
BibaVPN: A DPI-resistant tunnel in Rust. TLS + WebSocket muxing with per-frame padding.
I've been working on a tunneling solution designed to bypass active probing and traffic analysis in restrictive environments. It's fully open-source (MIT) and written in pure Rust.
The Stack & Architecture:
- Transport: Wraps SOCKS5/HTTP-CONNECT into TLS + WebSocket.
- Multiplexing: Multiple streams over a single long-lived WebSocket connection to minimize TLS handshake fingerprints.
- Anti-DPI: Uses a shared-PSK layer (BibaV2) and per-frame random padding to obfuscate traffic patterns.
- Camouflage: Support for HTTP decoy/camouflage on the same port.
- Fingerprinting: Implementation of browser-ordered TLS upgrade headers (using a uTLS-like approach in the biba crate).
Why this instead of X? I wanted something that looks like standard HTTPS/WSS traffic to an outside observer, but provides full control over the frame padding and TLS hello. No proprietary "black box" protocols, just standard primitives used to hide the tunnel.
It’s still experimental, so I’m looking for feedback on the protocol spec and the multiplexing implementation.
Repo: https://github.com/Eljaja/BibaVPN
Protocol Details: Check PROTOCOL.md in the root.
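
To make the multiplexing and per-frame padding points concrete, here is an added sketch that is not taken from the BibaVPN repository: a padded, stream-tagged frame codec with a decoder that tolerates partial reads. The 6-byte header layout, the function names and the zero-filled padding are assumptions for illustration; the real wire format is whatever PROTOCOL.md specifies.

```rust
// Hypothetical layout (an assumption, NOT the BibaV2 wire format), big-endian:
//   stream_id: u16 | payload_len: u16 | pad_len: u16 | payload | padding
const HEADER_LEN: usize = 6;

#[derive(Debug, PartialEq)]
pub struct Frame { pub stream_id: u16, pub payload: Vec<u8> }

/// Encode one frame. `pad_len` should be drawn from a CSPRNG by the caller so
/// the on-wire size is decoupled from the payload size. Padding is zero-filled
/// here because the frame is assumed to travel inside TLS, where only lengths
/// are visible to an observer.
pub fn encode_frame(stream_id: u16, payload: &[u8], pad_len: u16) -> Option<Vec<u8>> {
    if payload.len() > u16::MAX as usize { return None; } // does not fit the length field
    let mut out = Vec::with_capacity(HEADER_LEN + payload.len() + pad_len as usize);
    out.extend_from_slice(&stream_id.to_be_bytes());
    out.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    out.extend_from_slice(&pad_len.to_be_bytes());
    out.extend_from_slice(payload);
    out.resize(out.len() + pad_len as usize, 0);
    Some(out)
}

/// Decode one frame from the front of `buf`. Returns the frame and the bytes
/// consumed, or None when the buffer does not yet hold a complete frame.
pub fn decode_frame(buf: &[u8]) -> Option<(Frame, usize)> {
    if buf.len() < HEADER_LEN { return None; }
    let stream_id = u16::from_be_bytes([buf[0], buf[1]]);
    let payload_len = u16::from_be_bytes([buf[2], buf[3]]) as usize;
    let pad_len = u16::from_be_bytes([buf[4], buf[5]]) as usize;
    let total = HEADER_LEN + payload_len + pad_len;
    if buf.len() < total { return None; } // wait for more bytes, padding included
    let payload = buf[HEADER_LEN..HEADER_LEN + payload_len].to_vec();
    Some((Frame { stream_id, payload }, total))
}

/// Demultiplex every complete frame in `buf`; the second value is how many
/// bytes were consumed, so the caller can keep the unread tail.
pub fn decode_all(buf: &[u8]) -> (Vec<Frame>, usize) {
    let (mut frames, mut used) = (Vec::new(), 0);
    while let Some((frame, n)) = decode_frame(&buf[used..]) {
        frames.push(frame);
        used += n;
    }
    (frames, used)
}

fn main() {
    // Constructed sample: two streams share one connection, with different padding.
    let mut wire = encode_frame(1, b"GET /", 11).unwrap();
    wire.extend(encode_frame(2, b"hi", 300).unwrap());
    let (frames, used) = decode_all(&wire);
    println!("{} frames, {} of {} bytes consumed", frames.len(), used, wire.len());
}
```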