TorVPN + OnionMasq + Oniux: A New Paradigm in Mobile Privacy and for Bitcoiners
Notice & DYOR
This post is educational. It does not constitute legal, financial, or security advice.
Always check local laws and consider your own threat model.
Tor and Arti evolve quickly: always confirm the sources at the end.
Context and Origin
The Tor Project, globally recognized for its browser and anonymity network, recently launched its own VPN application for Android: TorVPN, built on the OnionMasq architecture and written in Rust.
Unlike Orbot (maintained by Guardian Project since 2009), TorVPN integrates natively with Android's VPN framework, marking a paradigm shift in mobile privacy.
Official site: https://gitlab.torproject.org/tpo/applications/vpn
Commercial VPNs vs. TorVPN
Traditional VPNs:
- Encapsulate all traffic into a single tunnel to a corporate server.
- Risks: logs, government orders, single point of failure.
TorVPN (OnionMasq):
- Splits traffic into multiple globally distributed hops (relays).
- No single node knows both source and destination.
- Per-app isolation: separate circuits for each app.
- Example: your banking app will never share a route with your social network.
Censorship Circumvention
TorVPN integrates pluggable transports:
- obfs4: disguises traffic as random data.
- Snowflake (WebRTC): simulates a video call.
These mechanisms bypass deep packet inspection (DPI) where commercial VPNs often fail.
Technical Innovations
- Socket protection: fixes Orbot's routing loops.
- DNS resolution over Tor: hides queries from ISPs.
- Per-application metrics:
  - getBytesReceivedForApp
  - refreshCircuitsForApp
  - getCircuitCountryCodesForAppUID
These give greater granularity than the binary on/off of classic VPNs.
Usage Modes
- Protect all apps
- Protect selected apps
- No apps protected
This level of control redefines privacy on mobile devices.
Limitations and Warnings
- BETA phase: possible leaks.
- Not supported on tablets or Chromebooks.
- Not yet recommended for:
  - Darknet access.
  - Journalism in high-risk areas.
  - Whistleblowing in repressive contexts.
Early users act as voluntary testers.
Update: Oniux (Tor Project)
The Tor Project released Oniux, a utility combining OnionMasq + Arti + Linux namespaces to confine applications in isolated environments where traffic flows only through Tor.
Goal: zero leaks, even with malicious or misconfigured binaries.
Quick example (Linux):
# Install Rust if you don't have it:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Install Oniux from the official repository:
cargo install --git https://gitlab.torproject.org/tpo/core/oniux
# Encapsulate an app:
oniux electrum
oniux git clone https://example.com/repo.git
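One way to check the "zero leaks" goal from inside the confined process, as an added example that is not from the original post or the Oniux project: it compares the network namespace and interface list seen under oniux with the host's. The TUN device name onion0, the --live switch, the function names and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inspect what a process confined by oniux sees on the network.
# Assumption: the TUN device inside the namespace is named onion0.
TUN_NAME=${TUN_NAME:-onion0}

# Print interface names from /proc/net/dev-format text on stdin.
list_ifaces() {
    awk -F: 'NR > 2 && NF > 1 { gsub(/[ \t]/, "", $1); print $1 }'
}

# check_isolation HOST_NS
# stdin: line 1 = confined process's /proc/self/ns/net link, rest = its
# /proc/net/dev. Returns 0 only if the namespace differs from the host's
# and the interface set is exactly {lo, TUN_NAME}.
check_isolation() {
    host_ns=$1; rc=0
    IFS= read -r jail_ns || jail_ns=
    ifaces=$(list_ifaces)
    if [ -z "$jail_ns" ] || [ "$jail_ns" = "$host_ns" ]; then
        echo "FAIL: same network namespace as host ($host_ns)"; rc=1
    fi
    if ! printf '%s\n' "$ifaces" | grep -qx "$TUN_NAME"; then
        echo "FAIL: $TUN_NAME missing, no Tor path in this namespace"; rc=1
    fi
    for ifc in $ifaces; do
        case "$ifc" in
            lo|"$TUN_NAME") ;;
            *) echo "FAIL: extra interface $ifc could bypass Tor"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK: only lo and $TUN_NAME in $jail_ns"; fi
    return "$rc"
}

# Constructed /proc/net/dev samples (columns shortened), not captured output.
sample_jail() {
    printf '%s\n' 'Inter-| Receive | Transmit' ' face |bytes packets|bytes packets' \
        '    lo:       0       0       0       0' 'onion0:   51234      88   20110      91'
}
sample_host() {
    printf '%s\n' 'Inter-| Receive | Transmit' ' face |bytes packets|bytes packets' \
        '    lo:    9120      64    9120      64' ' wlan0: 8812345    9021  771234    6110'
}

# Live check: sh check.sh --live  (needs oniux installed and Tor reachable).
if [ "${1:-}" = "--live" ]; then
    oniux sh -c 'readlink /proc/self/ns/net; cat /proc/net/dev' |
        check_isolation "$(readlink /proc/self/ns/net)"
fi
```

This only covers the kernel-level view (namespace and interfaces); application-layer identifiers such as fingerprints and metadata are outside what it can see.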
Note: some tools (e.g., curl) block .onion due to RFC 7686 even inside Oniux. Use compatible clients or adjust your workflow.
UDP/QUIC and the Future
Currently Tor is TCP-first. Proposal 339 exists for UDP over Tor, but it is not yet implemented at scale. Plan your flows (Bitcoin P2P, Electrum, APIs) over TCP.
Relevance for Bitcoiners
- Electrum/Electrs: run inside Oniux to force all traffic through Tor, even if the app ignores SOCKS.
- Bitcoin Core/Services: combine OnionMasq/Oniux for outgoing traffic + onion services in Arti for RPC and dashboards.
- Ops/Infra: run git, ssh, wget inside Oniux in hostile networks, minimizing leaks.
Best Practices
- Maintain OPSEC hygiene (timing, fingerprints, metadata).
- Consider UDP limitations and blocked tools.
- For exposed services: use onion services and stay up to date with Arti improvements (RPC, DoS resistance, etc.).
Global Impact and Challenges
In many countries, mobile is the only Internet access. TorVPN democratizes strong privacy on mobile devices, a long-standing demand.
However, open questions remain:
- Will Tor maintain long-term support?
- Can it scale for global demand?
Previous projects such as Tor Messenger or Tor Cloud were abandoned.
Sources and References (DYOR)
- Tor GitLab: OnionMasq - https://gitlab.torproject.org/tpo/core/onionmasq
- Kernel docs: TUN/TAP - https://docs.kernel.org/networking/tuntap.html
- Tor Project Blog: Introducing Oniux - https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
- BleepingComputer: New Tor Oniux tool - https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/
- LWN.net: Oniux: kernel-level Tor isolation - https://lwn.net/Articles/1021354/
- RFC 7686 Issue (curl) - https://github.com/curl/curl/issues/17363
- Tor Proposal 339: UDP over Tor - https://spec.torproject.org/proposals/339-udp-over-tor.html
- Tor Forum (QUIC/HTTP3) - https://forum.torproject.org/t/when-will-tor-browser-support-newer-protocols/8731
- Arti 1.4.0 Release - https://blog.torproject.org/arti_1_4_0_released/
- Arti 1.4.6 Release - https://blog.torproject.org/arti_1_4_6_released/
Conclusion
TorVPN + OnionMasq + Oniux are not "just another VPN": they represent a deep redesign of digital privacy.
For mobile users and Bitcoiners, they offer real isolation without relying on third parties.
While still in BETA, use them with caution.
Privacy is not plug-and-play: it requires awareness and discipline.