Oniux: Kernel-level Tor isolation for any Linux app

blog.torproject.org

・

197 points

・

marcodiego

・

6 days ago

53 comments

mjg59 ・ 6 days ago

Huh. I had a conversation with a Tor developer on this topic about a decade ago, when network namespaces were still kind of a new hotness - the feedback I got was that it would be an easy way for people to think they were being secure while still leaking a bunch of identifiable information, so I didn't push that any further.

ajb ・ 6 days ago

I think the tor folks made a fundamental strategic error by pushing that line. Yes, people who face a serious threat need to use tor browser and still pay attention to other ways to leak etc. But if we'd got 'tor everywhere' it would still make mass surveillance a lot harder. For one thing, today mass surveillance can detect who is using tor. If everyone was using it that wouldn't matter.
computerfriend ・ 6 days ago

Strange, because torsock and torify do the same thing, but less robustly.
- gobip ・ 6 days ago
  
  When you have torsocks or torify for everything, you're gonna leave your footprint through tor, whereas something like Tor Browser is designed specifically not to leave any print on the web.
  Using tor directly on the kernel level means that your DNS is gonna leak. Your OS telemetry is gonna leak etc.
  It's still a good idea but it should be implemented top to bottom and nothing left in between, otherwise you're de-anonymized quickly.

natmaka ・ 6 days ago

Isn't all this reserved to TCP, in other words in which way may it protect non-TCP activity?

yencabulator ・ 5 days ago

I don't know the details, but https://gitlab.torproject.org/tpo/core/onionmasq says
> This project is an attempt to implement a simple user-space network stack that can handle TCP *and UDP* state such that it is possible to forward the traffic into the Tor network.
mmooss ・ 5 days ago

What do Tor Browser users do for YouTube or DNS? Also, what about HTTP/3?
- FrostKiwi ・ 4 days ago
  
  DNS is already done by Tor. In fact, if you feed it a raw IP, it will warn in tor's output that it received an IP, which may indicate that the user has accidentally setup browsing via Tor, but DNS resolution via a normal, unsecured way.
  YouTube mainly throttles TOR hard and it's a bit of a fight uphill against a never ending avalanche of Captchas or a straight up service refusal. Bridges solve this, by going through exit nodes that are not publicly listed to be TOR exist nodes. Even with bridges it's still a high chance to trip Google's bot detection.
  HTTP/3 is unsupported.
  
  mmooss ・ 2 days ago
  ・ 3 more
  
  Thanks.
  > YouTube mainly throttles TOR
  What I mean is, streaming media usually uses UDP (I don't know about YouTube, but I'd guess that's the case) and according to this thread, Tor routes only TCP and not UDP. So is YouTube and other streaming media being routed around Tor?
  
  LegionMammal978 ・ 2 days ago
  ・ 2 more
  
  > (I don't know about YouTube, but I'd guess that's the case)
  YouTube delivers video in chunks over the standard HTTPS port 443, as does Twitch. YouTube supports HTTP/3, so it will use UDP via QUIC if your browser and network also support it, but otherwise it will simply go over TCP.
  
  mmooss ・ 2 days ago
  
  Thanks!
charcircuit ・ 6 days ago

Non-TCP activity wouldn't route and will fail to send.
- heavyset_go ・ 6 days ago
  
  Note that you can use the Tor daemon as a normal DNS via UDP server and it will resolve your DNS requests over the network for you.
  Maybe I'm wrong, but it seems similar to I2P where if you want "UDP", you'd need bespoke plugins/transports/whatever for each application.
- natmaka ・ 6 days ago
  
  Thank you, therefore my first impression seems right: without any provision for UDP this isn't an easy-to-setup and transparent way for any user to preserve his/her privacy.
  
  HappMacDonald ・ 6 days ago
  
  As always this will depend on your definition for "any user".
  Users who try to do a lot of UDP traffic will have to change their habits, yes. But a majority of users who don't know a lot about computers rarely do anything on a PC that isn't driven by the browser anyway.
  But at least the users who try to use UDP won't wind up specifically leaking info, just wind up slightly confused why certain things aren't working.
- izhak ・ 6 days ago
  
  UDP wouldn't route?..
  
  c0balt ・ 6 days ago
  
  The TOR protocol does not natively support UDP, though there are workarounds[0]
  [0]: https://www.whonix.org/wiki/Tunnel_UDP_over_Tor
  
  charcircuit ・ 6 days ago
  
  Yes.

mike-cardwell ・ 5 days ago

Instructions on front page for install don't work. Need to change the version number from 0.4.0 to 0.5.0

  cargo install --git https://gitlab.torproject.org/tpo/core/oniux oniux@0.5.0

mike-cardwell ・ 5 days ago

Hmm. I assumed this worked like torsocks in that it would direct traffic through the locally running tor daemon. However, I've noticed that if I stop the locally running tor daemon, oniux still works whilst torify and torsocks do not. [edit] The documentation does actually say this. Pretty neat.

It works inside docker as well, but I needed to use --privileged. Just copied the binary into a debian:12 container and it works there:

  docker run -it --rm --privileged -v "$PWD/oniux:/usr/bin/oniux" debian:12

yencabulator ・ 5 days ago

I would assume this uses the Rust rewrite as a library, not the older C daemon.
https://tpo.pages.torproject.net/core/arti/

tobias2014 ・ 6 days ago

Oniux seems like an "officially" supported tool similar to orjail (which hasn't received a commit in four years, but still works great as a shell script with iptables/iproute tools [1]). Orjail has also an option to run with firejail for further isolation, which seems to be still a feature that Oniux doesn't have.

[1] https://github.com/orjail/orjail/blob/master/usr/sbin/orjail

1vuio0pswjnm7 ・ 6 days ago

No Javascript URL:
https://raw.githubusercontent.com/orjail/orjail/master/usr/s...

