Introducing oniux: Kernel-level Tor isolation for any Linux app | Tor Project

When launching privacy-critical apps and services, developers want to make sure that every packet really only goes through Tor. One mistyped proxy setting, or a single system call outside the SOCKS wrapper, and your data is suddenly on the line.

That’s why today, we are excited to introduce oniux: a small command-line utility providing Tor network isolation for third-party applications using Linux namespaces. Built on Arti and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks. If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it.

oniux vs. torsocks

You may have also heard of a tool with a similar goal, known as torsocks, which works by overwriting all network-related libc functions so as to route traffic over a SOCKS proxy offered by Tor. While this approach is a bit more cross-platform, it has the notable downside that applications making system calls not through a dynamically linked libc, whether with malicious intent or not, will leak data. Most notably, this excludes support for purely static binaries and applications from the Zig ecosystem.

oniux is experimental :warning:

Although this section should not discourage you from using oniux, you should keep in mind that this is a relatively new feature which uses new Tor software, such as Arti and onionmasq.

While things are already working as expected at the moment, tools such as torsocks have been around for over 15 years, giving them more experience on the battlefield.

But we do want to reach a similar state with oniux, so please go ahead and check it out!

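As an added example (not part of the announcement or of the oniux or torsocks projects), a small Python check for the precondition the torsocks paragraph describes: a libc-overriding wrapper can only see a program's network calls if the binary is dynamically linked through ld.so, so inspecting the ELF program headers for PT_INTERP/PT_DYNAMIC tells you whether such a hook can apply at all. `build_elf64` is a constructed sample image so the check runs offline; a True result only means the hook is possible, since a dynamically linked program can still issue raw syscalls, which is the case that only kernel-level namespace isolation contains.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC, PT_INTERP = 2, 3  # program-header types only dynamic executables carry


def is_dynamically_linked(data: bytes) -> bool:
    """True if the image has a PT_INTERP or PT_DYNAMIC program header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"  # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:  # ELFCLASS64: e_phoff at 32, e_phentsize/e_phnum at 54
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
    elif ei_class == 1:  # ELFCLASS32: e_phoff at 28, e_phentsize/e_phnum at 42
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):  # p_type is the first field of every program header
        (p_type,) = struct.unpack_from(endian + "I", data, phoff + i * phentsize)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return True
    return False


def build_elf64(phdr_types):
    """Constructed sample: minimal little-endian ELF64 image made of an ELF
    header followed by one zeroed program header per type in phdr_types."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return ehdr + phdrs


def classify_file(path: str) -> str:
    """Report whether a libc-hooking wrapper could even apply to a binary."""
    with open(path, "rb") as f:
        dynamic = is_dynamically_linked(f.read())
    return "dynamic: libc hook possible" if dynamic else "static: libc hook bypassed"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(f"{p}: {classify_file(p)}")
```

Run it as `python3 elfcheck.py /path/to/binary` to classify real executables; the constructed images below exercise the same parser without touching the filesystem.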

This is very cool. Proxying via SOCKS has always been leaky and prone to user-error, and overloading glibc function calls is a sure-fire way for folks to have a false sense of security. Especially given how popular statically linking libc via musl and golang has become.

Come to think of it… torsocks probably doesn’t work at all for statically-linked distros like Alpine?

Network namespaces are exactly the right solution. WireGuard’s website even calls it out as a preferred solution: Routing & Network Namespaces - WireGuard

Wait, I don’t think Alpine is statically linked – at least not once you replace the busybox links that come with the installation image with real packages. The libc is musl but it is still a shared library. Or am I wrong?

The only distro that I know that statically links everything is oasis

No, you’re absolutely correct. I think my brain fallaciously associated musl with static linking :sweat_smile:

It wouldn’t make sense for a distro to be fully statically linked, since it’d bloat binary sizes like crazy.