Transport Modes

Freedom Messenger supports three transport modes that determine how users connect to your server. Each mode offers different levels of protection against network inspection and blocking.

HTTPS Mode

How It Works

Direct encrypted connection using standard HTTPS. The server obtains a TLS certificate from Let's Encrypt automatically and renews it before expiration.

Browser --HTTPS--> :443 (Go TLS + Let's Encrypt) --> Freedom Messenger

When to Use

When your server's IP address is not blocked and you do not need to hide the fact that users are connecting to your server. This is the simplest mode.

Requirements

  • Ports 443 and 80 open
  • Domain A record pointing to server IP
  • No other web server running on port 443
  • An email address for Let's Encrypt notifications

Cloudflare Mode

How It Works

Your server sits behind Cloudflare's global CDN. All traffic goes through Cloudflare first, so external observers see connections to Cloudflare's network — not to your server directly.

Browser --HTTPS--> Cloudflare CDN --HTTP--> :8080 --> Freedom Messenger

When to Use

When you want to hide your server's IP address. Useful if your server is in a country with internet restrictions — network monitors see traffic going to Cloudflare (a major CDN used by millions of websites), not to your specific server.

Requirements

  • Cloudflare account (free tier works)
  • Domain DNS managed by Cloudflare
  • Port 8080 open (Cloudflare connects to this port)
  • Cloudflare proxy (orange cloud) enabled for your domain

Setup Tips

  • In Cloudflare, set SSL/TLS mode to "Full" or "Full (strict)" if you have an origin certificate
  • The server trusts the CF-Connecting-IP header to identify users' real IP addresses for rate limiting
  • Optional: configure a Cloudflare origin certificate for encrypted connection between Cloudflare and your server

VLESS Mode

How It Works

The server embeds Xray-core to serve VLESS+REALITY protocol on port 443. To any network observer, the traffic looks identical to a normal TLS connection to microsoft.com (or another configured SNI). Even deep packet inspection (DPI) systems cannot distinguish it from real traffic.

VLESS Client --REALITY TLS--> :443 (Xray) --internal--> :8080 --> Freedom Messenger

When to Use

Maximum protection. When the network you operate in uses DPI to detect and block VPNs, proxies, and non-standard traffic. This mode makes your server completely invisible to inspection systems.

Requirements

  • Port 443 open
  • Domain A record pointing to server IP
  • Users must connect through VLESS-compatible client apps (the browser-based interface works through the Xray fallback to the cover website)

Generated Keys

The setup wizard generates the required cryptographic keys:

  • UUID — unique client identifier
  • X25519 private/public key pair — for REALITY handshake
  • Short ID — additional client authentication

These are stored in config.toml under the [stealth] section.

Choosing a Mode

Criteria HTTPS Cloudflare VLESS
Setup difficulty Easy Medium Medium
DPI resistance None Moderate Maximum
IP hidden No Yes No
Browser access Direct Direct Via cover site only
Latency Lowest Low Low
The transport mode is set once during freedom-mess setup. Changing it later requires re-running the setup wizard. Your data is preserved.