OpenVPN Data Channel Offload (DCO)
Benefit from performance improvements with OpenVPN DCO on Access Server.
OpenVPN Data Channel Offload (DCO) provides performance improvements on Access Server. This topic explains what it is and how it works.
What is OpenVPN DCO?
OpenVPN DCO changes how Access Server handles the data flowing through the VPN tunnel. With DCO, data channel encryption and decryption are offloaded to kernel space, so the kernel handles the work instead of a user-space process. This avoids copying packets from kernel space to user space and back, and it allows the work to be multi-threaded.
OpenVPN DCO is a loadable kernel module that can optionally be installed and used with the Access Server.
Important
As of version 3.0.0, Access Server displays a warning message in the Admin Web UI Status page if DCO is enabled but not functioning correctly on your system. This may indicate the kernel module isn't properly installed. Check your Linux version and kernel compatibility, and refer to the installation instructions, linked below, to enable DCO.
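One way to check the module state described in the note above, as an added example that is not part of the Access Server documentation or tooling. It assumes the out-of-tree module name ovpn-dco-v2 (override it with DCO_MODULE) and looks only under the running kernel's module directory, so a module built for an older kernel reports as missing after a kernel upgrade.

```shell
#!/bin/sh
# Added example: classify the state of the DCO kernel module on a Linux host.
# Assumption: the module is named ovpn-dco-v2; set DCO_MODULE to override.
DCO_MODULE="${DCO_MODULE:-ovpn-dco-v2}"

# dco_state [MODULES_FILE] [MODULE_DIR]
# Prints loaded | installed-not-loaded | missing and returns 0 | 1 | 2.
# Defaults inspect the running kernel; arguments allow offline inspection.
dco_state() {
    modules_file="${1:-/proc/modules}"
    module_dir="${2:-/lib/modules/$(uname -r)}"

    # The kernel lists loaded modules with underscores, while the .ko file
    # on disk usually keeps the hyphens, so normalize before comparing.
    want=$(printf '%s' "$DCO_MODULE" | tr '-' '_')

    # Exact match on the first field, so a lookalike name does not count.
    if [ -r "$modules_file" ] &&
       awk -v want="$want" '$1 == want { found = 1 } END { exit !found }' \
           "$modules_file"
    then
        echo loaded
        return 0
    fi

    # Not loaded: is a module built for this kernel? The file may be
    # compressed (.ko.xz, .ko.zst), hence the trailing wildcard.
    if [ -d "$module_dir" ] &&
       find "$module_dir" -type f \
            \( -name "$DCO_MODULE.ko*" -o -name "$want.ko*" \) 2>/dev/null |
       grep -q .
    then
        echo installed-not-loaded
        return 1
    fi

    echo missing
    return 2
}

# Usage on a live system: source this file, then run dco_state
```

A result of installed-not-loaded points at a load failure rather than a missing package; missing right after a kernel upgrade usually means the module has not been rebuilt for the new kernel.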
Data handling without OpenVPN DCO
To understand the change, here's how the OpenVPN protocol handles data without DCO. Each packet crosses between kernel space and user space, a process called context-switching:
1. Data packets arrive in the kernel space.
2. OpenVPN copies the packets to the user space.
3. OpenVPN decrypts and encrypts packets in the user space.
4. OpenVPN copies those packets back to the kernel space.
5. The data packets then get sent to their destination.
Data handling with OpenVPN DCO
In contrast, when you install and enable the OpenVPN DCO module, it uses this more efficient process:
1. Data packets arrive in the kernel space.
2. OpenVPN DCO processes the packets in the kernel space.
3. The data packets then get sent to their destination.
In default Access Server installations without DCO, the OpenVPN daemons run in user space. To use multiple CPU cores, Access Server must manage multiple OpenVPN daemons with load-balanced connections.
OpenVPN Data Channel Offload (DCO) improves performance by moving data channel handling to the kernel space, where it can be handled more efficiently and with multi-threading.
Tip
While DCO on only one side can increase performance, both Access Server and the client software should use DCO to achieve optimal improvement.
How to enable OpenVPN DCO
Here's the tutorial you can follow: Turn on OpenVPN DCO.
Upgrade the OpenVPN DCO module
Here's the tutorial you can follow: Upgrade the OpenVPN DCO module.