Setting Up NordVPN Onion Over VPN with Threat Protection on TP-Link Omada

Description: This guide details how to configure a dedicated "Secure Network" VLAN on a TP-Link Omada router (ER8411/OC300) that routes all traffic through NordVPN's Onion network. It includes specific steps for enabling malware blocking (Threat Protection) and preventing location leaks via IPv6 and WebRTC/QUIC.

Last Updated: January 2026

Prerequisites: NordVPN Account, Omada SDN Controller, Omada Router.


Phase 1: Obtain Configuration & Credentials

Do not use your regular NordVPN email and password.

  1. Log in to the NordVPN Dashboard and navigate to NordVPN > Manual setup.
  2. Get Credentials:
    • Click the Service credentials tab.
    • Copy the Username and Password (these are long alphanumeric strings).
  3. Download Onion Config:
    • Go to the Server recommendation tab.
    • Change the Country to Switzerland or The Netherlands.
    • In the Server type dropdown, select Onion Over VPN.
    • Click Get setup configuration and download the UDP .ovpn file.
  4. Extract Server IP:
    • Open the downloaded .ovpn file with a text editor (Notepad).
    • Locate the line starting with remote.
    • Copy the IP Address found on that line (e.g., 37.120.137.172).

Phase 2: Configure Omada VPN Client

This sets up the tunnel interface.

  1. In Omada Controller, go to Settings > VPN > VPN > OpenVPN Client.
  2. Click Create and configure:
    • VPN Type: VPN Client - OpenVPN
    • Username/Password: Paste the Service Credentials obtained in Phase 1.
    • Configuration: Upload the .ovpn file you downloaded.
  3. CRITICAL FIX (IP Mismatch):
    • Check the Remote Server field. If it does not match the IP address inside your text file, delete it.
    • Manually enter the correct IP address you found in the text file (e.g., 37.120.137.172).
    • Ensure the port is set to 1194.
  4. Local Networks: Select your specific VLAN (e.g., "SecureLAN").
  5. Click Create/Apply.
  6. Check VPN > Client status to confirm it says "Connected".
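
The IP-mismatch check from Phase 1 step 4 and Phase 2 step 3 can be done with a short script instead of by eye. This is an added example, not part of the original guide; the function names and the sample profile text are constructed for illustration, and only the `remote`, `port` and `proto` directives are parsed.

```python
import ipaddress

# Constructed sample in the shape of a provider .ovpn profile (not a real download).
SAMPLE_OVPN = """client
dev tun
proto udp
; legacy comment style
remote 37.120.137.172 1194
resolv-retry infinite
"""

def parse_remotes(ovpn_text):
    """Return [(host, port, proto)] for each `remote host [port] [proto]` line."""
    port, proto, raw = 1194, "udp", []   # OpenVPN defaults when not stated
    for line in ovpn_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0][0] in "#;":
            continue                      # blank line or comment
        if tokens[0] == "port" and len(tokens) > 1:
            port = int(tokens[1])
        elif tokens[0] == "proto" and len(tokens) > 1:
            proto = tokens[1]
        elif tokens[0] == "remote" and len(tokens) > 1:
            raw.append(tokens[1:])
    return [(r[0], int(r[1]) if len(r) > 1 else port,
             r[2] if len(r) > 2 else proto) for r in raw]

def check_remote_server(ovpn_text, field_ip, field_port=1194):
    """List mismatches between the profile and the Remote Server field."""
    ipaddress.ip_address(field_ip)        # ValueError on a mistyped address
    remotes = parse_remotes(ovpn_text)
    problems = []
    if not remotes:
        problems.append("profile has no remote directive")
    elif (field_ip, field_port) not in [(h, p) for h, p, _ in remotes]:
        problems.append(f"{field_ip}:{field_port} not in profile remotes {remotes}")
    if any(not pr.startswith("udp") for _, _, pr in remotes):
        problems.append("profile is not the UDP one")
    return problems

if __name__ == "__main__":
    print(parse_remotes(SAMPLE_OVPN))
    print(check_remote_server(SAMPLE_OVPN, "37.120.137.172"))   # matches
    print(check_remote_server(SAMPLE_OVPN, "37.120.137.100"))   # constructed mismatch
```
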

Phase 3: Enable Malware Protection (DNS)

This replaces standard DNS with NordVPN's Threat Protection filtering.

  1. Go to Settings > Wired Networks > LAN.
  2. Edit your Secure Network VLAN.
  3. Scroll to DNS Server and select Manual.
  4. Enter the following IPs:
    Primary DNS: 103.86.96.96
    Secondary DNS: 103.86.99.99
  5. Click Save.

Phase 4: "Leak Plug" Configuration

These steps prevent Google and other services from bypassing the VPN.

Step A: Disable IPv6

  1. In the same VLAN Edit menu (Settings > Wired Networks > LAN), scroll to Configure IPv6.
  2. Uncheck the Status box (or set interface type to "None") to disable IPv6 entirely for this VLAN.
  3. Click Save.

Step B: Block QUIC (UDP 443)

Omada cannot use "0.0.0.0/0" for groups, so we use the "Split Subnet" method.

  1. Create Port Group:
    • Go to Settings > Profiles > Groups.
    • Create a new IP-Port Group named QUIC_Ports.
    • Port: 443
    • Subnets: Add these two entries to cover all IPs:
      Entry 1: 1.0.0.0/1
      Entry 2: 128.0.0.0/1
  2. Create ACL Rule:
    • Go to Settings > Network Security > ACL > Gateway ACL.
    • Create a new rule:
      • Description: Block_QUIC_Google
      • Direction: LAN > WAN
      • Policy: Deny
      • Protocol: UDP
      • Source: Your Secure VLAN (Network).
      • Destination: IP-Port Group > QUIC_Ports.
    • Click Create.
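
To confirm that the two "Split Subnet" entries really add up to every IPv4 address, and to see what a wrong protocol setting does to the rule, the group and rule can be modelled offline. This is an added example, not part of the original guide and not Omada's matching engine; it assumes the group entries are applied as prefix matches, and the rule dictionary and destination addresses are constructed.

```python
import ipaddress

def group_networks(entries):
    # strict=False applies the mask as a prefix match does, so the guide's
    # "1.0.0.0/1" is read as 0.0.0.0-127.255.255.255 (assumption).
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def covers_all_ipv4(entries):
    """True when the entries merge into the single network 0.0.0.0/0."""
    merged = list(ipaddress.collapse_addresses(group_networks(entries)))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]

def rule_denies(rule, proto, dst_ip, dst_port):
    """Simplified model of one Deny rule: protocol, port and subnet must all match."""
    dst = ipaddress.ip_address(dst_ip)
    return (proto.upper() == rule["protocol"].upper()
            and dst_port in rule["ports"]
            and any(dst in net for net in group_networks(rule["subnets"])))

def audit(rule):
    """Return the misconfigurations named in the troubleshooting notes."""
    findings = []
    if rule["protocol"].upper() != "UDP":
        findings.append("protocol is not UDP, so QUIC is not matched")
    if 443 not in rule["ports"]:
        findings.append("port 443 missing from group")
    if not covers_all_ipv4(rule["subnets"]):
        findings.append("destination group does not cover all IPv4")
    return findings

# Rule as configured in this guide, plus two constructed broken variants.
PAGE_RULE = {"protocol": "UDP", "ports": {443},
             "subnets": ["1.0.0.0/1", "128.0.0.0/1"]}
TCP_RULE = dict(PAGE_RULE, protocol="TCP")
HALF_RULE = dict(PAGE_RULE, subnets=["128.0.0.0/1"])

if __name__ == "__main__":
    for name, rule in [("page", PAGE_RULE), ("tcp", TCP_RULE), ("half", HALF_RULE)]:
        print(name, audit(rule))
    # Constructed destinations, one in each half of the address space.
    for flow in [("udp", "45.0.0.1", 443), ("udp", "203.0.113.10", 443),
                 ("tcp", "203.0.113.10", 443), ("udp", "45.0.0.1", 53)]:
        print(flow, "denied" if rule_denies(PAGE_RULE, *flow) else "passes")
```
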

Phase 5: Verification

Perform these tests to confirm security.

  • BrowserLeaks Test: Visit https://browserleaks.com/ip.
    • Success: IP Location shows Europe (Netherlands/Switzerland).
    • Success: WebRTC Leak shows European IP or "Disabled".
    • Success: IPv6 Test says "Not Reachable".
  • Latency Check:
    • Run a speed test (e.g., fast.com).
    • Success: Latency should be high (>100ms), confirming traffic is routing through the Tor network.

Troubleshooting Notes

  • Connection Failed: If the VPN refuses to connect, re-open the .ovpn file in a text editor and verify the "Remote Server" IP in Omada matches the file exactly.
  • Google Speed Test 5ms: If you see low ping on Google, the QUIC block is not active. Verify the ACL rule is set to UDP (not TCP) and the destination group covers all IPs.