Tor Project launches Oniux, a Rust-powered command-line tool that isolates any Linux application at the kernel level, guaranteeing secure traffic routing through the Tor network.

In an era where digital surveillance and data leaks pose growing threats, the Tor Project has unveiled a groundbreaking new tool designed to enforce network anonymity for Linux applications like never before. Oniux, a compact yet powerful command-line utility written in Rust, leverages Linux namespaces to provide kernel-enforced isolation, ensuring that every byte of traffic from an application flows exclusively through the Tor network.

Unlike legacy tools like torsocks, which rely on user-space tricks to route traffic via SOCKS proxies, Oniux creates a fully isolated network namespace for each application. This means that even if the app is compromised or poorly configured, it cannot leak traffic outside of Tor.


Beyond LD_PRELOAD: How Oniux Achieves True Isolation

Torsocks operates by injecting itself into dynamically linked applications using LD_PRELOAD, intercepting libc network calls and redirecting them to a Tor SOCKS proxy. However, this method has critical shortcomings:

  • It fails to intercept raw system calls, which a malicious app can exploit to bypass Tor.
  • It doesn’t support statically compiled binaries or non-libc-based apps.
  • Applications still access the host’s real interfaces, lacking true isolation.

Oniux solves all of these issues by leveraging native Linux kernel features like:

  • Network namespaces to isolate applications from the host’s interfaces.
  • User and PID namespaces to limit privileges and capabilities.
  • Mount namespaces to inject a Tor-safe /etc/resolv.conf for DNS resolution.
  • A virtual interface (onion0) connected through onionmasq, ensuring all packets exit only via Tor.

“Oniux drops any Linux application into its own private networking environment, enforced by the kernel and routed exclusively through Tor,” explains the Tor development team. “No libc hacks, no proxy leaks — just hardened, verifiable isolation.”


Oniux vs. Torsocks: A Technical Comparison

| Feature | Oniux | Torsocks |
|---|---|---|
| Standalone operation | Yes | Requires Tor daemon |
| Isolation mechanism | Linux namespaces | LD_PRELOAD hack |
| Application support | All (dynamic/static/malicious) | Only libc-based dynamic apps |
| Protection against leaks | Yes (kernel-level enforcement) | No (bypasses possible) |
| Platform compatibility | Linux only | Cross-platform |
| Tor engine | Arti (written in Rust) | Classic Tor (C-based) |
| Maturity | Experimental | Over 15 years in production |

Using Oniux: Getting Started

Oniux requires a Linux system with Rust installed. Once set up, the tool can be installed using:

cargo install --git https://gitlab.torproject.org/tpo/core/oniux oniux@<version>

Example usage:

# Route a curl request through Tor
oniux curl https://icanhazip.com

# Access an .onion site
oniux curl http://example.onion

# Isolate an interactive shell
oniux bash

# Launch a GUI app with Tor isolation
oniux hexchat

You can also enable detailed debugging with:

RUST_LOG=debug oniux curl https://icanhazip.com

Under the Hood: How Oniux Works

Oniux internally uses the clone(2) system call to create isolated process trees with their own:

  • Network namespace: Provides a clean interface (onion0) with no access to eth0, wlan0, etc.
  • Mount namespace: Binds a Tor-compliant resolv.conf for DNS isolation.
  • User namespace: Restricts the process privileges even when running as root.
  • PID namespace: Runs processes in a private process tree to prevent interference or surveillance.

It then uses onionmasq to configure the virtual interface and Arti, the next-generation Tor implementation in Rust, as the core Tor engine.
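
A check for the interface isolation described above, as an added example (not code from the Tor Project or the original article): it reads a file in /proc/net/dev format and reports any interface other than lo and onion0. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oniux code. Input uses the /proc/net/dev layout:
# two header lines, then one "name: counters..." line per interface.

# Print interfaces other than loopback and onion0 (the interface name the
# article gives for Oniux). No output means no host interface is visible.
unexpected_ifaces() {
    awk 'NR > 2 {
        sub(/:.*/, ""); gsub(/[ \t]/, "")
        if ($0 != "" && $0 != "lo" && $0 != "onion0") print
    }' "$1"
}

# Succeed only if onion0 is present and nothing unexpected is visible.
is_isolated() {
    [ -z "$(unexpected_ifaces "$1")" ] && grep -q '^ *onion0:' "$1"
}

# Constructed samples (not captured from a real system).
sample_host() {
    cat <<'EOF'
Inter-|   Receive          |  Transmit
 face |bytes packets ...   |bytes packets ...
    lo:  1000  10 0 0 0 0 0 0  1000  10 0 0 0 0 0 0
  eth0: 52000 400 0 0 0 0 0 0 31000 350 0 0 0 0 0 0
 wlan0:     0   0 0 0 0 0 0 0     0   0 0 0 0 0 0 0
EOF
}
sample_isolated() {
    cat <<'EOF'
Inter-|   Receive          |  Transmit
 face |bytes packets ...   |bytes packets ...
    lo:     0   0 0 0 0 0 0 0     0   0 0 0 0 0 0 0
onion0:  8400  60 0 0 0 0 0 0  5100  55 0 0 0 0 0 0
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_host > "$dir/host"; sample_isolated > "$dir/isolated"
    for f in host isolated; do
        if is_isolated "$dir/$f"; then echo "$f: only lo and onion0 visible"
        else echo "$f: LEAK RISK, sees: $(unexpected_ifaces "$dir/$f" | tr '\n' ' ')"; fi
    done
    rm -rf "$dir"
}

# With a file argument, check it; with none, run the constructed demo.
if [ -n "${1:-}" ]; then is_isolated "$1"; else demo; fi
```

Saved as check_netns.sh (a hypothetical name) and assuming the script path is readable inside the namespace, `oniux sh check_netns.sh /proc/net/dev` runs the check from within the isolated environment and exits non-zero if a host interface is visible.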


Caveats: Oniux is Experimental

Despite its advantages, Oniux is still in early development. The Tor Project warns users not to rely on it yet for mission-critical operations. Stability, compatibility with various Linux distributions, and performance under stress are still being evaluated.

However, developers and privacy enthusiasts are encouraged to test, audit, and contribute to the project. Its long-term goal is to become the default method for routing sensitive applications through Tor — safely and reliably.


Conclusion: A New Era of Application-Level Privacy on Linux

With Oniux, the Tor Project introduces a powerful security model that goes beyond proxy settings and library hooks. By having the kernel enforce Tor isolation through namespaces rather than relying on user-space interception, it closes the gaps that have plagued previous tools and opens the door to stronger, verifiable privacy guarantees for Linux users.

Whether you’re a journalist, researcher, or just a privacy-conscious Linux user, Oniux offers a glimpse into the future of secure, anonymous computing.

👉 Source code and full documentation available at:
https://gitlab.torproject.org/tpo/core/oniux


via: Tor Project
