Transport Modes
Transport Modes
One protocol, many ways to carry it. Even when a whole protocol looks blocked, switching its transport mode often restores a working path. This guide maps every transport OrbVPN ships — and exactly when to reach for each one.
Why Transports Matter
A transport mode is how a protocol's traffic travels across the network. The same protocol can run directly, over a WebSocket, through a CDN, or with its TLS handshake disguised. When a censor blocks the most obvious path, a different transport for the very same protocol frequently slips through untouched.
As a rule: the most direct transport is fastest, and each step toward heavier stealth (WebSocket, then CDN-Fronting) trades a little speed for resilience against blocking. Pick the lightest transport your network allows.
CDN-Fronting, explained
Several transports route through the Cloudflare CDN. To a censor this traffic is indistinguishable from ordinary HTTPS to millions of legitimate websites — so blocking it means blocking the wider internet. That is why CDN-Fronting is the strongest stealth option, at the cost of one extra network hop.
WireGuard Transports
Direct UDP
Standard WireGuard over UDP. The fastest, lowest-overhead path. Use it on any open network.
CDN-Fronting
Routes WireGuard through a Cloudflare WebSocket bridge to UDP. Use it when your network blocks UDP or WireGuard directly — it hides inside ordinary HTTPS.
VLESS Transports
VLESS carries the widest range of transports, which is why it is OrbVPN's flagship anti-censorship protocol. Its default — Reality — is also the strongest disguise.
Reality (TCP) — Default
XTLS-Vision over TCP with a forged TLS handshake against a real allowed site. The most secure and undetectable VLESS transport, and the basis for mimicry profiles.
Plain TCP
Raw TCP with no TLS layer, giving a minimal protocol signature. Often the best path through DPI in Iran, Russia, and China when Reality is being throttled.
WebSocket
Carries VLESS inside a WebSocket connection. Works on restricted networks that only permit HTTP-shaped traffic.
gRPC
Efficient, multiplexed transport over HTTP/2. A good option on networks that allow HTTP/2 and benefit from multiplexing.
CDN-Fronting
Routes VLESS through Cloudflare so it looks like normal HTTPS. The maximum-stealth VLESS transport for heavy censorship (mobile platforms).
A note on HTTP/2
An HTTP/2 transport exists in the protocol design but is not yet enabled in the app. The available VLESS transports are Reality (TCP), Plain TCP, WebSocket, gRPC, and CDN-Fronting.
OrbConnect Transports
Direct HTTPS
OrbConnect's standard HTTPS tunnel. Fast and secure for open and lightly filtered networks.
CDN-Fronting
Routes OrbConnect through a Cloudflare WebSocket bridge to its TCP endpoint. Maximum stealth — it hides inside ordinary Cloudflare HTTPS.
SSH Tunnel Transports
Direct SSH
A standard SSH connection. Fastest SSH path. Use it where SSH is allowed without inspection.
Obfuscated SSH (OSSH)
Scrambles the SSH handshake into random-looking bytes (ChaCha20 keyed by Argon2id), so DPI cannot recognize it as SSH.
OSSH + WebSocket
Wraps OSSH in a WebSocket so it looks like web traffic. Use it where only HTTP-shaped traffic passes.
OSSH + CDN
Routes OSSH through Cloudflare for maximum stealth under the heaviest censorship.
Full details
The SSH transports have a dedicated guide with region recommendations — see SSH Tunnel & OSSH.
Choosing a Transport: The Order to Try
Start Direct
Use the most direct transport for your protocol — WireGuard Direct UDP, VLESS Reality, OrbConnect Direct HTTPS, or Direct SSH. Best speed, lowest overhead.
Strip TLS or Obfuscate
If a direct transport connects but passes no data (a throttling signature), move to VLESS Plain TCP, or to OSSH for the SSH Tunnel, to reduce your protocol signature.
Go HTTP-Shaped
If only HTTP traffic passes, switch to a WebSocket transport — VLESS WebSocket or OSSH + WebSocket.
Front Through a CDN
Under heavy censorship, choose a CDN-Fronting transport so your traffic hides inside ordinary Cloudflare HTTPS. The most resilient option, with one extra hop.
Auto does this for you
You rarely need to walk this ladder by hand. Connect on Auto (Smart Connect) and OrbVPN tries the right transports in the right order for your detected region, verifying real traffic before it settles. Set a manual region override if geolocation is wrong — see Region & Failover.
Transport Troubleshooting
UDP Blocked
WireGuard will not connect at all. Switch WireGuard to CDN-Fronting, or move to VLESS, OrbConnect, or the SSH Tunnel.
Connects but No Traffic
Typical of throttling. On VLESS, switch from Reality to Plain TCP. On SSH, switch to OSSH. Or change mimicry profile.
Only Web Traffic Allowed
Use a WebSocket transport (VLESS WebSocket or OSSH + WebSocket), or a CDN-Fronting transport.
Everything Direct Is Blocked
Reach for a CDN-Fronting transport. To block it, the network would have to block Cloudflare and millions of sites with it.
There Is Always a Path
Between protocols and their transports, OrbVPN almost always has a working route through. Let Auto find it for you.