Aissen ・ 4 days ago

Fun fact, this has been broken with curl for 5 years (and so are the blog examples), because Tor developers previously insisted that apps shouldn't attempt to resolve .onion domain names: https://daniel.haxx.se/blog/2025/05/16/leeks-and-leaks/

I hope they can find a resolution.

ahmedfromtunis ・ 6 days ago

Does this mean one can now access tor websites using chrome?

kyguy23 ・ 6 days ago

You can, but please don’t do this, you’ll stick out even more! Tor browser has a series of anti fingerprinting strategies that chrome doesn’t
- jeroenhd ・ 5 days ago
  
  I don't think anonimity is a concern for people who still use Chrome at this point.
  It does allow accessing onion sites, though, even though anyone running an onion site will probably tell you that it's a terrible idea to use plain Chrome to access them.
- OsrsNeedsf2P ・ 6 days ago
  
  Does Brave attempt to mimic any of these anti fingerprinting strategies? Asking because it has a "Private tab with Tor" feature
  
  fatchan ・ 6 days ago
  
  No. First of all, just check for `navigator.brave`. If it exists, it's Brave. When I ran a .onion site I added a JavaScript check and if navigator.brave was present, it redirected users to a specific page saying:
  > Hey, there's something funny about your Tor Browser. When browsing Tor hidden services (.onion), you should be using Tor Browser. Are you using an outdated version, or perhaps something else entirely?
  Brave is chrome. Tor browser is firefox, has a bunch of tweaks, different default settings, and a different fingerprint. Also when browsing on Tor, you should disable JavaScript as it's a source of many vulnerabilities.
  
  orbital-decay ・ 6 days ago
  
  The main strategy is that most people on Tor are using Tor Browser. This creates a cluster big enough to blend in. If you're using anything else, you're sticking out.
acheong08 ・ 6 days ago

You always could by just setting the proxy environment variables (or in settings). The standard port for the tor daemon is 9050.
In fact, it's relatively easy to write a socks proxy that lets you route traffic through a arbitrary protocols. For example, I can serve/visit websites on syncthing with a socks5 proxy as a translation layer: https://github.com/acheong08/syndicate
- stepupmakeup ・ 6 days ago
  
  Chrome has zero user-facing proxy controls of its own on Windows, nor PAC support. But the --proxy-server command line argument works.

ericfrederich ・ 6 days ago

They use hexchat as an example but do these processes run with the users configuration? Wouldn't this leak IRC usernames if you forget to change it. ... Or leak cookies if you launch a browser?

alfiedotwtf ・ 6 days ago

Separation of concerns - although Tor goes to great lengths to prevent fingerprinting, Tor and Oniux’s main aim IMHO is to make the source IP untraceable.
Same thing could have been said about using Tor to login to Gmail (if it were not HTTPS).
charcircuit ・ 6 days ago

What do you mean by leak usernames? It would leaks that a username uses tor. It would still leak that all of the usernames connecting to the same IRC host would be the same person.
IRC seems pretty dangerous if you want to remaining anonymous considering how many people are logging disconnection times allowing them to be correlated with other network disruption events.
- 47282847 ・ 5 days ago
  
  Tor is anonymizing you primarily from the network. There are many use cases where you do want to be authenticated/known to whoever you are talking to. You just want observers to not know.
  In your example of correlation of connection times, it may not be your goal to remain anonymous from the network and its participants, you may be interested in the location-hiding properties, and/or adversarial networks (like local government or corporate networks) and firewalls.
- 01HNNWZ0MV43FF ・ 6 days ago
  
  Irssi iirc used to default your username to your system username, so noobs would leak their given name by accident. After seeing that I changed my username in Linux to always be the most common username
  
  ericfrederich ・ 3 days ago
  
  I was talking more about you using HexChat with your preferred username "FooBar", but then when on Tor you want to be "SpamEggs". If you launch HexChat through oniux and it reads your config file, you might hit the login button before changing your name from FooBar to SpamEggs.
  
  SV_BubbleTime ・ 6 days ago
  ・ 6 more
  
  What is the most common Linux username though? Obviously you don’t want to do your regular work as root. And guest has its own issues.
  Is there a “common name”?
  
  tbrownaw ・ 6 days ago
  
  Not sure about "most common", but I have some vms that use `user` as the username.
  
  user32489318 ・ 6 days ago
  
  Robert'); DROP TABLE Students;-- Roberts
  
  romnon ・ 6 days ago
  
  ubuntu
  
  Xevion ・ 6 days ago
  
  admin
  
  Fnoord ・ 6 days ago
  
  root
  
  PaulDavisThe1st ・ 6 days ago
  
  root?

alfiedotwtf ・ 6 days ago

The DevEx is beautifully done here i.e it’s idiot-proof! Nice work to the people behind this <3

brians ・ 6 days ago

It’s really, really not. Idiots are ingenious. The operational care to use this in ways that preserve anonymity is beyond most users.

hexo ・ 6 days ago

Nice, now please rewrite the prototype in C and will happily use it.

jsiepkes ・ 6 days ago

It's written in Rust. What would you need a C version for?
- matt3210 ・ 6 days ago
  
  So I can read it to make sure it's not doing bad things.
  
  jsiepkes ・ 2 days ago
  
  "make sure it's not doing bad things" is never going to happen. Just look at the XZ attack (which is written in C) or the "The International Obfuscated C Code Contest" [1].
  Also you might want to read "Reflections on Trusting Trust" [2].
  [1] https://www.ioccc.org/
  [2] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
  
  saagarjha ・ 6 days ago
  ・ 2 more
  
  Consider learning Rust.
  
  glowiefedposter ・ 4 days ago
  
  [flagged]