Introducing oniux: Kernel-level Tor isolation for any Linux app
34 points by cve
The classic solution is using two VMs, where one is a Tor (or other similar system) gateway and the second VM runs the application. Only the first one is connected to the internet. The second one can only communicate with the gateway (over a dedicated virtual network connection).
New oniux looks much more lightweight and easier to use.
Easier to use, but also not trying to do as much. At least, thinking of QubesOS, where there are separate VMs for a number of jobs, and isolation from each other is much of the point.
This kinda reminds me of a Linux implementation of Tor transparent proxying. I’ve done something similar, though using FreeBSD/HardenedBSD jails: https://git.hardenedbsd.org/shawn.webb/articles/-/blob/master/infosec/tor/2017-01-14_torified_home/article.md
I have a fully Torified network that automagically routes all traffic through Tor. I have a wifi access point and a switch behind this network, so I can plug in any device (or connect to the wifi network) and have 100% of that device’s TCP and DNS traffic route through Tor (without the device knowing/caring about Tor). Non-DNS UDP is blocked, of course.
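A Linux counterpart of the torified gateway described in this comment, added here as an example and not the commenter's own setup: a POSIX shell script that emits an nftables ruleset redirecting LAN TCP to Tor's TransPort and DNS to its DNSPort, while dropping all other UDP so nothing bypasses Tor. The LAN interface name, port numbers and Tor system user are assumptions.

```shell
#!/bin/sh
# Constructed example: transparent Tor gateway ruleset for a Linux router.
# Assumes Tor is configured with "TransPort 9040" and "DNSPort 5353" bound to
# the LAN-facing address; interface, ports and user below are assumed names.
LAN_IF="${LAN_IF:-eth1}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
TOR_UID="${TOR_UID:-debian-tor}"

# Print an nftables ruleset. On the LAN interface, DNS (udp/tcp 53) is sent to
# Tor's DNSPort and every other TCP connection to TransPort; the redirected
# flows then hit the input chain, which admits only those two ports. Non-DNS
# UDP from the LAN is dropped explicitly, forwarding is disabled, and only the
# Tor user may originate outbound traffic from the gateway itself.
gen_ruleset() {
cat <<EOF
table inet torgw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "$LAN_IF" udp dport 53 redirect to :$DNS_PORT
    iifname "$LAN_IF" tcp dport 53 redirect to :$DNS_PORT
    iifname "$LAN_IF" tcp redirect to :$TRANS_PORT
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname "$LAN_IF" tcp dport { $DNS_PORT, $TRANS_PORT } accept
    iifname "$LAN_IF" udp dport $DNS_PORT accept
    iifname "$LAN_IF" udp drop
  }
  chain output {
    type filter hook output priority filter; policy drop;
    oifname "lo" accept
    ct state established,related accept
    meta skuid $TOR_UID accept
  }
}
EOF
}

# Only load the rules into the kernel when explicitly asked (needs root).
if [ "${1-}" = "apply" ]; then
  gen_ruleset | nft -f -
fi
```

Run with `./torgw.sh apply` as root to load the rules, or without arguments to review the generated ruleset first.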