smp-server:latest
    container_name:  simplex-smp
    restart: always
    user: "1000:1000" #user uid - change if necessary
    ports:
      - "127.0.0.1:5223:5223" #this will expose port 5223 to internet
    volumes:
      - ./smp/config:/etc/opt/simplex:Z
      - ./smp/logs:/var/opt/simplex:Z
    environment:
      - ADDR=${SIMPLEX_ADDR}
#     - PASS=${SIMPLEX_PASSWORD} #for non public servers
    networks:
      tor-test:
        ipv4_address: 10.6.0.5
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  simplex-xftp-server:
    image: simplexchat/xftp-server:latest
    container_name:  simplex-xftp
    user: "1000:1000" #user uid - change if necessary
    ports:
      - "127.0.0.1:5233:5233" #port mapping to expose xftp to internet on port 5233
    restart: always
    volumes:
      - ./xftp/config:/etc/opt/simplex-xftp:Z
      - ./xftp/logs:/var/opt/simplex-xftp:Z
      - ./xftp/files:/srv/xftp
    environment:
      - ADDR=${XFTP_ADDR}
      - QUOTA=150gb #change to set your own quota
    networks:
      tor-test:
        ipv4_address: 10.6.0.6
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  tor:
    image: osminogin/tor-simple
    container_name: tor-simplex
    volumes:
      - ./tor-data:/var/lib/tor
      - ./tor-data/torrc:/etc/tor
    networks:
      tor-test:
        ipv4_address: 10.6.0.4

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat .env
SIMPLEX_ADDR="nowhere"      #If using FDQN, make sure to set DNS record
SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1"
XFTP_ADDR="nowhere"         #If using FDQN, make sure to set DNS record
#yes no clearnet at all

Then we're going to create the folders as follows:

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p  {xftp,smp}/{config,logs}

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ tree .
.
├── docker-compose.yml
├── notes.txt
├── smp
│   ├── config
│   └── logs
└── xftp
    ├── config
    └── logs

7 directories, 2 files

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p xftp/files

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ ls
docker-compose.yml  notes.txt  smp  xftp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cd xftp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp]
→ ls
config  files  logs

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex/xftp]
→ cd ..

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ ls
docker-compose.yml  notes.txt  smp  xftp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p tor-data/torrc

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p tor-data/{simplex-xftp,simplex-smp}

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ mkdir -p  {xftp,smp}/{config,logs}
[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chmod 700 tor-data/simplex-xftp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chmod 700 tor-data/simplex-smp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ sudo chown 100:65533  tor-data/simplex-xftp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ sudo chown 100:65533  tor-data/simplex-smp

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ chown -R 100:65533 tor-data/

chmod 777 -R smp
chmod 777 -R  xftp

Be aware that SimpleX's documentation doesn't recommend by default that the servers be anonymous, they only care about the users being anonymous, that's why they recommend these 3 lines in the torrc configuration:

SOCKSPort 0
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1

DO NOT USE THESE, otherwise your servers' location will be known. You need to use the following instead:

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ vim tor-data/torrc/torrc

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/torrc/torrc
 SOCKSPort 0.0.0.0:9050 
 HiddenServiceDir /var/lib/tor/simplex-smp
 HiddenServicePort 5223 simplex-smp:5223
 HiddenServicePort 80 simplex-smp:80
 HiddenServiceDir /var/lib/tor/simplex-xftp
 HiddenServicePort 5233 simplex-xftp:5233

Then we're going to run the docker containers so that it creates the tor hostnames for both the smp and xftp services, so that we can use both in the .env file:

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ docker-compose up

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ tree tor-data
tor-data
├── simplex-smp
│   ├── authorized_clients
│   ├── hostname
│   ├── hs_ed25519_public_key
│   └── hs_ed25519_secret_key
├── simplex-xftp
│   ├── authorized_clients
│   ├── hostname
│   ├── hs_ed25519_public_key
│   └── hs_ed25519_secret_key
└── torrc
    └── torrc

