XMPP Jabber Tor Hidden Service: Encrypted Messaging Deployment

XMPP advantages: mature protocol (20+ years), multiple client implementations (Conversations Android, Gajim desktop, Monal iOS), OMEMO end-to-end encryption (based on Signal protocol's Double Ratchet), federation between XMPP servers, and lightweight server implementations suitable for small VPS. Compared to Matrix: XMPP is simpler protocol with less resource usage. XMPP federation over Tor is well-supported. OMEMO E2EE is supported in major clients. For a private chat server with a small known group, XMPP is less resource-intensive than Matrix Synapse.

Prosody is a lightweight Lua-based XMPP server. Install: apt install prosody. Configuration in /etc/prosody/prosody.cfg.lua: VirtualHost 'YOUR_ONION.onion'; c2s_interfaces = { '127.0.0.1' }; s2s_interfaces = { '127.0.0.1' } (listen on localhost only). Enable modules: modules_enabled = { 'roster', 'saslauth', 'tls', 'dialback', 'disco', 'carbons', 'pep', 'private', 'blocklist', 'vcard4', 'mam', 'omemo' }. Disable registration by default: allow_registration = false. Tor torrc: HiddenServicePort 5222 127.0.0.1:5222 (client connections), HiddenServicePort 5269 127.0.0.1:5269 (server-to-server federation). Clients connect to YOUR_ONION.onion at port 5222 using their XMPP client configured to use Tor SOCKS5 proxy.

OMEMO (XMPP end-to-end encryption) requires the omemo module in Prosody and client support. Clients with OMEMO support: Conversations (Android, excellent OMEMO support), Gajim (Linux/Windows), Monal (iOS), Dino (Linux). For OMEMO to work, clients must: enable OMEMO in conversation settings, exchange keys with contacts (first message may show key verification dialog), and verify contact fingerprints for strong security. OMEMO is multi-device (multiple devices per user automatically receive messages if all devices have OMEMO keys). Enable the MAM (Message Archive Management) module in Prosody so message history synchronizes across devices.

XMPP federation allows users on different XMPP servers to communicate. To federate over Tor: configure Prosody or Ejabberd to use a SOCKS5 proxy for outbound federation connections (pointing to local Tor daemon at 127.0.0.1:9050). Inbound federation: other servers connect to your .onion address on port 5269. Some XMPP clients and servers support direct Tor connection; others require manual SOCKS5 proxy configuration. Federation with your .onion address: users on other servers can communicate with your users using @user@YOUR_ONION.onion JIDs (Jabber IDs). Note: most clearnet XMPP servers cannot connect to .onion addresses by default, limiting federation to Tor-capable servers.

Conversations (Android): Settings > Expert settings > Enable 'Use Tor'. This routes all Conversations traffic through Tor automatically. Account setup: JID = username@YOUR_ONION.onion, server = YOUR_ONION.onion, port = 5222. Gajim (desktop): Accounts > Add > Advanced > Proxy: SOCKS5 localhost:9050. The .onion address is entered as the server. Monal (iOS): requires manual proxy configuration; iOS SOCKS5 system-level proxy configuration routes Monal through Tor when Orbot VPN is active. All major XMPP clients support SASL authentication - configure with the username and password set on your Prosody server.