Daily uses a variety of domains, IP addresses, ports, and protocols to connect calls. If you're trying to make calls to and from a network behind a corporate firewall, or through a VPN, you'll need to make sure you can access the following domains:

Additionally, you'll want to make sure you can access *.daily.co on port 443, as it's used for a variety of fallback connection types.

If you have a VPN, Daily calls will have much better quality if you can configure Daily's traffic to bypass it. You can usually do that by configuring split tunneling. You'll at least want to exempt port 443 for the Twilio IP ranges listed below, and possibly for the Xirsys IPs as well. If you can exempt UDP traffic altogether, that's even better.

Twilio's IP ranges: https://www.twilio.com/docs/stun-turn/regions

Xirsys's IP ranges: https://docs.xirsys.com/?pg=ip-whitelist

If you have a firewall, you should allow UDP hole punching, which is essentially the standard behavior for most firewalls. If you're explicitly allowing or denying UDP ports, you'll definitely need to open port 3478 for signaling and media tunneling. You'll also need to open UDP ports 40000-65534 for all hosts in order for peer-to-peer calls to work correctly.

When you're in a call with 4 or fewer people, Daily uses direct peer-to-peer connections for your audio and video for maximum quality. When the fifth person joins, the call automatically switches to routing everyone's audio and video through a centralized Daily server.

To test whether SFU mode resolves a user's connection issues, you can use the setNetworkTopology() method to switch a call to server-based mode.

await callFrame.setNetworkTopology({ topology: 'sfu' });

Please note that this method is only for testing. For more details, please refer to our docs: https://docs.daily.co/reference#setnetworktopology

Content Security Policy (CSP) Directives

If you need to control access to resources with a Content-Security-Policy (CSP) header, the easiest way is to allow all Daily subdomains. For example:

Content-Security-Policy: default-src 'self' *.daily.co;

If you can't use wildcard domains, you can use your Daily subdomain, along with a few specific extra domains that we use for loading resources: