Tutorial: Turn on OpenVPN DCO
Install and turn on OpenVPN DCO to increase Access Server's performance. This module offloads the data channel to the Linux kernel.
Overview
Enabling OpenVPN DCO for your VPN server and clients can improve performance. This document describes enabling it in Access Server and OpenVPN Connect for Windows.
Prerequisites
You must meet the following requirements to deploy and use OpenVPN DCO on Access Server.
Supported Access Server version:
2.12.0 and newer
Supported platforms:
Debian 11
Debian 12
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Ubuntu 20.04 LTS (x86_64 and ARM64 architectures)
Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)
Ubuntu 24.04 LTS (x86_64 and ARM64 architectures)
Compatible clients:
OpenVPN3-based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client
OpenVPN2-based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)
Tip
The client does not need to use DCO to connect to a server that uses DCO. With only one side doing DCO, there is already a performance benefit. However, it is best if both sides use it. The following clients can use DCO on the client side, although it will have to be enabled separately in the client.
Clients with DCO capability:
OpenVPN3 Connect for Windows (as of 3.4.0).
OpenVPN3 Linux client (check with the community documentation for the supported Linux operating systems).
OpenVPN 2.6.0 or newer (check with the community documentation for the supported Linux operating systems).
OpenVPN GUI community client for Windows (refer to community downloads).
Follow these steps to install DCO on your Access Server server based on your Linux OS. Ensure your server has an officially supported kernel. We don't test or support DCO on custom-compiled kernels and can't guarantee it works for your situation.
The steps below are for systems where your OS installs the latest kernel when available.
If your system requires staying on one specific kernel version, refer to the DCO troubleshooting page.
Tip
After installing the DCO module, you can see it's installed on your server from the Admin Web UI Status Overview page — check the row for kernel data channel offloading. The field displays the ovpn-dco version.
Debian and Ubuntu:
Connect to your server's console and obtain root privileges.
Update and upgrade the operating system (recommended):
apt update
apt upgrade
Reboot the OS:
reboot
Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)
Install the DCO module:
apt install openvpn-dco-dkms
Due to the many different environments for our customers' deployments, if you encounter issues installing DCO with these steps, refer to our troubleshooting tips. We provide information about possible dependencies you may need to address.
Red Hat Enterprise Linux:
Install the Extra Packages for Enterprise Linux (EPEL) repository.
Update and upgrade the OS (choose the command appropriate for your RHEL version):
yum upgrade
or
yum update
Reboot the OS.
Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)
Install the DCO module:
yum install kmod-ovpn-dco
After installing the DCO kernel module, you can enable DCO in Access Server's Admin Web UI.
Sign in to the Admin Web UI.
Click Configuration > Advanced VPN.
Click Prefer kernel Openvpn data channel offloading if available (ovpn-dco) to set data channel offloading to Yes.
Access Server now displays a message on the Status Overview page that the ovpn-dco module is active.
Set VPN tunnel MTU (recommended)
Access Server has a maximum transmission unit (MTU), previously a background setting. With DCO, we provided a way for you to adjust it as needed.
We recommend setting the VPN tunnel MTU to 1420 when you enable DCO:
Sign in to the Admin Web UI.
Click Configuration > Advanced VPN.
Enter 1420 in the VPN tunnel MTU field.
Note
For VPN tunnel MTU: the minimum allowable value is 576, and the maximum is 65536.
Instead of turning on OpenVPN DCO from the Admin Web UI, you can manage it from the command-line interface (CLI).
Connect to your console and get root privileges.
Run these commands:
sacli -k "vpn.server.daemon.ovpndco" -v "true" ConfigPut
sacli start
To confirm that DCO is active, from the Admin Web UI:
Click Status > Status Overview.
Under Kernel data channel offloading, the status displays as active and lists the ovpn-dco version.
From the CLI:
Connect to your server's console and obtain root privileges.
Run this command to verify ovpn-dco is in use:
ip -details link show
Note the interfaces that start with as0; you'll see these include ovpn-dco in the output.
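The CLI check above can be scripted so it doesn't rely on reading the output by eye. This is an added example, not part of the original tutorial: it parses `ip -details link show` output and reports, for each as0 interface, whether ovpn-dco appears and which MTU is set. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether Access Server tunnel interfaces (as0*) are
# backed by ovpn-dco, using the text output of `ip -details link show`.

# Reads `ip -details link show` output on stdin and prints one line per
# as0* interface: "<ifname> <dco|no-dco> mtu=<n>".
classify_as0() {
    awk '
        # Print the as0* interface collected so far, if any.
        function emit() {
            if (name != "") print name, (dco ? "dco" : "no-dco"), "mtu=" mtu
        }
        # Interface header, e.g. "5: as0t0: <FLAGS> mtu 1420 qdisc ..."
        /^[0-9]+: / {
            emit()
            name = ""; dco = 0; mtu = "?"
            ifname = $2
            sub(/:$/, "", ifname)      # drop trailing colon
            sub(/@.*/, "", ifname)     # drop "@parent" suffix if present
            if (ifname ~ /^as0/) {
                name = ifname
                for (i = 3; i < NF; i++) if ($i == "mtu") mtu = $(i + 1)
            }
            next
        }
        # Detail lines: the link kind shows up as a word of its own.
        name != "" { for (i = 1; i <= NF; i++) if ($i == "ovpn-dco") dco = 1 }
        END { emit() }
    '
}

# Succeeds only if at least one as0* interface exists and all use ovpn-dco.
all_as0_dco() {
    classify_as0 | awk '$2 != "dco" { bad = 1 } END { exit (NR == 0 || bad) }'
}

# Constructed sample output (not captured from a real server).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
5: as0t0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc fq_codel state UNKNOWN
    link/none promiscuity 0
    ovpn-dco addrgenmode random numtxqueues 1 numrxqueues 1
6: as0t1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    link/none promiscuity 0
    tun type tun pi off vnet_hdr off persist off addrgenmode random'

# With --live, read this host's interfaces; otherwise use the sample.
if [ "${1:-}" = "--live" ]; then ip -details link show; else printf '%s\n' "$SAMPLE"; fi | classify_as0
```

Run it with `--live` on the Access Server host. An as0 interface reported as `no-dco` is not using ovpn-dco, and an MTU other than 1420 differs from the value recommended above.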
If you've enabled secure boot on the system running your Access Server, it will fail to boot correctly if you install the DCO loadable kernel module without adding its signature to the secure boot system.
Ensure you do one of two things:
Either add the module's signature to verify it and boot securely.
Or disable secure boot.
This situation will improve in the future as DCO is under review for inclusion in the Linux kernel itself. Once it is part of the Linux kernel, a separate loadable kernel module won't be required.