Allow traffic to and from *.signal.org on TCP port 443 and all UDP ports. If you have a transparent or reverse proxy, it needs to support WebSockets. Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also utilizes a random UDP port.
In addition to *.signal.org, Signal utilizes other domains to support sharing group links, sticker packs, usernames, etc. You may also want to allow traffic to and from the following domains:
- signal.art
- signal.group
- signal.link
- signal.me
- signal.tube
If the wildcard FQDN config is not working properly and you notice issues with calling, allow turn3.voip.signal.org and sfu.voip.signal.org. These are subject to change at any time.
More specifically:
- REQUIRED for group calls: TCP 443, UDP 10000
- REQUIRED for 1:1 calls: TCP 443 only
- RECOMMENDED for 1:1 calls, relay only: TCP 443, UDP 3478
- RECOMMENDED for 1:1 calls: TCP 443, all UDP
- Other ports may be used if they are available.
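The following is an added example, not Signal's own tooling: it audits an egress allowlist offline against the port list above and the extra domains listed earlier, merging overlapping port ranges so that "all UDP" split across several rules still counts. The rule tuple format, the sample rules, checking both named voip hosts for every call mode, and TCP 443 for the extra domains are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Port requirements copied from the list above; "all UDP" is modelled as 1-65535.
CALL_MODES = {
    "group calls (required)": [("tcp", 443, 443), ("udp", 10000, 10000)],
    "1:1 calls (required)": [("tcp", 443, 443)],
    "1:1 calls, relay only (recommended)": [("tcp", 443, 443), ("udp", 3478, 3478)],
    "1:1 calls (recommended)": [("tcp", 443, 443), ("udp", 1, 65535)],
}
CALL_HOSTS = ["turn3.voip.signal.org", "sfu.voip.signal.org"]
EXTRA_DOMAINS = ["signal.art", "signal.group", "signal.link", "signal.me", "signal.tube"]

# Constructed sample allowlist: (FQDN pattern, protocol, first port, last port).
SAMPLE_RULES = [
    ("*.signal.org", "tcp", 443, 443),
    ("*.signal.org", "udp", 3478, 3478),
    ("signal.art", "tcp", 443, 443),
]

def allowed(rules, host, proto, low, high):
    """True if every port in low..high is covered by rules matching host and proto."""
    spans = sorted((lo, hi) for pat, p, lo, hi in rules
                   if p == proto and fnmatchcase(host.lower(), pat.lower()))
    need = low                      # lowest port not yet known to be covered
    for lo, hi in spans:
        if lo > need:               # gap before this rule starts
            break
        need = max(need, hi + 1)
        if need > high:
            return True
    return False

def audit(rules):
    """Return {check name: bool} for each call mode and each extra domain."""
    report = {}
    for mode, needs in CALL_MODES.items():
        # Assumption: each named voip host must be reachable on the mode's ports.
        report[mode] = all(allowed(rules, h, proto, lo, hi)
                           for h in CALL_HOSTS for proto, lo, hi in needs)
    for domain in EXTRA_DOMAINS:
        # Assumption: the extra domains are checked on TCP 443 only.
        report[f"{domain} tcp/443"] = allowed(rules, domain, "tcp", 443, 443)
    return report

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_RULES).items():
        print(f"{'OK     ' if ok else 'BLOCKED'} {check}")
```

With the sample rules, a *.signal.org wildcard alone leaves group calls and four of the five extra domains blocked, because the wildcard does not match signal.art and the other separate domains.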
Common issues that may indicate you should check your network or firewall settings:
- You have Google Play Services working and cannot register for Signal Android.
- You do not see a QR code to scan when linking with Signal Desktop.
- You see a captcha when registering.
- Calls end after a fixed amount of time.
- Individual chats do not show your contact's name, only the phone number.
- Group chats are not visible.