
Tutorial: Turn on OpenVPN DCO

Abstract

Install and turn on OpenVPN DCO to increase Access Server's performance. This module offloads the data channel to the Linux kernel.

Overview

Enabling OpenVPN DCO for your VPN server and clients can improve performance. This document describes enabling it in Access Server and OpenVPN Connect for Windows.

Prerequisites

You must meet the following requirements to deploy and use OpenVPN DCO on Access Server.

Supported Access Server version:

  • 2.12.0 and newer

Supported platforms:

  • Debian 11

  • Debian 12

  • Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 9

  • Ubuntu 20.04 LTS (x86_64 and ARM64 architectures)

  • Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)

Compatible clients:

  • OpenVPN2-based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)

  • OpenVPN3-based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client

Tip

The client does not need to use DCO to connect to a server that uses DCO. With only one side doing DCO, there is already a performance benefit. However, it is best if both sides use it. The following clients can use DCO on the client side, although it will have to be enabled separately in the client.

Clients with DCO capability:

Follow these steps to install DCO on the server running Access Server, based on your Linux OS. Ensure your server has an officially supported kernel. We don't test or support DCO on custom-compiled kernels and can't guarantee it works for your situation.

The steps below are for systems where your OS installs the latest kernel when available.

If your system requires staying on one specific kernel version, refer to the DCO troubleshooting page.

Tip

After installing the DCO module, you can see it's installed on your server from the Admin Web UI Status Overview page — check the row for kernel data channel offloading. The field displays the ovpn-dco version.

  1. Connect to your server's console and obtain root privileges.

  2. Update and upgrade the operating system (recommended):

    apt update
    apt upgrade

  3. Reboot the OS:

    reboot

  4. Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)

  5. Install the DCO module:

    apt install openvpn-dco-dkms

Due to the many different environments for our customers' deployments, if you encounter issues installing DCO with these steps, refer to our troubleshooting tips. We provide information about possible dependencies you may need to address.

  1. Install the Extra Packages for Enterprise Linux (EPEL) repository.

  2. Update and upgrade the OS (choose the command appropriate for your RHEL version):

    yum upgrade

    or

    yum update

  3. Reboot the OS.

  4. Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)

  5. Install the DCO module:

    yum install kmod-ovpn-dco

After installing the DCO kernel module, you can enable DCO in Access Server's Admin Web UI.

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Advanced VPN.

  3. Click Prefer kernel Openvpn data channel offloading if available (ovpn-dco) to set data channel offloading to Yes.

  4. Access Server now displays a message on the Status Overview page that the ovpn-dco module is active.

Instead of turning on OpenVPN DCO from the Admin Web UI, you can manage it from the command-line interface (CLI).

  1. Connect to your console with root privileges.

  2. Run these commands:

    sacli -k "vpn.server.daemon.ovpndco" -v "true" ConfigPut
    sacli start

From the Admin Web UI:

  1. Click Status > Status Overview.

  2. Under Kernel data channel offloading, the status displays as active and lists the ovpn-dco version.

From the CLI:

  1. Connect to your server's console and obtain root privileges.

  2. Run this command to verify ovpn-dco is in use:

    ip -details link show

     • Note the interfaces that start with as0; you'll see these include ovpn-dco in the output.
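One way to script the CLI check above, as an added example that is not part of the original tutorial or of Access Server: it reads `ip -details link show` output and reports, per as0 interface, whether ovpn-dco appears in its details. The function names `dco_report` and `dco_all_offloaded` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify Access Server interfaces (names starting with as0)
# from `ip -details link show` output read on stdin.
# On a server: ip -details link show | dco_report

# Print "<interface> dco" or "<interface> no-dco" for each as0* interface.
dco_report() {
    awk '
        # Header line of an interface block, e.g. "5: as0t0: <FLAGS> mtu ..."
        /^[0-9]+: / {
            if (name != "") print name, (dco ? "dco" : "no-dco")
            name = ""; dco = 0
            n = $2; sub(/:$/, "", n); sub(/@.*/, "", n)
            if (n ~ /^as0/) name = n
            next
        }
        # Detail lines: ovpn-dco shows up as its own word on offloaded links
        name != "" && /(^|[ \t])ovpn-dco([ \t]|$)/ { dco = 1 }
        END { if (name != "") print name, (dco ? "dco" : "no-dco") }
    '
}

# Return 0 if every as0* interface uses ovpn-dco, 1 if any does not,
# 2 if no as0* interface was found in the input.
dco_all_offloaded() {
    report=$(dco_report)
    [ -n "$report" ] || return 2
    ! printf '%s\n' "$report" | grep -q ' no-dco$'
}

# Constructed sample output (not captured from a real server).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
5: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 200
    link/none promiscuity 0
    ovpn-dco addrgenmode random numtxqueues 1 numrxqueues 1
6: as0t1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 200
    link/none promiscuity 0
    tun type tun pi off vnet_hdr off persist off addrgenmode random'

printf '%s\n' "$SAMPLE" | dco_report
```

The non-zero exit status from `dco_all_offloaded` makes the check usable in a monitoring job, so a VPN daemon that falls back from DCO after a kernel update is noticed.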

If secure boot is enabled on the system running your Access Server, the system will fail to boot correctly if you install the DCO loadable kernel module without adding its signature to the secure boot system.

Ensure you do one of two things:

  1. Add the module's signature so the module can be verified and the system boots securely.

  2. Disable secure boot.

This situation will improve in the future as DCO is under review for inclusion in the Linux kernel itself. Once it is part of the Linux kernel, a separate loadable kernel module won't be required.