In order to work well, Wire needs to have access to the following domain names:
wire.com, www.wire.com, prod-nginz-https.wire.com, prod-nginz-ssl.wire.com, prod-assets.wire.com, wire-app.wire.com, clientblacklist.wire.com
Wire uses load balancers that return dynamic IP addresses for these domain names, so any whitelisting has to be based on domain names rather than IP addresses. All of these domain names need to be reachable on TCP port 443.
If IP-to-IP connections are not possible, Wire uses TURN servers to relay calls. The list of TURN servers can be obtained by looking up the SRV record of the domain name _turn._udp.prod.wire.com.
Currently the TURN servers are:
turn01.de.prod.wire.com, turn02.de.prod.wire.com, turn03.de.prod.wire.com, turn04.de.prod.wire.com
TURN servers need to be reachable on all UDP ports for highest reliability. Should that not be possible, TURN servers will be contacted on port 3478 via TCP or port 5349 via TLS. For a more robust calling experience, outbound UDP connections to all IP addresses should be allowed.
Some firewalls may require the WebRTC and SRTP audio/video protocols to be enabled in application control.
Additionally, Wire might connect to other domain names, for example when link previews are generated, or when media like YouTube, Vimeo, SoundCloud, etc. are shared.
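An added example (not Wire's own tooling): a Python script that checks the TCP paths listed above from inside the network, resolving each name at connect time instead of pinning IP addresses. It covers TCP only, since a plain connect cannot confirm UDP reachability; the function names are hypothetical and the sample SRV output is constructed.

```python
import socket
import subprocess

# Domain names and ports are the ones listed on this page.
HTTPS_HOSTS = ["wire.com", "www.wire.com", "prod-nginz-https.wire.com",
               "prod-nginz-ssl.wire.com", "prod-assets.wire.com",
               "wire-app.wire.com", "clientblacklist.wire.com"]
TURN_SRV = "_turn._udp.prod.wire.com"
TURN_LISTED = [f"turn0{i}.de.prod.wire.com" for i in range(1, 5)]
TURN_TCP_PORTS = (3478, 5349)  # plain TCP, and TLS (which also runs over TCP)
# Constructed sample of `dig +short SRV` output (priority weight port target).
SAMPLE_SRV = "0 0 3478 turn01.de.prod.wire.com.\n0 0 3478 turn02.de.prod.wire.com.\n"

def parse_srv(dig_output):
    """Parse `dig +short SRV` lines into sorted, de-duplicated (target, port) pairs."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2].isdigit():
            records.append((fields[3].rstrip(".").lower(), int(fields[2])))
    return sorted(set(records))

def build_plan(turn_hosts):
    """Every (host, port) that must accept an outbound TCP connection."""
    plan = [(h, 443) for h in HTTPS_HOSTS]
    plan += [(h, p) for h in sorted(set(turn_hosts)) for p in TURN_TCP_PORTS]
    return plan

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake completes; the name is resolved on every call."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal, and timeout
        return False

def failures(plan, probe=tcp_reachable):
    """Return the plan entries the probe could not reach."""
    return [(h, p) for h, p in plan if not probe(h, p)]

if __name__ == "__main__":
    try:
        out = subprocess.run(["dig", "+short", "SRV", TURN_SRV],
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""  # dig missing or blocked: fall back to the hosts listed above
    turn = [t for t, _ in parse_srv(out)] or TURN_LISTED
    for host, port in failures(build_plan(turn)):
        print(f"BLOCKED tcp/{port} {host}")
```

Run it from a host behind the firewall being configured; any BLOCKED line names a rule that still has to be opened.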