Isn't all this reserved to TCP, in other words in which way may it protect non-TCP activity?
Instructions on front page for install don't work. Need to change the version number from 0.4.0 to 0.5.0:
cargo install --git https://gitlab.torproject.org/tpo/core/oniux oniux@0.5.0
Oniux seems like an "officially" supported tool similar to orjail (which hasn't received a commit in four years, but still works great as a shell script with iptables/iproute tools [1]). Orjail also has an option to run with firejail for further isolation, which still seems to be a feature that Oniux doesn't have.
[1] https://github.com/orjail/orjail/blob/master/usr/sbin/orjail
Hmm. I assumed this worked like torsocks in that it would direct traffic through the locally running tor daemon. However, I've noticed that if I stop the locally running tor daemon, oniux still works whilst torify and torsocks do not. [edit] The documentation does actually say this. Pretty neat.
It works inside docker as well, but I needed to use --privileged. Just copied the binary into a debian:12 container and it works there:
docker run -it --rm --privileged -v "$PWD/oniux:/usr/bin/oniux" debian:12
Fun fact, this has been broken with curl for 5 years (and so are the blog examples), because Tor developers previously insisted that apps shouldn't attempt to resolve .onion domain names: https://daniel.haxx.se/blog/2025/05/16/leeks-and-leaks/
I hope they can find a resolution.
Does this mean one can now access tor websites using chrome?
They use hexchat as an example, but do these processes run with the user's configuration? Wouldn't this leak IRC usernames if you forget to change it? ... Or leak cookies if you launch a browser?
The DevEx is beautifully done here, i.e. it’s idiot-proof! Nice work to the people behind this <3
Nice, now please rewrite the prototype in C and I will happily use it.
Huh. I had a conversation with a Tor developer on this topic about a decade ago, when network namespaces were still kind of a new hotness - the feedback I got was that it would be an easy way for people to think they were being secure while still leaking a bunch of identifiable information, so I didn't push that any further.