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/simplex-smp/hostname
b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat tor-data/simplex-xftp/hostname
wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ vim .env

[ Wonderland ] [ /dev/pts/15 ] [/srv/simplex]
→ cat .env
SIMPLEX_ADDR="b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion"      #If using FDQN, make sure to set DNS record
SIMPLEX_PASSWORD="dawiuhwaihyawy4129y89u0u1"
XFTP_ADDR="wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion"         #If using FDQN, make sure to set DNS record

Then we'll save both the private keys in our keepass and then shred them:

#save both the private keys it in your keepass and then shred it

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/ca.key
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ shred -u smp/config/ca.key

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat xftp/config/ca.key
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ shred -u xftp/config/ca.key

Then we edit the smp config correctly as we will NOT use the clearnet at all, the config parts regarding port 443 https are to be commented.

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/smp-server.ini | tail -n3
#https: 443
#cert: /etc/opt/simplex/web.crt
#key: /etc/opt/simplex/web.key

[TRANSPORT]
# Host is only used to print server address on start.
# You can specify multiple server ports.
host: nowhere
#port: 5223,443 ## we dont need 443!
port: 5223
log_tls_errors: off

Then we also configure it so that the simplex smp server goes through the docker tor daemon to connect to other servers:

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ vim smp/config/smp-server.ini

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat smp/config/smp-server.ini

[PROXY]
# Network configuration for SMP proxy client.
# `host_mode` can be 'public' (default) or 'onion'.
# It defines prefferred hostname for destination servers with multiple hostnames.
host_mode: onion
required_host_mode: on

# The domain suffixes of the relays you operate (space-separated) to count as separate proxy statistics.
# own_server_domains:

# SOCKS proxy port for forwarding messages to destination servers.
# You may need a separate instance of SOCKS proxy for incoming single-hop requests.
socks_proxy: 10.6.0.4:9050
#socks_proxy: tor-simplex:9050

# `socks_mode` can be 'onion' for SOCKS proxy to be used for .onion destination hosts only (default)
# or 'always' to be used for all destination hosts (can be used if it is an .onion server).
socks_mode: always

# Limit number of threads a client can spawn to process proxy commands in parrallel.
# client_concurrency: 32

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ vim xftp/config/file-server.ini

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ cat xftp/config/file-server.ini
[STORE_LOG]
# The server uses STM memory for persistence,
# that will be lost on restart (e.g., as with redis).
# This option enables saving memory to append only log,
# and restoring it when the server is started.
# Log is compacted on start (deleted objects are removed).
enable: on

# Expire files after the specified number of hours.
expire_files_hours: 48

log_stats: off

[AUTH]
# Set new_files option to off to completely prohibit uploading new files.
# This can be useful when you want to decommission the server, but still allow downloading the existing files.
new_files: on

# Use create_password option to enable basic auth to upload new files.
# The password should be used as part of server address in client configuration:
# xftp://fingerprint:password@host1,host2
# The password will not be shared with file recipients, you must share it only
# with the users who you want to allow uploading files to your server.
# create_password: password to upload files (any printable ASCII characters without whitespace, '@', ':' and '/')

# control_port_admin_password:
# control_port_user_password:

[TRANSPORT]
# host is only used to print server address on start
host: nowhere
port: 5233
log_tls_errors: off
# control_port: 5226

[FILES]
path: /srv/xftp
storage_quota: 10gb

[INACTIVE_CLIENTS]
# TTL and interval to check inactive clients
disconnect: off
# ttl: 21600
# check_interval: 3600

Then we simply run the docker containers again:

[ Wonderland ] [ /dev/pts/14 ] [/srv/simplex]
→ docker-compose down ; docker-compose up -d

Starting simplex-xftp ... done
Starting simplex-smp  ... done
Starting tor-simplex  ... done

simplex-smp            | Server address: smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@nowhere
simplex-xftp           | Server address: xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@nowhere

