BibaVPN server provisioning (control plane → VPS)

The control plane provisions each user instance with file-based self-signed TLS, certificate pinning in the invite, and hardened bibavpn-server flags. This matches the secure deployment model documented for manual VPS setup.

What the provisioner does

On each provision (SSH to the Docker host):

  1. Creates a persistent cert directory on the host: {CONTROL_PLANE_BIBA_CERT_BASE_DIR}/{container_name}/
  2. Generates a 4096-bit RSA self-signed cert once (reused on container restart if the directory remains).
  3. Runs bibavpn-server in Docker with:
       • --cert / --key (not --self-signed-san)
       • --read-only + tmpfs for /tmp
       • v3 defaults: --proto-domain default, --pad-mode adaptive
       • auth rate limits, session caps, handshake/mux timeouts
       • --print-invite-uri (embeds pin_cert_pem — clients do not need --insecure)
  4. Waits for biba://… in container logs and stores it on the instance.
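The four provisioning steps above as an added shell example; this is not the control plane's own provisioner code. The cert/key file names, the /certs mount path inside the container and the 203.0.113.10 sample host are assumptions, and the rate-limit, session-cap and timeout flags are left out because their names are not given here.

```shell
#!/bin/sh
# Added example, not the control plane's own provisioner code: the host-side
# steps run over SSH, written as idempotent POSIX sh functions.
# Assumptions: cert/key file names, the /certs mount path, and the sample host.
set -eu

CERT_BASE_DIR="${CONTROL_PLANE_BIBA_CERT_BASE_DIR:-/var/lib/bibavpn/certs}"
CERT_VALIDITY_DAYS="${CONTROL_PLANE_BIBA_CERT_VALIDITY_DAYS:-825}"

# Steps 1-2: create the per-instance directory and generate the 4096-bit RSA
# self-signed cert only if it is missing, so a container restart keeps the
# cert that already-issued invites pin. Prints "generated" or "reused".
ensure_cert() {
  dir="$1"; host="$2"; days="$3"
  mkdir -p "$dir"
  if [ -s "$dir/cert.pem" ] && [ -s "$dir/key.pem" ]; then
    echo reused
    return 0
  fi
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;  # DNS-name public_host
    *)         san="IP:$host" ;;   # dotted-IPv4 public_host
  esac
  # SAN matches public_host so the pinned cert also passes SNI/hostname checks
  openssl req -x509 -newkey rsa:4096 -nodes -days "$days" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=$host" -addext "subjectAltName=$san" >/dev/null 2>&1
  chmod 600 "$dir/key.pem"
  echo generated
}

# Step 3: the docker run command, printed for review instead of executed.
# Only flags named in the document are used; rate-limit, session-cap and
# timeout flags are omitted because their names are not given there.
docker_run_cmd() {
  name="$1"; dir="$2"; image="$3"
  printf '%s\n' "docker run -d --name $name --read-only --tmpfs /tmp" \
    "  -v $dir:/certs:ro $image" \
    "  --cert /certs/cert.pem --key /certs/key.pem" \
    "  --proto-domain default --pad-mode adaptive --print-invite-uri"
}

# Step 4: return the first biba:// invite URI found in container log text
# read from stdin (e.g. piped from docker logs).
extract_invite() {
  grep -o 'biba://[^[:space:]]*' | head -n 1
}
```

For one instance the calls run in order: ensure_cert "$CERT_BASE_DIR/$name" "$public_host" "$CERT_VALIDITY_DAYS", then docker_run_cmd, then docker logs -f "$name" | extract_invite to capture the URI that is stored on the instance record.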

Environment variables

Variable                                Default                  Meaning
CONTROL_PLANE_BIBA_IMAGE                bibavpn-server:local     Docker image for new instances
CONTROL_PLANE_BIBA_CERT_BASE_DIR        /var/lib/bibavpn/certs   Host path for per-instance TLS material
CONTROL_PLANE_BIBA_CERT_VALIDITY_DAYS   825                      Self-signed cert lifetime (days)
CONTROL_PLANE_DEFAULT_CONTAINER_PORT    8443                     Internal container listen port
CONTROL_PLANE_DEFAULT_WS_PATH           /ws                      WebSocket path
CONTROL_PLANE_DEFAULT_MAX_WS_BINARY     262144                   Max WS binary frame size (bytes)

VPS requirements

In addition to Docker and tc shaping:

  • openssl on the host (cert generation)
  • Writable CONTROL_PLANE_BIBA_CERT_BASE_DIR (typically /var/lib/bibavpn/certs)
  • public_host on the server record must match what clients use for SNI (IP or DNS name)

Client connection

Users receive:

  • invite_uri (biba://…) — may be shared over an ordinary channel
  • invite_passphrase — share separately (portal shows both)

Clients should connect with --from-invite; the certificate pin is carried inside the invite. Do not use --insecure for control-plane instances.

Manual reference

See also server-setup.md for the same TLS/pin model when deploying without the control plane.