Simon Rydell


IRC anytime

Setting up a raspberry pi with ssh and weechat

IRC, or Internet Relay Chat, is a great way to get in touch with really experienced people in almost all subjects. I'm a newcomer to IRC but it's really growing on me. I've used irssi, but recently fallen for weechat for its easy-to-use, easy-to-configure approach.

The only thing is the constant upkeep. You see, whenever you log out of an IRC client, you stop listening to the channels, meaning you'll lose anything that has been said while you were away. Tmux helps some but since I'm on a laptop I lose wifi whenever I leave home. Let's solve this by setting up a secure ssh server running weechat that can be accessed from anywhere.

Conventions used in this article:

  • Whenever the reader needs to change something, it is marked as {{ change_me }}.

  • When the terminal is from the home computer, the prompt will be listed as (home)$ and when on the pi (pi)$.

Setting up ssh and wifi headless

Start by downloading and installing raspbian to an SD card. Since I'm not a big fan of the clunky temporary external screen + keyboard and mouse, we will do a headless setup. Assuming you have your SD card mounted, ssh can be enabled at boot by creating an empty file called ssh in the boot folder.

(home)$ touch {{ /path/to/raspberrypi/boot/ssh }}

The raspberry pi uses wpa_supplicant for wifi and is able to move a wpa_supplicant.conf from the boot directory on the SD card (same as with ssh) to /etc/wpa_supplicant/wpa_supplicant.conf. Create a file called wpa_supplicant.conf and add the following.

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country={{ your_ISO-3166-1_two-letter_country_code }}

network={
    ssid="{{ your_wifi_name }}"
    psk="{{ your_wifi_password }}"
    key_mgmt=WPA-PSK
}

The ISO code for your country can be found here. You should now be able to boot up, automatically connect to your wifi and ssh into the raspberry pi.

(home)$ ssh pi@{{ IP_of_raspberry_pi }}

You can usually find the IP address of the pi in your router by going to 192.168.0.1 in your browser of choice. Note that for me the router IP is 192.168.10.1 so it may differ.

Static IP

Since you probably don't want to redo the previous steps, you should consider giving the pi a static IP. To do so you need the interface you want to configure:

(pi)$ ifconfig

...
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
             inet 192.168.10.171  netmask 255.255.255.0  broadcast 192.168.10.255
             inet6 fe80::ac6d:1efb:40ed:5794  prefixlen 64  scopeid 0x20<link>
             ether b8:27:eb:45:eb:c3  txqueuelen 1000  (Ethernet)
             RX packets 153062  bytes 178284808 (170.0 MiB)
             RX errors 0  dropped 0  overruns 0  frame 0
             TX packets 74992  bytes 8352104 (7.9 MiB)
             TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...

So you can see my interface is wlan0 and my current IP is 192.168.10.171 and IPv6 is fe80::ac6d:1efb:40ed:5794. Edit /etc/dhcpcd.conf to make the IP static.

# /etc/dhcpcd.conf

# static IP configuration
interface wlan0
static ip_address={{ your_IP_address }}/24
static ip6_address={{ your_IPv6_address }}/64
static routers={{ your_router_IP }}
static domain_name_servers={{ your_router_IP }}

Reboot the pi and check that it works.

SSH key generation and configuration

Key pair authentication is generally preferable to passwords. Passwords can be hacked, and maintaining a large number of them by memory is difficult and by other means, potentially insecure. By default, the pi uses passwords, so we should really change that.

Start by generating a new key pair on your home machine.

(home)$ ssh-keygen -t rsa -b 4096 -C "{{ your_email_address }}"

If you usually don't use a passphrase and store your private key unencrypted on disk, please see further reading on keychain.

You can now copy the key to your pi.

(home)$ ssh-copy-id pi@{{ pi_IP }}

Note that this only applies to the pi user as the key is being appended to /home/pi/.ssh/authorized_keys. The next time you ssh into the pi the key will be used instead.

ssh into the pi and edit the config for the ssh daemon.

(pi)$ sudo vim /etc/ssh/sshd_config

Now change the file so that it looks as follows.

# /etc/ssh/sshd_config

# Use some other port than the standard 22.
# NOTE: Only use ports >1024 since these are unprivileged
Port {{ your_custom_port }}

...

PermitRootLogin no

...

# Only allow key auth
PasswordAuthentication no
PermitEmptyPasswords no

...

UsePAM yes
ChallengeResponseAuthentication no

...

# If you don't need this, disable them both
AllowTcpForwarding no
X11Forwarding no

The rule is - if you see anything that you don't use, disable it!
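
One way to check the edited file against the settings listed above, as an added example that is not part of the original article. It reads the first global occurrence of each keyword, because sshd keywords are case-insensitive and the first value obtained wins; the function names and the sample config are constructed for illustration.

```shell
# Added example: audit an sshd_config for the settings shown in this article.
# Limitation: Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORD: print the first global value set for KEYWORD.
effective_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                     # drop leading indentation
        /^(#|$)/ { next }                          # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }                # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }          # Match blocks are conditional
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FINDING line per deviation; return 1 if any.
audit_sshd_config() {
    rc=0
    for want in permitrootlogin=no passwordauthentication=no permitemptypasswords=no \
        challengeresponseauthentication=no allowtcpforwarding=no x11forwarding=no; do
        key=${want%%=*}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FINDING: $key is '${got:-not set}', article sets '${want#*=}'"; rc=1
        fi
    done
    port=$(effective_value "$1" port)
    [ "${port:-22}" != 22 ] || { echo "FINDING: port is 22, article uses a custom port"; rc=1; }
    return "$rc"
}

# write_sample FILE: constructed sshd_config (not from a real host) for the demo.
write_sample() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
passwordauthentication yes
# the next line is ignored by sshd: the keyword is already set above
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
EOF
}

sample=$(mktemp) && write_sample "$sample"
if audit_sshd_config "$sample"; then echo "matches the article"; else echo "review the findings"; fi
rm -f "$sample"
```

On the pi, run it against the real file with audit_sshd_config /etc/ssh/sshd_config; sudo sshd -t checks the file for syntax errors before the daemon is restarted.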

Downloading and installing the latest weechat

Unfortunately, as of writing this, the weechat package is horribly outdated in apt on the pi (1.8 and the latest is 2.2). Since I'm using some of the newer features, I'll have to jump through some hoops. Note that if this doesn't apply to you, simply sudo apt install weechat and be done with it.

The developers of weechat host a set of deb-files on their website, so I wrote a small script to download and install all of them. You may need to change the version number.

#!/bin/bash

VERSION="2.2-1"
FILES="weechat-core_${VERSION}_armhf.deb \
weechat-curses_${VERSION}_armhf.deb \
weechat-dev_${VERSION}_armhf.deb \
weechat-doc_${VERSION}_all.deb \
weechat-guile_${VERSION}_armhf.deb \
weechat-headless_${VERSION}_armhf.deb \
weechat-javascript_${VERSION}_armhf.deb \
weechat-lua_${VERSION}_armhf.deb \
weechat-perl_${VERSION}_armhf.deb \
weechat-php_${VERSION}_armhf.deb \
weechat-plugins_${VERSION}_armhf.deb \
weechat-python_${VERSION}_armhf.deb \
weechat-ruby_${VERSION}_armhf.deb \
weechat-tcl_${VERSION}_armhf.deb \
weechat_${VERSION}_all.deb"

# Download all files
url_prefix="https://weechat.org/raspbian/dists/stable/main/binary-armhf/"
all_urls=""
for f in ${FILES}; do
    all_urls="${url_prefix}${f} ${all_urls}"
done
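# Word splitting of ${all_urls} is intended: wget needs one argument per URL
# shellcheck disable=SC2086
wget ${all_urls} || { echo "Couldn't download the files. Maybe the version number is wrong?" >&2; exit 1; }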

# Install and cleanup
for f in ${FILES}; do
    sudo dpkg -i "./${f}"
    rm "./${f}"
done

# Install any missing dependencies
sudo apt install -f

unset url_prefix
unset all_urls
unset FILES
unset VERSION

SSH into the pi and paste in the script.

(home)$ ssh -p {{ your_custom_port }} pi@{{ IP_of_raspberry_pi }}
(pi)$ mkdir weechat && cd weechat
(pi)$ vim install_weechat.sh

{{ Paste script }}

(pi)$ chmod +x install_weechat.sh
(pi)$ ./install_weechat.sh

If there are some errors just follow the messages from apt and you will be fine. You can now start weechat with

(pi)$ weechat

How you choose to keep a persistent session with weechat open at all times is up to you, but I suggest and use tmux. Another alternative would be screen. Try and see what you like!

Adding a convenient alias (here using tmux)

(home)$ alias irc='ssh -t -p {{ your_custom_port }} pi@{{ IP_of_raspberry_pi }} "tmux attach" 2> /dev/null'

Yields a comfortable interface to weechat

weechat running in a tmux session on a remote raspberry pi

All that is left to do is to expose your pi to the world via port forwarding through your router. If you wish to do this, the security is on you.

There are some other things that could potentially improve security and overall user-friendliness of the system and I've put them as further reading.

Further reading

  • keychain - A nice frontend for {ssh,gpg}-agent
  • Securing OpenSSH - Gentoo article on security critical options in /etc/ssh/sshd_config
  • ufw - [U]ncomplicated [F]ire[w]all, a netfilter firewall interface
  • fail2ban - Daemon to ban IP addresses which show suspicious activity
  • ntp - Daemon to synchronize the system clock with internet time servers
  • Weechat relay with Let's Encrypt Certificates - Add TLS encryption to your weechat communications
  • SSH config file - An introduction to ~/.ssh/config