orjail v1.1-1 releases: force programs to exclusively use tor network


a more secure way to force programs to exclusively use tor network.


we’ve tried to deanonymize a program executed in torsocks environment and that was not so difficult as torsocks use LD_PRELOAD, so you only need to statically compile your stuff. as Whonix is sometimes too much, the idea is to experiment with Linux namespaces and learn by doing something useful (at least for us).

How it works

it creates a separated network namespace (using ip netns) with its own network interface and a link to the host interface with some iptables rules (on a host) that force traffic generated from inside orjail to the only exit via Tor (including DNS).
inside it, you’ll be in another pid namespace (this way you cannot switch namespace), and another mount namespace (we use this to show a different /etc/resolv.conf).

Changelog v1.1-1

  • remove genmkfile as dev-deps
  • fix #51 use standalone genmkfile
  • fix and clean hidden service usage
  • fix #53, add -p flag to specify a private home
  • More



  1. a Linux kernel supporting namespaces (you have it since 2008)
  2. Tor installed
  3. firejail (optional)
git clone https://github.com/orjail/orjail.git

additional info

  1. orjail needs root permission to run
  2. orjail runs your program as your user
  3. orjail will launch a Tor instance bound to orjail interface


run a hidden service inside orjail (you’ll find your address inside examples/hostname)

sudo orjail -v -H 8080 -d examples "python -m SimpleHTTPServer 8080"

getting a homepage content with curl via Tor

sudo orjail curl autistici.org > autistici.org

same as before with another user

sudo orjail -u another_user curl autistici.org

“resolve” an onion address (not so useful, just to show that .onion resolving works)

sudo orjail dig wi7qkxyrdpu5cmvr.onion

get an onion webserver content via Tor:

sudo orjail curl wi7qkxyrdpu5cmvr.onion

open a firefox that could reach internet via Tor only:

sudo orjail firefox -P /tmp/tmpprofile

firefox has a flag that blocks .onion resolution by default, change it in about:config/network.dns.blockDotOnion.

running a browser inside orjail is not safe, please use Tor Browser instead

get an anonymous shell

sudo orjail -s

run pidgin in verbose mode

sudo orjail -v pidgin

keep the namespace after exit so we can start another program in same ns

sudo orjail -k ls

Use firejail as a security sandbox to join orjail network namespace

sudo orjail -f thunderbird

Copyright (C) 2018 – underscore@autistici.org

Source: https://github.com/orjail/