@tantonj 

you cannot use port forward to route through the VPN, you must use policy route, which you can find here.

settings, transmition, routing and policy routing

  @shberge Thanks for the suggestion. I've tried this already, but wasn't sure if I was doing it correctly. Below is a screenshot of my policy. The ip group "ip camera" has the subnet 192.168.0.101/32 (the local ip of the ip camera). However when i try to navigate to my router's vpn ip it does not bring up the ip camera. Any idea what I could be doing wrong here? Thanks,

  @tantonj 

but I'm not quite sure if I understand your setup. if you have a working VPN tunnel, it is not necessary to do anything more if you only want to have access to a camera on a remote site.
remember that when you use the vpn client on the router it is the site client and camera have to be on the site that have vpn server.
if the vpn does not work, you should see in the documentation how vpn is set up, on page 140 the vpn description starts.

https://static.tp-link.com/upload/manual/2023/202305/20230516/1910013343_Omada%20SDN%20Controller_User%20Guide_REV5.9.0.pdf

when vpn work you should could ping camera on remote site, there is no need for port forward or policy route.

  @shberge 

You have it backwards.

The ip camera is on my local network (client of my vpn router). The VPN router has an active client session with a vpn server elsewhere in the world. I can ping any machine on the vpn network. However, I'm trying to get the machines on the vpn network to be able to view MY ip camera. With the vpn router connected to the vpn only the router has a vpn ip. The clients of my ER router do not have their own vpn ips, so machines on the vpn network cannot directly talk to these devices.

Theoretically I could just make my own vpn server and have the machines I need to reach my ip camera become clients of that vpn. However, my isp does not let me do this as I'm on a rural wireless internet service and dmz/port forwarding does not work. So my hope was to redirect traffic going towards my vpn router's vpn ip to one of it's clients (my ip camera).

I'm guessing the routing policy does not work in this direction. And port forwarding doesn't have the vpn connection as an option on the interface. 

  @tantonj 

ok, understand a bit more now :-) i.e. you cannot route traffic from a VPN Server to a client. so you can just forget about it..
there are occasional exceptions, it is the tp-link omada router which is the vpn server and if it is a server you have control over then you can set up working mode as routing, this also requires that you have a user on the server who is also configured as routing client.

this way you can create a site-to-site with pptp or l2tp vpn, then the traffic will flow both ways

  @shberge 

I do have full control of the vpn server. However it is not tp-link omada or even a router. The VPN server is a windows 2019 server. It currently hosts both a pptp and an l2tp vpn. Do you think this is possible with windows vpn? (I'll need to research site-to-site with windows). I'll also note my router can connect to the server through pptp but not through l2tp (despite using windows vpn client able to connect to both).

But I'm really not trying to route traffic from a VPN Server TO a client. The vpn router has an ip address on the vpn, so why can't the router just forward that to one of it's clients?

  @tantonj 

client to server is a one-way communication that is triggered by the client, that's just the way it is. I don't know if you can use windows server in the same way as two tp-link routers. it must then have routing mode to work as you think.

Have you tried port forwarding in the usual way then? if it's just a camera, you can use NAT from WAN to LAN. it is not so secure, but you can approve only remote IP in the NAT rule.

If you have a dynamic IP, you can use a ddns service such as no-ip

  @shberge 

Indeed I have tried all of that (even signing up for paid no-ip account). However, I am on a wireless home internet service. The modem/router's dmz/port forwarding doesn't work. Basically the reason is that my public ip isn't actually my public ip it's like trying to port forward on your lte connection. Not going to work. I even hacked my attena a bit and found another gateway behind my modem/router. Only to see that it's just yet again another gateway before hitting the tower. Basically I can't port forward until the red team hooks up the fiber line (currently my wireless provider is the blue team). Oh the joys of the highly regulated duopoly that is Canadian telecom.

Looks like I'm out of luck for now. (Red team has the fiber box on the side of my house, the fiber line down the road, and a cable coiled up at the front of my driveway waiting for someone to come by and hook it up to the node)

  @tantonj 

yes then it will be difficult until you get an internet line with a wan ip on your router. but you can check if you have the option of routing on pptp on the windows server, I don't think so but I don't know. if you have two Omada-compatible routers, it is quite easy to get routing with pptp or l2tp