OnionPhone is a VOIP tool for calling over Tor networ which can be used as a VOIP plugin for TorChat. Call is targeted by the Onion address of the recipient (its hidden service HS). The recipient can initialize a reverse Onion connection to the originator's HS and use a faster channel periodically resetting the slower channel to reduce overall latency.

The ability to switch to a direct UDP connection (with NAT traversal) after the connection is established over Tor (Tor instead of SIP without a specialized server, any registration or metadata collection) is also provided. In addition, OnionPhone can establish a direct UDP or TCP connection to the specified port on IP-address or host.


OnionPhone uses a custom UDP/TCP protocol (not RTP) with only one byte unencrypted header that can provide some obfuscation against DPI.


OnionPhone provides independent level of p2p encryption and authentication that uses modern cryptographic primitives: Diffie-Hellmann key exchange with Elliptic Curve 25519 and Keccak Sponge Duplexing encryption. In the case of a call to the Onion address Tor protects against MitM attacks. Also the recipient can verify identity of the originator's Onion address (only with the permission of the sender) similarly to the TorChat authentication.


Other possible ways of multifactor authentication are:

  • voice (biometrics);
  • using previously shared password (with the possibility of hidden notification under enforcement);
  • using a long-term public keys signed by PGP.


Onion Phone provides Perfect Forward Secrecy (uses a fresh key for each call) and Full Deniability for using long-term public keys of participants (as a fact and a content of the conversation): like a deniable SKEME protocol uses for initial key exchange.


OnionPhone can use a wide range of built-in voice codecs (C source included) from ultra low-bitrates up to high quality. The full list is: MELPE-1200, MELP-2400, CODEC2-1300, CODEC2-3200, LPC10-2400, CELP4800, AMR-4750/12200+DTX, LPC-5600+VOCODER, G723-6400, G729-8000, GSM-HR-5600, GSM-FR-13200, GSM-EFR-12400, ILBC-13333, BV16-16000, OPUS-6000VBR, SILK-10000VBR, SPEEX-15200VBR+R. Some of them are free but some require a license (check regional laws).


Additional features: implemented noise suppressors (NPP7 and SPEEX) of environment sounds and automatic mic gain control. Built-in LPC vocoder featuring irreversible voice chage (robot, whisper etc.).

Specially designed dynamic adaptive buffer useful for smart jitter compensation in high latency Onion environment. Radio mode (Push to Talk) and voice control mode (Voice Active Detector with generation a short signal when transmission is completed) are available.


Are available control interfaces (UI) using Telnet and WebSocket (HTML5 GUI on JavaScript using a web-browser).

Crossplatform Qt GUI TorChat + OninPhone + H.264 video is in plans now.


The OnionPhone project:

  • uses command-line style, does not require installation and can be run from removable disk or TrueCrypt container;
  • is fully open source, developed on pure C at the possible lowest level and carefully commented;
  • is statically linked, does not require additional third-party libraries and uses a minimum of system functions;
  • can be compiled under Linux OS (Debian, Ubuntu etc.) using GCC or under Win32 OS (from Windows 98 up to 8) using MinGW. The build for Android and crossplatform library style with minimal necessary API are in plans now.

I. Installation

The easiest way is to use OnionPhone as a VOIP plugin for TorChat:

  • Step 1: Put the OnionPhone folder on the hard disk, removable media or TrueCrypt container (preferred).
  • Step 2: Edit the TorChat configuration file /torchat/bin/Tor/torrc.txt:
    immediately following the line:
  • HiddenServicePort 11009
    add the a new line:
    HiddenServicePort 17447
    then run the TorChat.
  • Step 3: Right click on myself icon of TorChat contact list and copy ID to clipboard. Edit the OnionPhone configuration file conf.txt: specify our Onion address using copied ID, for example: Our_onion=gegelcy5fw7dsnsn
    Once started the OnionPhone now is ready to receive incoming and make outgoing calls.

II. Key management:

OnionPhone uses public keys to authenticate the subscribers to each other using PGP. Once you must generate long-term key pair (public and private keys), sign public key using PGP and add it to your address book. After this yor can establish un-authenticated (but still encrypted) connection with other subscriber, send own public key to him and receive his public key. After checking PGP signatures you and your subscriber set some trust level to received keys and now authenticated calls each other are avaliable.