#need to manually change the @nowhere to be the onion urls:
smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion
xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233

Sidenote: One important thing to note though is that you shouldn't be the only one to use your own simplex servers as if you are the only one to use that one simplex server, people may figure out that you're the same person when trying to use different profiles. This is why you should list your simplex servers publicly somewhere, either in your own community like i did here:

Or you can list your simplex servers on public lists like this one:

Optional but recommended: Since you are using docker containers, you can easily automate keeping them updated with a simple cronjob:

[ Wonderland ] [ /dev/pts/4 ] [~]
→ crontab -e

#daily simplex containers update
0 0 * * * docker-compose -f /srv/simplex/docker-compose.yml pull ;  docker-compose -f /srv/simplex/docker-compose.yml down; docker-compose -f /srv/simplex/docker-compose.yml up -d

Once that's done, we can go ahead and add the servers in our simplex client:

Step 4: Configure SimpleX To Use Your Server

Now from our simplex client we need to make sure that we are using our own simplex servers, which have the following URL:

SMP server:
smp://BD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI=@b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion

XFTP server:
xftp://emX7ForsbdpIscNiDZ6b0HTbfFUayn00C1wmeVTofYA=@wg54vc6p3dscshywvt2wninachqoarrodtunapds7t7p47sn5e3qonid.onion:5233

And now that our simplex client is ONLY using our onion-only simplex servers, we can create our own chatrooms:

How to Create Chatrooms in Incognito mode

Now that we are using our own simplex servers, we can create a chatrooms in incognito mode (meaning that our username will simply be a random noun and adjective):

Enter a name for your group. You can also add a photo for the group.

Tick the Incognito option. Doing this ensures your profile name and image is hidden from your group members and allows for anonymous connections with other people without shared data. Once you have filled out the necessary information, press Create group.

as noted above, since you are only using tor-only simplex servers, this means that you are forcing the users to use Tor to be able to join your invite links. Here's what the invite link looks like:

https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D

as you can see the default invite link looks like that, and as you can see the onion server address appears in the link, which is the reason why if the user that wants to join doesnt have tor connectivity, he won't be able to join. If you don't want to use any of simplex's servers, you can simply replace the https://simplex.chat/ at the beginning with your simplex smp server onion url as follows:

http://b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D

If you want to not contact any simplex server to be able to view the invite link, you can simply replace the server address to simplex:/, which will transform the link as follows:

simplex:/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FSMvbQfvtczzC7r6Sv3gEgy_s01_ZYPh_%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEA9kSAhfaJMzC8YWZzkpoCL8mnBmq2U8VE8_v5HYk0nyE%253D&data=%7B%22groupLinkId%22%3A%22zjrwnXSNIBJO9ZhoHcRRkQ%3D%3D%22%7D

How to Join Chatrooms in Incognito mode

If you have received an invite to a SimpleX chatroom, you can join it by pressing the input field at the bottom of the screen labeled Search or paste SimpleX link.

Paste your invite link into the input field and press Enter.

You will be met with a window asking whether you'd like to connect using your current profile or using an Incognito profile.

Select Use new incognito profile.

This is because we don't want to reveal what our simplex username is, we just want to join the chatroom using a random username that is not tied to our identity.

And there as you can see, everyone that joins in in incognito gets a random pseudonym with the format "Random Adjective Random Word" effectively helping the users maintain their anonymity while in the chat.

Conclusion

By following this tutorial, you've set up a secure, anonymous chat system using SimpleX and Tor. You've learned how to install Orbot, configure SimpleX servers with `.onion` addresses, create incognito chatrooms, and join them anonymously. This setup ensures that your private conversations remain secure and untraceable.

What You've Accomplished

- Installed Orbot and routed traffic through the Tor network.
- Configured SimpleX servers to use `.onion` addresses.
- Created and joined anonymous chatrooms in incognito mode.