Skip to main content

Setting Up NordVPN Onion Over VPN with Threat Protection on TP-Link Omada

Dedicated Secure Network (NordVPN Onion over VPN)

Description: This guide details how to configure a dedicated "Secure Network" VLAN on a TP-Link Omada router (ER8411/OC300) that routes all traffic through NordVPN's Onion network. [cite: 3] It includes specific steps forto enablingenable malware blocking (Threat Protection) and preventingto prevent location leaks via IPv6 and WebRTC/QUIC. [cite: 4]

Last Updated: January 2026 [cite: 5]

Prerequisites: NordVPN Account, Omada SDN Controller, Omada Router. [cite: 6]Router

Phase 1: Obtain Configuration & Credentials [cite: 7]

Do not use your regular NordVPN email and password. [cite: 8]

  1. Log in to the NordVPN Dashboard and navigate to NordVPN > Manual setup. [cite: 9]setup.
  2. Get Credentials: [cite: 10]
    • Click the Service credentials tab. [cite: 11]
    • Copy the Username and Password (these are long alphanumeric strings). [cite: 12]
  3. Download Onion Config: [cite: 13]
    • Go to the Server recommendation tab. [cite: 14]
    • Change the Country to Switzerland or The Netherlands. [cite: 15]
    • In the Server type dropdown, select Onion Over VPN. [cite: 16]VPN.
    • Click Get setup configuration and download the UDP .ovpn file. [cite: 17]
  4. Extract Server IP: [cite: 18]
    • Open the downloaded .ovpn file with a text editor (Notepad). [cite: 19]
    • Locate the line starting with remote. [cite: 20]remote.
    • Copy the IP Address found on that line (e.g., 37.120.137.172). [cite: 21]

Phase 2: Configure Omada VPN Client [cite: 22]

This sets up the tunnel interface. [cite: 23]

  1. In Omada Controller, go to Settings > VPN > VPN > OpenVPN Client. [cite: 24]Client.
  2. Click Create and configure: [cite: 25]
    • VPN Type: VPN Client - OpenVPN [cite: 26]
    • Username/Password: Paste the Service Credentials obtained in Phase 1. [cite: 27]
    • Configuration: Upload the .ovpn file you downloaded. [cite: 28]
  3. CRITICAL FIX (IP Mismatch): [cite: 29]
    • Check the Remote Server field. If it does not match the IP address inside your text file, delete it. [cite: 30]
    • Manually enter the correct IP address you found in the text file (e.g., 37.120.137.172). [cite: 31]
    • Ensure the port is set to 1194. [cite: 32]1194.
  4. Local Networks: Select your specific VLAN (e.g., "SecureLAN"). [cite: 33]
  5. Click Create/Apply. [cite: 34]Apply.
  6. Check VPN > Client status to confirm it says "Connected". [cite: 35]

Phase 3: Enable Malware Protection (DNS) [cite: 36]

This replaces standard DNS with NordVPN's Threat Protection filtering. [cite: 37]

  1. Go to Settings > Wired Networks > LAN. [cite: 38]LAN.
  2. Edit your Secure Network VLAN. [cite: 39]VLAN.
  3. Scroll to DNS Server and select Manual. [cite: 40]Manual.
  4. Enter
the following IPs: [cite: 41] 
Primary DNS: 103.86.96.96 [cite: 43]
Secondary DNS: 103.86.99.99

[cite: 44]


    

  1. Click Save. [cite: 46]Save.
    2. 



Phase 4: "Leak Plug" Configuration [cite: 47]


These steps prevent Google and other services from bypassing the VPN. [cite: 48]


Step A: Disable IPv6 [cite: 49]


    

  1. In the same VLAN Edit menu (Settings > Wired Networks > LAN), scroll to Configure IPv6. [cite: 50]IPv6.
    2. 

  2. Uncheck the Status box (or set interface type to "None") to disable IPv6 entirely for this VLAN. [cite: 51]
    3. 

  3. Click Save. [cite: 52]Save.
    4. 



Step B: Block QUIC (UDP 443) [cite: 53]


Omada cannot use "0.0.0.0/0" for groups, so we use the "Split Subnet" method. [cite: 54]


    

  1. Create Port Group:
[cite: 55]

      

    • Go to Settings > Profiles > Groups. [cite: 56]Groups.
      • 

    • Create a new IP-Port Group named QUIC_Ports. [cite: 57]QUIC_Ports.
      • 

    • Port: 443 [cite: 58]
      • 

    • Subnets: Add these two entries to cover all IPs:
      • 

    [cite:
59]
    2. 



Entry 1: 1.0.0.0/1 [cite: 61]
Entry 2: 128.0.0.0/1

[cite: 62]




    

  1. Create ACL Rule:
[cite: 64]

      

    • Go to Settings > Network Security > ACL > Gateway ACL. [cite: 65]ACL.
      • 

    • Create a new rule:
[cite: 66]

        

      • Description: Block_QUIC_Google [cite: 67]
        • 

      • Direction: LAN > WAN [cite: 68]
        • 

      • Policy: Deny [cite: 69]
        • 

      • Protocol: UDP [cite: 70]
        • 

      • Source: Your Secure VLAN (Network). [cite: 71]
        • 

      • Destination: IP-Port Group > QUIC_Ports. [cite: 72]
        • 

      

      • 

    • Click Create. [cite: 73]Create.
      • 

    

    2. 



Phase 5: Verification [cite: 74]


Perform these tests to confirm security. [cite: 75]


    

  • BrowserLeaks Test: Visit https://browserleaks.com/ip. [cite: 76]ip.

      

    • Success: IP Location shows Europe (Netherlands/Switzerland). [cite: 77]
      • 

    • Success: WebRTC Leak shows European IP or "Disabled". [cite: 78]
      • 

    • Success: IPv6 Test says "Not Reachable". [cite: 79]
      • 

    

    • 

  • Latency Check: [cite: 80]

      

    • Run a speed test (e.g., fast.com). [cite: 81]
      • 

    • Success: Latency should be high (>100ms), confirming traffic is routing through the Tor network. [cite: 82]
      • 

    

    • 





Troubleshooting Notes [cite: 83]


    

  • Connection Failed: If the VPN refuses to connect, re-open the .ovpn file in a text editor and verify the "Remote Server" IP in Omada matches the file exactly. [cite: 84]
    • 

  • Google Speed Test 5ms: If you see low ping on Google, the QUIC block is not active. [cite: 85] Verify the ACL rule is set to UDP (not TCP) and the destination group covers all IPs. [cite: 86]
    • 


    
        

    


            

        

    


    


    
    

        

             Back to top