Tor networking plugin for docker containers

• linux 386 / amd64 / arm / arm64

$ go get github.com/jessfraz/onion

NOTE: Make sure you are using Docker 1.9 or later

WARNING: By default all outbound udp traffic in the network should be blocked because it will not be routed through tor.

Start the tor router

NOTE: in the future it should be easier to start any container to route and have the plugin be smart about finding it, but for now.... deal with it.

$ docker run -d \
    --net host \
    --name tor-router \
    jess/tor-router

# follow the logs to make sure it is bootstrapped successfully
$ docker logs -f tor-router

Run the plugin container

$ docker run -d \
    --net host \
    --cap-add NET_ADMIN \
    --name onion \
    -v /run/docker/plugins:/run/docker/plugins \
    -v /var/run/docker.sock:/var/run/docker.sock \
    jess/onion

Create a new network

$ docker network create -d tor vidalia

Test it out!

$ docker run --rm -it --net vidalia jess/httpie -v --json https://check.torproject.org/api/ip

Unit tests:

$ make test

Integration tests:

$ make dtest

Thanks to the libnetwork team for writing the networking go plugin and of course the networking itself ;) Also a lot of this code is from the bridge driver in libnetwork itself.

Also huge thanks to the Tor project for protecting the internet.

• FIND A WAY TO DO THIS WITHOUT IPTABLES
• the tor router should be discoverable as any docker image or container name etc and the ports for forwarding should be able to be found through that
• the tor router should not have to be run as --net host
• moar tests (unit and integration)
• exposing ports in the network is a little funky
• saving state?
• make deny all udp traffic configurable
• udp integration tests suck
• unit tests