Allow *.whispersystems.org, *.signal.org, TCP port 443, and UDP traffic. If you have a transparent or reverse proxy, it needs to support WebSockets. Signal uses a non-standard TCP port to catch filtering issues at the signaling step and also uses a random UDP port, so all UDP ports will need to be opened. The underlying IPs are constantly changing, so accurate IP-based firewall rules are hard to define.
If the wildcard FQDN config is not working properly and you notice issues with calling, allow turn2.voip.signal.org, turn3.voip.signal.org, and sfu.voip.signal.org. These are subject to change at any time.
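The following added example (not Signal's code) checks an FQDN allowlist against the three call hostnames named above. It assumes one possible reason a wildcard rule may not cover them: a device that lets `*` stand for a single DNS label only. The function names and the `single_label` switch are hypothetical.

```python
"""Added example: which Signal call hosts does an FQDN allowlist cover?"""

# Rules and hostnames as listed on this page.
WILDCARDS = ["*.whispersystems.org", "*.signal.org"]
CALL_HOSTS = [
    "turn2.voip.signal.org",
    "turn3.voip.signal.org",
    "sfu.voip.signal.org",
]


def _labels(name):
    # Compare DNS names label by label, case-insensitively,
    # ignoring a trailing root dot.
    return name.lower().rstrip(".").split(".")


def rule_matches(rule, host, single_label):
    """Return True if `rule` (exact FQDN or '*.suffix') covers `host`.

    single_label=True models an assumed device where '*' matches exactly
    one DNS label; False models '*' matching one or more labels.
    """
    r, h = _labels(rule), _labels(host)
    if r[0] != "*":
        return r == h
    suffix = r[1:]
    extra = len(h) - len(suffix)  # labels the wildcard has to absorb
    if extra < 1 or h[extra:] != suffix:
        return False  # bare apex or a different domain
    return extra == 1 if single_label else True


def uncovered(rules, hosts, single_label):
    """Hosts that no rule in `rules` matches under the given semantics."""
    return [
        h for h in hosts
        if not any(rule_matches(r, h, single_label) for r in rules)
    ]


if __name__ == "__main__":
    for single in (False, True):
        mode = "single-label" if single else "multi-label"
        missing = uncovered(WILDCARDS, CALL_HOSTS, single)
        print(f"{mode} wildcard: uncovered = {missing or 'none'}")
    # With the explicit hosts added, both semantics cover everything.
    print(uncovered(WILDCARDS + CALL_HOSTS, CALL_HOSTS, True))
```

Replace `WILDCARDS` with the rules actually configured on your device to see whether the explicit hostnames need to be added.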
Common issues that may indicate you should check your network or firewall settings:
- You have Google Play Services working and cannot register for Signal Android.
- You do not see a QR code to scan when linking with Signal Desktop.
- You see a captcha when registering.
- Calls end after a fixed amount of time.