Security, privacy, and limitations
BibaVPN is an experimental tunnel for research and personal labs. Read this before exposing a server to the internet or relying on it for high-stakes work.
Threat model (plain language)
| Actor | What they see |
|---|---|
| Your BibaVPN server operator | Effectively all bytes you send through the proxy—the same trust position as any SOCKS or VPN exit you route through. |
| Passive network observer | Outbound TLS to your server; goal of anti-DPI features is to blend that session with ordinary long-lived HTTPS / WebSocket use. There is no guarantee against every classifier or future analysis. |
| Active attacker without PSK | Should not decrypt the inner Biba v3 layer without breaking crypto or stealing secrets. |
BibaVPN is not an anonymity system like Tor. It does not hide that you connect to your server.
Credentials handling
psk,token, and invite passphrases are cryptographic secrets. Keep them out of git (see repository.gitignorepatterns), chat logs where possible, and public bug reports.- The default design carries
tokenin the v3 sealed AUTH frame, not in the WebSocket URL. Avoid reviving--legacy-path-authunless you must support obsolete clients—it is documented as weaker. - Rotate credentials if they ever leak or if a former administrator should lose access.
TLS verification
--insecureon the client disables certificate verification. Use only on trusted loopback tests (for example the Hub Docker lab). For real use:--pin-cert, or embedded pin inside a v3 invite from--print-invite-uriwith file-based--cert/--key(rustls or--tls-stack boringwhen built withboring-tls).
Experimental software
- The protocol may change; a future BibaV4 inner format could break interoperability. Pin versions and read CHANGELOG.md before upgrading.
- There is no commercial warranty; operate under your own risk assessment.
Responsible disclosure
Report security bugs privately using the process in SECURITY.md.
Legal and compliance
You are responsible for obeying laws and contracts in your jurisdiction (export rules, acceptable use, provider terms, workplace policy). This documentation is not legal advice.
Further reading
- README.md — Security
- PROTOCOL.md — cryptographic framing and invite design
- Server setup / Client setup — safe defaults in deployment