Connecting to freenode

You can access the freenode network via the freenode webchat or using an IRC client such as irssi, WeeChat, ERC, HexChat, Smuxi, Quassel or mIRC.

You can connect to freenode by pointing your IRC client at chat.freenode.net on ports 6665-6667 and 8000-8002 for plain-text connections, or ports 6697, 7000, 7070 for TLS-encrypted connections.

Accessing freenode Via TLS

freenode provides TLS client access on all servers, on ports 6697, 7000 and 7070. Users connecting over TLS will be given the 671 numeric, which displays is using a secure connection will appear in WHOIS.

Some additional work may be required to verify the server certificates on connection. First, ensure that your system has an up-to-date set of root CA certificates. On most Linux distributions, this will be in a package named something like ca-certificates. Many systems install these by default, but some (such as FreeBSD) do not. For FreeBSD, the package is named ca_root_nss, which will install the appropriate root certificates in /usr/local/share/certs/ca-root-nss.crt.

Certificate verification will generally only work when connecting to freenode.net. If your client thinks the server's certificate is invalid, make sure you connect to chat.freenode.net rather than any other name that leads to freenode.

For most clients, this should be sufficient. If not, you can download the root certificate from LetsEncrypt.

Client TLS certificates are also supported, and may be used for identification to services. See this kb article. If you have connected with a client certificate, has TLS (SSL) client certificate fingerprint 93903be541f3dd3c6abc7b227025af3e2731ffa3de81319c7e24a541b3e68139 (showing your certificate's SHA256 fingerprint in place of f1ecf46...) will appear in WHOIS (a 276 numeric).

Accessing freenode Via Tor

freenode is also reachable via Tor, bound to some restrictions. You can't directly connect to chat.freenode.net via Tor; use the following hidden service as the server address instead:

The hidden service requires SASL authentication. In addition, due to the abuse that led Tor access to be disabled in the past; we have unfortunately had to add another couple of restrictions:

If you haven't set up the requisite SASL authentication, we recommend SASL EXTERNAL. You'll need to generate a client certificate and add that to your NickServ account. This is documented in our knowledge base.

Connecting using SASL EXTERNAL requires that you connect using TLS encryption.

You'll then want to tell your client to try the EXTERNAL mechanism. Unfortunately, we lack comprehensive documentation for this, but it's a feature in most modern clients, so please check their docs for instructions for now.

Verifying Tor TLS connections

A Tor hidden service name securely identifies the service you are connecting to. Verifying the TLS server certificate is strictly speaking unnecessary while using the hidden service. Nonetheless, you can use the following methods to verify the hidden service's TLS server certificate.

The best way to ensure the TLS server-side certificate successfully validates is to add the following fragment to your torrc configuration file and configure your client to connect to hs.freenode.net via Tor. The TLS server certificate used by the hidden service will validate using this hostname.

# V2 torrc snippet:
MapAddress hs.freenode.net 5nh6poze3l2yhmrl.onion

We recommend that you use the v3 address with no map as v3 is signed via the .onion address, and hs.freenode.net is also signed in that certificate.

Older clients that don't support SOCKS4a or later will need to use MapAddress with an IP address, and the certificate will not validate successfully. In this case, validation will need to be disabled.

Periodically the hidden service's certificate changes as it is updated. This means that the certificate fingerprint can not be reliably pinned.