pull down to refresh

TorVPN + OnionMasq + Oniux: A New Paradigm in Mobile Privacy and for Bitcoiners

Notice & DYOR
This post is educational. It does not constitute legal, financial, or security advice.
Always check local laws and consider your own threat model.
Tor and Arti evolve quickly: always confirm the sources at the end.

🌐 Context and Origin

The Tor Project, globally recognized for its browser and anonymity network, recently launched its own VPN application for Android: TorVPN, built on the OnionMasq architecture and written in Rust.
Unlike Orbot (maintained by Guardian Project since 2009), TorVPN integrates natively with Android’s VPN framework, marking a paradigm shift in mobile privacy.

Official site: https://gitlab.torproject.org/tpo/applications/vpn

πŸ”’ Commercial VPNs vs. TorVPN

Traditional VPNs:
  • Encapsulate all traffic into a single tunnel to a corporate server.
  • Risks: logs, government orders, single point of failure.
TorVPN (OnionMasq):
  • Splits traffic into multiple globally distributed hops (relays).
  • No single node knows both source and destination.
  • Per-app isolation: separate circuits for each app.
  • Example: your banking app will never share a route with your social network.

πŸ›‘ Censorship Circumvention

TorVPN integrates pluggable transports:
  • obfs4 β†’ disguises traffic as random data.
  • Snowflake (WebRTC) β†’ simulates a video call.
These mechanisms bypass deep packet inspection (DPI) where commercial VPNs often fail.

βš™ Technical Innovations

  • Socket protection: fixes Orbot’s routing loops.
  • DNS resolution over Tor: hides queries from ISPs.
  • Per-application metrics:
    • getBytesReceivedForApp
    • refreshCircuitsForApp
    • getCircuitCountryCodesForAppUID
Greater granularity compared to the binary on/off of classic VPNs.

πŸ“Š Usage Modes

  • Protect all apps
  • Protect selected apps
  • No apps protected
This level of control redefines privacy on mobile devices.

🚨 Limitations and Warnings

  • BETA phase: possible leaks.
  • Not supported on tablets or Chromebooks.
  • Not yet recommended for:
    • Darknet access.
    • Journalism in high-risk areas.
    • Whistleblowing in repressive contexts.
Early users act as voluntary testers.

🧩 Update: Oniux (Tor Project)

The Tor Project released Oniux, a utility combining OnionMasq + Arti + Linux namespaces to confine applications in isolated environments where traffic flows only through Tor.
Goal: zero leaks, even with malicious or misconfigured binaries.
Quick example (Linux):
# Install Rust if you don’t have it:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Install Oniux from the official repository:
cargo install --git https://gitlab.torproject.org/tpo/core/oniux

# Encapsulate an app:
oniux electrum
oniux git clone https://example.com/repo.git
⚠️ Note: some tools (e.g., curl) block .onion due to RFC 7686 even inside Oniux. Use compatible clients or adjust your workflow.

πŸ“‘ UDP/QUIC and the Future

Currently Tor is TCP-first. Proposal 339 exists for UDP over Tor, but it is not yet implemented at scale. Plan your flows (Bitcoin P2P, Electrum, APIs) over TCP.

β‚Ώ Relevance for Bitcoiners

  • Electrum/Electrs: run inside Oniux to force all traffic through Tor, even if the app ignores SOCKS.
  • Bitcoin Core/Services: combine OnionMasq/Oniux for outgoing traffic + onion services in Arti for RPC and dashboards.
  • Ops/Infra: run git, ssh, wget inside Oniux in hostile networks, minimizing leaks.

🧭 Best Practices

  • Maintain OPSEC hygiene (timing, fingerprints, metadata).
  • Consider UDP limitations and blocked tools.
  • For exposed services: use onion services and stay up to date with Arti improvements (RPC, DoS resistance, etc.).

🌍 Global Impact and Challenges

In many countries, mobile is the only Internet access. TorVPN democratizes strong privacy on mobile devices, a long-standing demand.
However, open questions remain:
  • Will Tor maintain long-term support?
  • Can it scale for global demand?
Previous projects such as Tor Messenger or Tor Cloud were abandoned.

πŸ“š Sources and References (DYOR)

  1. Tor GitLab: OnionMasq – https://gitlab.torproject.org/tpo/core/onionmasq
  2. Kernel docs: TUN/TAP – https://docs.kernel.org/networking/tuntap.html
  3. Tor Project Blog β€” Introducing Oniux – https://blog.torproject.org/introducing-oniux-tor-isolation-using-linux-namespaces/
  4. BleepingComputer β€” New Tor Oniux tool – https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/
  5. LWN.net β€” Oniux: kernel-level Tor isolation – https://lwn.net/Articles/1021354/
  6. RFC 7686 Issue (curl) – https://github.com/curl/curl/issues/17363
  7. Tor Proposal 339: UDP over Tor – https://spec.torproject.org/proposals/339-udp-over-tor.html
  8. Tor Forum (QUIC/HTTP3) – https://forum.torproject.org/t/when-will-tor-browser-support-newer-protocols/8731
  9. Arti 1.4.0 Release – https://blog.torproject.org/arti_1_4_0_released/
  10. Arti 1.4.6 Release – https://blog.torproject.org/arti_1_4_6_released/

Conclusion
TorVPN + OnionMasq + Oniux are not β€œjust another VPN”: they represent a deep redesign of digital privacy.
For mobile users and Bitcoiners, they offer real isolation without relying on third parties.
⚠️ While still in BETA, use them with caution.
Privacy is not plug-and-play: it requires awareness and discipline.