Need help troubleshooting VPN setup for cameras

Goal: VPN to be used on 2 iphones and an iPad intermittently to be able to access home camera security system.

I was previously using OpenVPN for years without any issues. Then one day it just stopped working on both phones and iPad, out of the blue. Could not get it working again. The VPN would connect no problem but the cameras would not connect. Then I discovered WireGuard.

I configured it as below. The problem I’m having is reliability. E.g., this was working on Client 1 (iphone), but then stopped. The VPN connects, but when I connect to the camera system (Blue Iris) it can’t connect. It’s currently working no problem on Client 2 (iPad) - VPN connects, BlueIris pops right up with no issues. So I’m not really sure what’s going on, it seems to work for a while and then… not.

Really appreciate any tips. The setup is as follows:

I’m on a TP-Link Omada system, with an ER605v2 router, which is where I’m configuring WireGuard. I used https://www.wireguardconfig.com/ to set things up as well, as I’m not a networking expert by any means.

Router WireGuard settings:

(Home network is 192.168.1.0/24)

MTU 1420

Listen Port 51820

Local IP address: 192.168.0.1

Peers:

Allow address: 192.168.1.0/24 (for all Peers) & 192.168.0.2/24 (for Peer 1), 192.168.0.3/24 (for Peer 2) and 192.168.0.4/24 (for Peer 3)

Persistent keepalive 25

The endpoint and endpoint port fields are blank.

Here’s what the WireGuard config tool generated, and I used these QR codes to set up the tunnels on the clients (keys & WAN IP erased).

EDIT: Figured out the problem! It turns out only one Peer was functioning at a time, whichever one I access from a client first. So if I connected to Client 1 from iPhone, Client 1 VPN would function normally but the others wouldn’t. And I could connect Client 1 from any of the devices, but only using the Client 1 configuration.

So after figuring that out and doing some google searching and finding this post, it turns out the allowed addresses on the Peer side needs to be “192.168.0.2/32” (rather than 192.168.0.2/24, which is how I originally had it).

So I made that change and voila, now I can connect to any of the peers from any of my devices, and it seems to work reliably.

Now… I have no idea why that is, so if someone can explain it I’d love to learn!
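Why the /32 change matters, as an added illustration that is not part of the original thread: the AllowedIPs entries on the router side form WireGuard's cryptokey routing table, in which each prefix can belong to only one peer, and a later peer that claims the same prefix takes it over. 192.168.0.2/24, 192.168.0.3/24 and 192.168.0.4/24 are all the same network, 192.168.0.0/24, so only the last-configured peer owns it. The Python model below (peer names are assumed, and it models only the router-side table, not the client-side AllowedIPs) reproduces the one-peer-at-a-time symptom with /24 and the fix with /32.

```python
import ipaddress


class CryptokeyRoutingTable:
    """Model of WireGuard's server-side AllowedIPs table.

    Each prefix is owned by exactly one peer; adding the same prefix for a
    second peer moves it to that peer instead of failing.
    """

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add_peer(self, peer, allowed_ips):
        for cidr in allowed_ips:
            # strict=False turns 192.168.0.2/24 into 192.168.0.0/24,
            # which is how the router interprets a host address with a /24 mask
            net = ipaddress.ip_network(cidr, strict=False)
            self.routes[net] = peer  # silently steals the prefix from any earlier owner

    def owner(self, ip):
        """Longest-prefix match: which peer is allowed to send from / receive for ip."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def prefixes_for(self, peer):
        return sorted(str(n) for n, p in self.routes.items() if p == peer)


def build_table(prefixlen):
    """Router peer list from the post: peer1..peer3 (assumed names) with .2, .3, .4."""
    table = CryptokeyRoutingTable()
    for host, peer in enumerate(("peer1", "peer2", "peer3"), start=2):
        table.add_peer(peer, [f"192.168.0.{host}/{prefixlen}"])
    return table


def owners(prefixlen):
    """Which peer owns each client address for a given mask length."""
    table = build_table(prefixlen)
    return {ip: table.owner(ip) for ip in ("192.168.0.2", "192.168.0.3", "192.168.0.4")}


if __name__ == "__main__":
    print("original /24:", owners(24))  # every address -> peer3, the last one configured
    print("fixed    /32:", owners(32))  # each address -> its own peer
```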

Your masks have a big mismatch from your description.

Config looks good. Does internet access through the VPN work? If it does, the problem isn’t with wireguard. When you remotely VPN in are you on cellular or wi-fi? If wi-fi, the issue could be overlapping IP address range at home and the remote wi-fi location. You’d have to change your home network address range to fix this if this was the case (presuming the remote wi-fi side was not able to be changed by you).

Did some more troubleshooting… it seems that the Client 3 configuration works no problem. Clients 1 & 2 are malfunctioning. If I load clients 1 and 3 on the same device, I can toggle on Client 1 and not get a connection, and if I toggle on Client 3 it works perfectly. I have no idea why this is! I even tried changing the IP address of Client 1 to match 3’s, and it still doesn’t register - so my guess at this point is that there’s something wrong with the public key. I think I’m just going to blow it all up and start from scratch unless there’s other thoughts.

Could you explain what you mean by that? Trying to learn

I’m connecting to the VPN on cellular on my phone, no Wi-Fi. Internet does work on the phone when connected, but my understanding is that’s because it’s set up as a split tunnel, isn’t that right? I.e., I’m only accessing the 192.168.1.0/24 range; otherwise my phone is on the internet via its own WAN IP (to confirm this, the cellular AT&T WAN IP shows up when I check my IP when connected to the VPN).

Can you access any other devices on your home network over the VPN? How does the iPad connect? Is it cellular also?

Blue Iris is running on Windows? Have you disabled or modified the windows firewall to allow incoming connections from IP addresses outside of your home network?

Figured out the problem! I will edit the post with the solution.

Looked at your edit and I’m glad things are working for you but I use WG on an iPhone as well and my configs are all /24 for the interface addresses all the way around so I can’t see that really being an issue.

Man, I don’t know; I’m beyond confused, but that one change clearly made the difference for me. Wondering if someone can explain what the deal is.

Wish I could explain it but I can’t recreate the issue on my end. I have noticed routers with WG built-in have traditionally used /32 on the interface address, which is common on point-to-point (peer-to-peer) tunnels. With WG we typically can get away with setting up the interface like a typical LAN subnet, but WG being a Layer 3 VPN doesn’t have an actual network or broadcast address/domain, so the router and some clients may not like something like 192.168.0.1/24 that implies that the network address is 192.168.0.0 and the broadcast address is 192.168.0.255.

As I said, I couldn’t recreate the issue. All my devices, iPhone included, work just fine using the /24 with the configs generated from that site. My Asus router uses /32 in the WG configs it generates and I’ve never bothered to change the configs it creates. I’m surprised your router doesn’t generate configs for you.