diff --git a/crates/client/Cargo.toml b/crates/client/Cargo.toml
index 6b81376..ac4b509 100644
--- a/crates/client/Cargo.toml
+++ b/crates/client/Cargo.toml
@@ -9,7 +9,8 @@ path = "src/main.rs"
 [dependencies]
 tokio = { version = "1", features = ["full"] }
-tokio-tungstenite = { version = "0.21", features = ["connect"] }
+tokio-tungstenite = { version = "0.21", features = ["connect", "native-tls"] }
+native-tls = { version = "0.2", features = [] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 helios-common = { path = "../common" }
diff --git a/crates/client/src/main.rs b/crates/client/src/main.rs
index c3c72b3..a2cb802 100644
--- a/crates/client/src/main.rs
+++ b/crates/client/src/main.rs
@@ -3,9 +3,10 @@ use std::sync::Arc;
 use std::time::Duration;
 use futures_util::{SinkExt, StreamExt};
+use native_tls::TlsConnector;
 use serde::{Deserialize, Serialize};
 use tokio::sync::Mutex;
-use tokio_tungstenite::{connect_async, tungstenite::Message};
+use tokio_tungstenite::{connect_async_tls_with_config, tungstenite::Message, Connector};
 use tracing::{error, info, warn};
 use helios_common::{ClientMessage, ServerMessage};
@@ -46,12 +47,12 @@ impl Config {
 fn prompt_config() -> Config {
 let relay_url = {
- println!("Relay server URL [default: ws://46.225.185.232:8765/ws]: ");
+ println!("Relay server URL [default: wss://remote.agent-helios.me/ws]: ");
 let mut input = String::new();
 std::io::stdin().read_line(&mut input).unwrap();
 let trimmed = input.trim();
 if trimmed.is_empty() {
- "ws://46.225.185.232:8765/ws".to_string()
+ "wss://remote.agent-helios.me/ws".to_string()
 } else {
 trimmed.to_string()
 }
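Review bot: In the Cargo.toml hunk, the new `native-tls` line carries an empty `features = []`, which adds nothing; `native-tls = "0.2"` says the same. This direct dependency also has to resolve to the same `native-tls` release that `tokio-tungstenite` 0.21 links, because `Connector::NativeTls` takes that crate's `TlsConnector`. A one-line comment next to it, such as `# must match the native-tls version used by tokio-tungstenite`, would keep a later bump from silently breaking the build.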
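Review bot: In the `prompt_config` hunk only the default moved to `wss://`; whatever the user types is still returned unchecked, so a `ws://` URL is accepted and, as far as tokio-tungstenite's scheme handling goes, would connect without TLS at all. Check the scheme before returning, for example `if !trimmed.starts_with("wss://") { eprintln!("warning: relay URL is not wss://, traffic will not be encrypted"); }`, or refuse such a URL outright. The `read_line(&mut input).unwrap()` context line also panics when stdin is closed, though that predates this change. `prompt_config` continues past the end of the hunk.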
@@ -111,7 +112,13 @@ async fn main() {
 loop {
 info!("Connecting to {}", config.relay_url);
- match connect_async(&config.relay_url).await {
+ // Build TLS connector - accepts self-signed certs for internal CA (Caddy tls internal)
+ let tls_connector = TlsConnector::builder()
+ .danger_accept_invalid_certs(true)
+ .build()
+ .expect("TLS connector build failed");
+ let connector = Connector::NativeTls(tls_connector);
+ match connect_async_tls_with_config(&config.relay_url, None, false, Some(connector)).await {
 Ok((ws_stream, _)) => {
 info!("Connected!");
 backoff = Duration::from_secs(1); // reset on success
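Review bot: `.danger_accept_invalid_certs(true)` turns off certificate validation for every relay connection, so the `wss://` link is encrypted but the server is never authenticated, and any certificate presented on the path is accepted, not only the internal CA's. If the relay really is signed by Caddy's internal CA, trust that root explicitly instead: load it with `native_tls::Certificate::from_pem(..)` from a shipped or configured `<internal-ca.pem>` and replace the flag with `.add_root_certificate(ca)`. The comment above the builder should then read `// trust only the relay's internal CA root`. The connector is also rebuilt on every pass of the reconnect loop and `.expect(..)` panics there, so building it once before `loop` would be cleaner. `main` starts and ends outside this hunk.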