WireGuard VPN on Deco BE63 (v1.6) – “Failed to save settings” + “Packet has unallowed src IP” fixes

18 hours ago
Tags: #VPN
Model: Deco BE63  
Hardware Version: V1
Firmware Version: 1.1.1

I already had an OpenVPN Server running correctly, but I hit a few snags standing up the WireGuard VPN Server on my BE63. This covers what I had to do to get it working.

 

Hardware / firmware

  • Model: Deco BE63

  • Hardware: v1.6

  • Firmware: 1.1.1 Build 20250616 Rel. 12316

 

Network context

  • Deco LAN: 192.168.68.0/22

  • WireGuard server running on the Deco

  • WireGuard client running on Windows (official WireGuard client)

 

1. Deco UI / validation quirk when creating the server

On this firmware, attempting to customize WireGuard settings before saving anything consistently produced:

“Failed to save your settings. Please try again later.”

 

What caused the error:

  • Changing the server’s tunnel IP range

  • Editing peer “Allowed IPs (Client)” before first save

  • Adjusting any defaults on the initial creation screen

 

What worked:

  1. Go to VPN Server → WireGuard.

  2. Create a new WireGuard server using all default values:

    • Tunnel IP: 10.5.5.1/32

    • Client Access: Home Network Only (this was for my use case - I want to access systems on the Deco LAN while away, not use its Internet)

    • No advanced tweaks

  3. Add a peer using the suggested defaults, only fill in the Description field.

  4. Save without modifying anything else.

  5. Then use Export Config to get the .conf file for the client.

 

This was the only sequence that allowed the Deco to save the WireGuard configuration without errors.

 

2. Traffic issue on the client (“unallowed src IP”)

After importing the exported config into WireGuard for Windows, the handshake succeeded but packets weren’t being accepted. The client log showed:

Packet has unallowed src IP (10.5.5.1) from peer 1 (...)

 

This happens because WireGuard treats the Peer → AllowedIPs list as both a routing table and a list of permitted source IPs.

 

The Deco-generated config only included:


 

AllowedIPs = 10.5.5.3/32,192.168.68.0/22

 

Because the server’s tunnel IP is 10.5.5.1, any packets coming from that address were rejected by the client.

 

3. The one-line fix that made everything work

Edit the client configuration (after exporting it from the Deco) and expand the AllowedIPs line to include the server’s tunnel address.

For example:


 

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.5.5.0/24,192.168.68.0/22
Endpoint = <your-ddns>.tplinkdns.com:51820
PersistentKeepalive = 25

 

You can also explicitly list it as:


 

AllowedIPs = 10.5.5.1/32,10.5.5.3/32,192.168.68.0/22

 

After restarting the tunnel, the client can:

  • Ping the server’s tunnel IP (10.5.5.1)

  • Reach devices on the 192.168.68.x LAN

  • Keep all other traffic local (since only the tunnel subnet + LAN are in AllowedIPs)

 

TL;DR for other Deco BE63 users

  • On BE63 v1.6 firmware 1.1.1, WireGuard server creation is very picky:
    You must create the server and peer using all defaults first, save, then export the config.

  • If your WireGuard client shows “Packet has unallowed src IP (10.5.5.1)”,
    add the server’s tunnel IP (10.5.5.1) into your AllowedIPs on the client.
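
Added example (not part of the original post, and not TP-Link or WireGuard code): a small Python check that applies the source-IP rule described in section 2 to the three AllowedIPs lines quoted above. The [Interface] section, the make_conf helper and the test address 10.5.5.7 are constructed for illustration.

```python
import ipaddress

def peer_allowed_ips(conf_text):
    """Return one list of ip_network objects per [Peer] section."""
    peers, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("["):                 # section header
            current = None
            if line.lower() == "[peer]":
                current = []
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip().lower() == "allowedips":
            current.extend(ipaddress.ip_network(item.strip(), strict=False)
                           for item in value.split(",") if item.strip())
    return peers

def accepts_source(conf_text, src_ip):
    """True if some peer's AllowedIPs covers src_ip (the check behind
    'Packet has unallowed src IP')."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net
               for nets in peer_allowed_ips(conf_text) for net in nets)

def make_conf(allowed):
    # Constructed client config; only the AllowedIPs line varies.
    return ("[Interface]\nPrivateKey = <redacted>\nAddress = 10.5.5.3/32\n\n"
            "[Peer]\nPublicKey = <redacted>\n"
            f"AllowedIPs = {allowed}\nPersistentKeepalive = 25\n")

EXPORTED = "10.5.5.3/32,192.168.68.0/22"             # as exported by the Deco
WIDE = "10.5.5.0/24,192.168.68.0/22"                 # fix: whole tunnel subnet
EXPLICIT = "10.5.5.1/32,10.5.5.3/32,192.168.68.0/22" # fix: server IP only

if __name__ == "__main__":
    for name, allowed in (("exported", EXPORTED), ("wide", WIDE),
                          ("explicit", EXPLICIT)):
        conf = make_conf(allowed)
        print(name, {ip: accepts_source(conf, ip)
                     for ip in ("10.5.5.1", "10.5.5.7", "192.168.68.10")})
```

Both fixes accept 10.5.5.1, but the /24 form also accepts any other 10.5.5.x address as a source from that peer, while the explicit /32 form admits only the server's tunnel IP.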
