Matrix Synapse as a Tor Hidden Service: Encrypted Chat Deployment

Matrix provides: end-to-end encryption for private rooms (using Matrix E2EE based on Signal protocol's Double Ratchet), federation (rooms can span multiple servers), decentralization (no single company controls the protocol), and rich features (file sharing, voice, video, threads). Running Synapse as a hidden service adds: server location anonymity (operator's IP is not exposed), accessibility in censored countries (via Tor Browser or Element with Tor support), and resistance to server seizure identification. Matrix is more feature-rich than XMPP and more decentralized than Signal.

Install Synapse: pip install matrix-synapse or use the official Debian package repository. Generate initial configuration: python -m synapse.app.homeserver --server-name YOUR_ONION.onion --config-path /etc/matrix-synapse/homeserver.yaml --generate-config. Important configuration in homeserver.yaml: server_name: YOUR_ONION.onion, listeners with bind_address: 127.0.0.1 (never 0.0.0.0), disable_registration: true (for private servers). Tor torrc: HiddenServicePort 8448 127.0.0.1:8448 (Matrix federation port), HiddenServicePort 80 127.0.0.1:80 (for client access through Nginx). The server_name must be the .onion address for proper Matrix identity.

Matrix federation allows rooms that span multiple servers. Tor-based federation requires configuring Synapse to route federation connections through Tor. Add to homeserver.yaml: federation_client: proxies: SOCKS5: host: 127.0.0.1: port: 9050. This routes all outbound federation connections through Tor, preventing the hidden service server's IP from being revealed to federated servers. Inbound federation: your .onion address serves as the federation endpoint. Other servers must be capable of connecting to .onion addresses (requires their Tor/Tor-proxy configuration). Federation with clearnet servers reveals your .onion address to those servers (acceptable as .onion addresses do not reveal real IPs).

Element (Matrix reference client) can connect to a .onion homeserver. Web client: self-host Element Web on the same hidden service server, accessible via Tor Browser. Configuration in config.json: default_server_config: m.homeserver: base_url: http://YOUR_ONION.onion:8448. Element Desktop: in Settings > Security > Homeserver, enter the .onion address. Element must be configured to use a SOCKS5 Tor proxy: in system networking settings, point Element's SOCKS5 proxy to 127.0.0.1:9050. For users accessing from Tor Browser: self-hosted Element Web on the same .onion server is the cleanest UX.

Private Matrix rooms: create rooms with join_rules: invite (invitation only), enable E2EE (end-to-end encryption for the room). Room history visibility: set to shared for new members to see history after joining, or joined to see only messages after joining. Guest access: disable for private servers. Registration tokens: enable token-based registration to control who can create accounts on your server. Synapse admin API: available at _synapse/admin for server administration, restrict to localhost access only. Room bridging: Matrix bridges can connect Matrix rooms to Signal, IRC, Telegram via bots - configure bridges with careful attention to how they handle E2EE (bridges often decrypt to forward, which breaks E2EE guarantees).