In order to work well, Wire needs to have access to the following domain names:
wire.com, www.wire.com, prod-nginz-https.wire.com, prod-gninz-ssl.wire.com, prod-assets.wire.com, wire-app.wire.com
Wire uses load balancers that return dynamic IP addresses for these domain names, which means that potential whitelisting has to be based on domain names rather than IP addresses. All of these domain names need to be reachable on TCP port 443.
If IP-to-IP connections are not possible, Wire uses TURN servers to relay calls. The list of TURN servers can be obtained by looking up the SRV record of the domain name _turn._udp.prod.wire.com.
Currently the TURN servers are:
turn01.de.prod.wire.com, turn02.de.prod.wire.com, turn03.de.prod.wire.com, turn04.de.prod.wire.com
TURN servers need to be reachable on all UDP ports. However, for a robust calling experience, outbound UDP connections to all IP addresses should be allowed.
Additionally Wire might connect to other domain names, for example when link previews are generated, or when media like YouTube, Vimeo, SoundCloud, etc. are shared.