Oniux: kernel-level Tor isolation for Linux applications
The Tor project has announced the oniux utility, which uses Linux namespaces to provide Tor network isolation for third-party applications.
Namespaces are a powerful feature that gives us the ability to isolate Tor network access of an arbitrary application. We put each application in a network namespace that doesn't provide access to system-wide network interfaces (such as eth0), and instead provides a custom network interface onion0.
This allows us to isolate an arbitrary application over Tor in the most secure way possible software-wise, namely by relying on a security primitive offered by the operating system kernel. Unlike SOCKS, the application cannot accidentally leak data by failing to make some connection via the configured SOCKS, which may happen due to a mistake by the developer.
The Tor project cautions that oniux is considered experimental, as the software it depends on, such as Arti and onionmasq, is still new.
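One way to check the isolation described above from outside the wrapped process, as an added example (not code from the Tor Project or oniux): it lists the interfaces a process can see and flags anything other than onion0. The sample /proc/net/dev text is constructed, and tolerating lo next to onion0 is an assumption.

```python
import os

# Constructed sample: /proc/net/dev as seen inside an isolated namespace.
ISOLATED = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
onion0:   51234     120    0    0    0     0          0         0    20480      98    0    0    0     0       0          0
"""
# Constructed sample: the same file as seen from the host namespace.
HOST = ISOLATED + (
    "  eth0: 9876543    8000    0    0    0     0          0         0"
    "  1234567    7000    0    0    0     0       0          0\n"
)

ALLOWED = {"lo", "onion0"}  # assumption: loopback is tolerated next to onion0


def visible_interfaces(proc_net_dev: str) -> list[str]:
    """Return the interface names listed in /proc/net/dev-format text."""
    names = []
    for line in proc_net_dev.splitlines()[2:]:  # first two lines are headers
        name, sep, _counters = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


def unexpected_interfaces(proc_net_dev: str, allowed=ALLOWED) -> list[str]:
    """Interfaces the process can see that would let traffic bypass Tor."""
    return sorted(set(visible_interfaces(proc_net_dev)) - set(allowed))


def same_netns(pid_a: int, pid_b: int) -> bool:
    """True if both processes share a network namespace (same ns inode)."""
    return (os.readlink(f"/proc/{pid_a}/ns/net")
            == os.readlink(f"/proc/{pid_b}/ns/net"))


def audit(pid: int) -> list[str]:
    """Check the live view of `pid`; needs permission to read /proc/<pid>."""
    with open(f"/proc/{pid}/net/dev") as fh:
        return unexpected_interfaces(fh.read())
```

An empty list from `audit(pid)`, together with `same_netns(pid, 1)` returning False, indicates the process sits in its own network namespace with no system-wide interface visible.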
Posted May 16, 2025 13:19 UTC (Fri)
by rillian (subscriber, #11344)
[Link]
In case anyone else is confused building out of a local repo, the project is configured to target aarch64-unknown-linux-musl by default, and will fail to build if cross-toolchains for that target are not installed. One can work around by passing --target x86_64-unknown-linux-gnu to cargo, or whatever one's native target is.
The build.target directive in .cargo/config is ignored by cargo install which is why the blog post's suggestion of installing directly from the upstream repo works.
Posted May 17, 2025 2:52 UTC (Sat)
by Fowl (subscriber, #65667)
[Link] (1 responses)
Posted May 17, 2025 8:40 UTC (Sat)
by k3ninho (subscriber, #50375)
[Link]
K3n.
Posted May 19, 2025 12:37 UTC (Mon)
by alip (subscriber, #170176)
[Link]
PS: I am the main author of Syd.
Leeks and leaks
syd-tor is an alternative
- Proxy sandboxing: https://man.exherbo.org/syd.7.html#Proxy_Sandboxing
- syd-tor: https://man.exherbo.org/syd-tor.1.html
