Deco X55 VPN External Access Problems

a week ago - last edited a week ago
Tags: #VPN
Model: Deco X55  
Hardware Version:
Firmware Version: 1.7.1 Build 25080612 Rel. 70421

Hi, I know this subject is well-trodden but I've reached a block and hopefully someone can help.

I've run VPNs from home servers for many years and am very familiar with double NAT issues, ports and the usual pitfalls; however, getting a Deco L2TP server accessible remotely using an iOS/macOS/iPadOS device has got me.

My topology is: ISP --> Deco X55 using PPTP (IPv4 and IPv6) --> Mesh (note, there is no ISP router)

I have used DynDNS for many years and (while too expensive!) it has never been an issue for me.

I created the L2TP VPN server on the Deco using PSK and configured the iOS/macOS/iPadOS devices to connect using my DynDNS host name. The results are:

1. Connect internally using the external hostname, connected OK - so all credentials and config work.

2. Connect on iOS using 5G - fails.

3. Connect macOS and iPadOS using tethering via iPhone - fails.

I can see the Deco logs, which suggest the negotiations all work (the request reaches the server, leases etc. created), but the connection seems to end on the server side with this log message.

Tue Oct 28 10:10:28 2025 user.info root: IPsec-user: verb : up-host
Tue Oct 28 10:10:28 2025 user.info root: IPsec-user: /sbin/hotplug-call ipsec client is not running, exit

There is clearly more in the logs - but it needs a lot of redacting!!

I have tested external port forwarding from the X55 to an internal NAS using the host name - that's fine, so once again proving that the ISP/DynDNS routing is fine.

One oddity I do have in my network is that I use an X50-5G Deco as a hybrid mesh failover; this is always connected to a 5G network, but given that my port forward test was OK and DynDNS reports my main ISP address for the host, I don't believe this is the issue.

Finally, I have discovered one problem (TP-LINK) with the Deco connecting to DynDNS: if I specify the wildcard option in the DynDNS host I want to use, the Deco fails to connect to it; if I take the wildcard option off, it connects.

Any help gladly accepted. 

Re:Deco X55 VPN External Access Problems
Wednesday

  @RobFG 

Hi, thank you very much for the feedback.

There are some details I hope you can help check further.

Does PPTP here refer to your current IPv4 internet connection type? (If yes, may I know your ISP?)

"Finally, I have discovered one problem (TP-LINK) with the Deco connecting to DynDNS: if I specify the wildcard option in the DynDNS host I want to use, the Deco fails to connect to it; if I take the wildcard option off, it connects."

Do you mean that, with "Wildcard" disabled here, the iPhone/iPad/Mac are now able to connect to the L2TP VPN server configured on the Deco X55 via the host name?

1. Connect internally using the external hostname, connected OK - so all credentials and config work.

2. Connect on iOS using 5G - success.

3. Connect macOS and iPadOS using tethering via iPhone - success.

Waiting for your reply.

Best regards.

Re:Deco X55 VPN External Access Problems
Wednesday

  @David-TP

Thanks for the reply - apologies that I mentioned lots of things in my post, just trying to demonstrate I've tried to resolve this before posting.

For the wildcards in DynDNS, if I created a host (bob dot server dot net) and included the wildcard option, then tried to connect to this host using the DDNS facility in the app, it would fail consistently. So I tried creating a new domain (bob1 dot server dot net) with the wildcard option disabled; the Deco connected first time and has remained connected since.

For the ISP - I am using full fibre (not LTE) from EE/BT in the UK. Using the DynDNS host name that is connected, I can see traffic hitting the router (port forward works and VPN starts), so I'm confident I'm not using a CG-NAT address. I have configured an IPv4 and IPv6 connection in the Deco for PPPoE - the DynDNS service is using the IPv4 address; my address begins 86.184.

Hope that helps

Regards, Rob
