I would like to set up a home network using a TP-Link Archer BE550. This router hosts the WireGuard server, and from my client device, such as an iPhone, I try to access the Hubitat. The problem I am facing is a handshake issue with the WireGuard server: my client is unable to connect to the WireGuard server. I am asking for your support on how you configured the WireGuard server and the iPhone client. I am posting the client logs. Previously I used BT internet (PPPoE), and I didn't see any problem accessing my Hubitat from a remote mobile network. But recently I have changed to YouFibre, and they are utilizing DHCP.
In the WireGuard client, I am pointing the endpoint to the DDNS name.
I have given allowed IPs as full tunnel (0.0.0.0/0) and as split tunnel; the client is not connecting.
Please share your configuration and approach. How have you solved this issue?
NET] UDP bind has been updated
2026-01-11 22:13:13.683556: [NET] Routine: receive incoming v6 - started
2026-01-11 22:13:13.683595: [NET] Routine: receive incoming v4 - started
2026-01-11 22:13:18.526772: [APP] Status update notification timeout for tunnel 'mm'. Tunnel status is now 'connected'.
2026-01-11 22:13:18.709821: [NET] peer(9tWH…dMyw) - Handshake did not complete after 5 seconds, retrying (try 2)
2026-01-11 22:13:18.709949: [NET] peer(9tWH…dMyw) - Sending handshake initiation
2026-01-11 22:13:23.901233: [NET] peer(9tWH…dMyw) - Handshake did not complete after 5 seconds, retrying (try 3)
2026-01-11 22:13:23.901460: [NET] peer(9tWH…dMyw) - Sending handshake initiation
2026-01-11 22:13:28.912367: [NET] peer(9tWH…dMyw) - Handshake did not complete after 5 seconds, retrying (try 2)
2026-01-11 22:13:28.912581: [NET] peer(9tWH…dMyw) - Sending handshake initiation
Thanks. But port 51820 on the server side came automatically; even when I changed to new ports, no luck, same issue. As you said, I gave both client and server the same port; still I am getting the handshake issue.
It is not routable over the global Internet. And yet the router logs show that the request to connect arrived, but only the handshake failed to complete.
Before looking at VPN issues, we should eliminate some basic network issues.
You say that you used to have a PPPoE connection, but you weren't clear if you were running a VPN on that previous connection, or if you are now setting up a VPN for the first time.
Have you confirmed that you have a public IP on the new router? Or is it making use of CGNAT?
How is your DDNS service configured? I assume that once you get this working, you will change the iPhone config to use the DDNS IP.
Is your Archer BE550 directly connected to your ISP or behind a Gateway/firewall? If behind a gateway/firewall, you may need to allow incoming traffic to your Archer via the port you configured for Wireguard.
The TP-Link instructions to configure a WireGuard server on their routers are pretty straightforward.
Search your ISP site for how to configure your gateway/firewall for Wireguard access.
Hello, I have to test the connection with the client; I disabled the firewall in TP-Link. My router is directly connected with YouFibre. As you said, I am using all the straightforward parameters, whatever the router client configuration is. The only change I am making is replacing the endpoint with the DDNS name and the port for the VPN server.
Hello, I am replacing that endpoint with the DDNS name. I am using TP-Link's proprietary DDNS service, internally configured with the domain address. After placing that address and saving the client configuration, it is translated as shown in the screenshot.
I have used it with the BT network and was able to access the WireGuard VPN and reach my local network successfully. Two days back I moved to YouFibre; from that moment I couldn't access anything.
Hello, are you saying that if there isn't a public static IP, enabling DDNS will not make any sense (buying the router with DDNS / VPN server), and we still somehow have to pay money for a static IP? Is my understanding correct?
Earlier I used BT; they didn't provide any static or public IP, but it worked well. The only difference is that BT is PPPoE and YouFibre is DHCP.
Go to http://whatsmyip.org and see if the address shown matches the address you are setting the iPhone client to. The address returned will almost certainly be different, since as I said that address is a CGNAT address.
Technically a public IP doesn't have to be a static IP. In the context of your ISP it probably is though.
Yes, without a public IP most things will have a very hard time getting back to your local network. It basically ensures you are double NAT'd and are not routable. You would need a service on your local network to poke a hole to the outside world first. Look at a teleport VPN.
This service is free for personal use. The only requirement is that you need to have a device on your network running 7/24, hosting the Tailscale client software. That could be a PC or laptop or a virtual machine running on a NAS.
Edit. BTW a different router will not resolve a CGNAT issue.
If nothing else, you can confirm whether your WAN IP address is routable with WireGuard by testing with your current WAN IP address, rather than a dynamic dns hostname.
So you are connecting your personal router to your ISP's fibre modem/router?
That in itself can be causing your apparent double NAT situation. However the IP that you listed is normally associated with CGNAT and not the private LAN IP of most routers. That address is usually in the 192.168.x.y range.
I am not familiar with the equipment that YouFibre makes use of. Since your link to the Ubiquiti router was to a UK website, I suspect you are located outside of North America. Can you provide more information regarding your ISP and the model of modem that they supply?
Knowing that information we can learn if your ISP does provide public addresses, and if they do, you may be able to resolve the problem by putting the ISP modem into bridge mode.
It looks like the public IP you are behind is 88.97.222.51. Then your personal router is behind a 100.87.x.x address.
Generally speaking, home routers use one of the three networks below:
192.168.x.x
172.16.x.x to 172.31.x.x
10.x.x.x
For it to be a 100.87.x.x address, it looks like, as the poster mentioned above, it is used by CGNAT, which is a service ISPs use to NAT customer connections. Just as a test, if you plug a computer or device directly into your internet connection, what IP does it get?
If it can get an address that is outside of those ranges then it can be routed and be accessible from the outside. If not, then WireGuard isn't an option.
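
Added example, not written by any poster in this thread: the comparison the replies describe (the router's WAN address, the address a what's-my-IP site reports, and the address the DDNS name resolves to), as a Python check. The function names and finding codes are hypothetical, and 100.87.0.1 is a constructed stand-in for the 100.87.x.x address mentioned above.

```python
import ipaddress

# Private ranges listed in the thread (RFC 1918) and the CGNAT shared space (RFC 6598).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip: str) -> str:
    """Return 'cgnat', 'rfc1918', 'public' or 'reserved' for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public" if addr.is_global else "reserved"


def diagnose(router_wan: str, observed_public: str, ddns_record: str) -> list:
    """Compare the three addresses and list why inbound WireGuard would fail."""
    wan = ipaddress.ip_address(router_wan)
    seen = ipaddress.ip_address(observed_public)
    ddns = ipaddress.ip_address(ddns_record)
    findings = []
    kind = classify(router_wan)
    if kind == "cgnat":
        findings.append("WAN_CGNAT")          # ISP NATs the line; no inbound path
    elif kind == "rfc1918":
        findings.append("WAN_PRIVATE")        # router sits behind another NAT device
    elif wan != seen:
        findings.append("WAN_MISMATCH")       # an upstream device rewrites the source
    if classify(ddns_record) != "public":
        findings.append("DDNS_NOT_ROUTABLE")  # hostname publishes an unreachable address
    elif ddns != seen:
        findings.append("DDNS_MISMATCH")      # record differs from what the Internet sees
    return findings


if __name__ == "__main__":
    # 88.97.222.51 is quoted in the thread; 100.87.0.1 is a constructed sample.
    print(diagnose("100.87.0.1", "88.97.222.51", "100.87.0.1"))
```

An empty list means the WAN address, the externally observed address and the DDNS record all agree on one routable address, so the handshake failure lies elsewhere (port, keys, firewall).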