OpenVPN Data Channel Offload (DCO)

OpenVPN DCO changes how Access Server handles the data flowing through the VPN tunnel. With DCO, the data channel encryption and decryption are offloaded to kernel space, letting the kernel do the work instead of dealing with it in user space. This saves on copy operations from kernel to user space and back and uses multi-threading.

OpenVPN DCO is a loadable kernel module that can optionally be installed and used with the Access Server.

To understand the change, here's how the OpenVPN protocol handles data without implementing DCO. This process is called context-switching:

In contrast, when you install and enable the OpenVPN DCO module, it uses this more efficient process:

The OpenVPN daemons run in user space for default Access Server installations without DCO. To use multiple CPU cores, Access Server must manage multiple OpenVPN daemons with load-balanced connections.

The solution to improving performance is moving the data channel handling to the kernel space, where it can be handled more efficiently and with multi-threading:  OpenVPN Data Channel Offload (DCO).

Here's the tutorial you can follow: Turn on OpenVPN DCO.

Here's the tutorial you can follow: Upgrade the OpenVPN DCO module.