Console utility addkey is useful for key management:


  • Step 1: To generate a new key pair run: ./addkey -Gname [-Yaccess] [options] where name is your identifier, access is the password that will be used to encrypt your private key and options will be passed to other participants. If -Y is omitted the private key will be stored unencrypted. In this case it is recommended to store OnionPhone folder in a protected place (TrueCrypt container etc.). The most common use is option -Oour_onion_address to present own address. Upon receipt of your key this option will be automatically copied in address books of other participants.
    For example, after the command:
    ./addkey -Galice -Y1234 -Or4kxspnzpnsel4fu
    files alice.sec (the private key encrypted using password 1234) and alice (the public key) will be created in the folder keys.
  • Step 2: To sign the public key open it as a text and sign their content using PGP. Signature must be added to the key file. Once the key has been signed further edition is not allowed (renaming is still possible).
  • Step 3: Before using the key you must add it to your address book:
    ./addkey -Aalice
    To use this key as its own default edit the OnionPhone configuration file conf.txt specifying the key's name:
  • Step 4: Now you can send the key to other users. For transmission of the key establish an un-authenticated call guest to guest with the other party (see above) and execute -Kname, where name is the key for transmission (or -K without parameter if this key is assigned as your own default). Key will be automatically added to the remote address book with the lowest possible level of trust. After manual PGP signature check of the the key file other parties can set the desired trust level by editing -L parameter to the corresponding entries in the address book file keys / contacts.txt, for example:
    [alice] {FNrjEjGmlZtvKXzBQkNIDA ==} #alice -Or4kxspnzpnsel4fu -L1

    You can also pass the key in any other way (for example, by email). The recipient verifies PGP signature in the key file and determines the necessary trust level, then add the key to the address book indicating the trust level as -Llevel, for example:
    ./addkey -Aalice -L1

III. Calls:

  • To accept an incoming call press Enter.
  • To make an outgoing call as a guest to guest (without use of personal keys) type command: -Oremote_onion_address and press Enter then wait 10 - 30 sec for connection over Tor to be established.
  • To toggle continuous voice transmission press Enter. Hold down / release the Tab for Push-to-Talk mode.
  • To apply the voice codec from 1 to 18 use the command -Ccodec_number. Smaller numbers correspond to low bitrate codecs, greater ones are for high quality. Numbers from 16 to 18 correspond to the variable bit rate codecs.
  • To enable security vocoder use the command -Qmode, where mode=3 corresponds to "whisper" voice (recommended), modes 6-255 correspond to "robot" etc.
  • To deactivate the vocoder use the command -Q-3. To use the chat feature type a message and send it by pressing Enter.
  • To switch to direct UDP connection use the command -S (both parties must do this).
  • To return into Tor from direct UDP connection use the command -O.
  • To end the call use the command -H.
  • To show contacts from adress books use the command -V or -Vfilter, where filter is substring for searching.
  • To extract command for calling use -Ename where name is your subscriber for next call. Use -E without name for recalling.
  • To exit the OnionPhone use the command -X or hit Esc twice for emergency exit.

  • IV. Console

    The keyboard is used to typing the commands, control the voice transmission and navigating in menu.

    Control keys are:

    1. Back removes the last typed character.
    2. Del clears the typed string.
    3. Tab activates voice transmission while key is held down (Push-to-Talk mode).
    4. Sift+Tab (Linux) or Ctrl+Tab (Windows) activates the voice detector.
    5. Up, Down arrows are used to navigate between menu units.
    6. Left, Right arrows are used to select menu items.
    7. Enter:
      - answers while incoming call is waits for being accepted;
      - enables / disables continuous voice transmission if command line is empty;
      - if the first char of command string is "-" (command was typed) processes the command;
      - otherwise sends typed chat message.
    8. Esc:
      - rejects while incoming call is waits for being accepted;
      - if hit twice immideately exits the program clearing the memory.

    V. Telnet

    OnionPhone can be used as a daemon controlled by any Telnet client or by any other application using Telnet protocol. Specify control interface in the file conf.txt:


    For activation of Telnet mode the first sends string #. After this you can send an OnionPhone commands as described above and receive text reports. Additional feature is the usage of the string #ascii_code for emulate the key pressing. For examples, #13 emulates Enter. Note: #10 clears the command string and emulates Enter.

    VI. WEB interface

    Web interface is the HTML5 local web-page uses JavaS—Āript for the user-friendly graphical interface that controls the Onion Phone daemon. WebSocket protocol shares the OnionPhone control interface, specified in the file conf.txt:
    Your Web-brouser must support HTML5, WebSocket and JavaScript must be enabled. Note that only local JavaScript will be used (can be inspected in files \webgui\js\tooltip.js and \webgui\js\websock.js in OnionPhone folder). Press Connect button for the WebSocket bidirectional asynchrone connection between browser and OnionPhone. Then use graphic elements for controlling the OnionPhone and see Log for checking results. Pop tabs are useful to study the the interface.