Allow traffic to and from *.whispersystems.org and *.signal.org on TCP port 443 and all UDP ports. If you have a transparent or reverse proxy, it needs to support WebSockets. Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also utilizes a random UDP port. The underlying IPs are constantly changing, so it'd be hard to define accurate firewall rules.
If the wildcard FQDN config is not working properly and you notice issues with calling, allow turn3.voip.signal.org and sfu.voip.signal.org. These are subject to change at any time.
- REQUIRED for group calls: TCP 443, UDP 10000
- REQUIRED for 1:1 calls: TCP 443 only
- RECOMMENDED for 1:1 calls, relay only: TCP 443, UDP 3478
- RECOMMENDED for 1:1 calls: TCP 443, all UDP
- Other ports may be used if they are available.
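To check an egress allow-list against the list above before rolling it out, the following added example (not Signal's own tooling) reports which call features a rule set would block. It assumes every listed port is needed towards every host under both wildcards; the rule format, the `constructed.*` probe names and the `single_label` switch (a device whose `*` matches only one DNS label, which is one way a wildcard FQDN config can fail to cover turn3.voip.signal.org and sfu.voip.signal.org) are assumptions of the example.

```python
"""Audit an egress allow-list against the Signal port requirements listed above."""
ALL_PORTS = (1, 65535)
T443 = ("tcp", (443, 443))
# Port needs per feature, copied from the list on this page.
FEATURES = {
    "group calls (required)": [T443, ("udp", (10000, 10000))],
    "1:1 calls (required)": [T443],
    "1:1 calls, relay only (recommended)": [T443, ("udp", (3478, 3478))],
    "1:1 calls (recommended)": [T443, ("udp", ALL_PORTS)],
}
# Probe names: the two hosts named on this page plus one constructed name per wildcard.
HOSTS = ["turn3.voip.signal.org", "sfu.voip.signal.org",
         "constructed.signal.org", "constructed.whispersystems.org"]
# Constructed sample allow-list: (host pattern, protocol, first port, last port).
RULES = [(pat, proto, lo, hi)
         for pat in ("*.signal.org", "*.whispersystems.org")
         for proto, lo, hi in (("tcp", 443, 443), ("udp", 3478, 3478), ("udp", 10000, 10000))]

def host_matches(host, pattern, single_label=False):
    """Exact name or '*.suffix' wildcard; single_label models a '*' spanning one DNS label."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # e.g. ".signal.org"
    prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and not (single_label and "." in prefix)

def covered(rules, host, proto, want, single_label=False):
    """True if the union of matching rules' port ranges covers want=(lo, hi)."""
    spans = sorted((lo, hi) for pat, p, lo, hi in rules
                   if p == proto and host_matches(host, pat, single_label))
    need = want[0]
    for lo, hi in spans:
        if lo > need:
            break  # gap: a needed port is not allowed
        need = max(need, hi + 1)
        if need > want[1]:
            return True
    return False

def audit(rules, single_label=False):
    """Return {feature: [(host, proto, (lo, hi)), ...]} listing what is NOT allowed."""
    return {feat: [(h, proto, want) for h in HOSTS for proto, want in needs
                   if not covered(rules, h, proto, want, single_label)]
            for feat, needs in FEATURES.items()}

if __name__ == "__main__":
    for feature, missing in audit(RULES).items():
        print(feature, "OK" if not missing else f"blocked: {missing}")
```

An empty list for a feature means the rule set allows everything that feature needs; with `single_label=True` the two voip hosts show up as blocked until they are added by exact name.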
Common issues that may indicate you should check your network or firewall settings:
- You have Google Play Services working and cannot register for Signal Android.
- You do not see a QR code to scan when linking with Signal Desktop.
- You see a captcha when registering.
- Calls end after a fixed amount of time.