OpenVPN Data Channel Offload (DCO)
Benefit from performance improvements with OpenVPN DCO on Access Server.
OpenVPN Data Channel Offload (DCO) provides performance improvements on Access Server. This topic explains what it is and how it works.
What is OpenVPN DCO?
DCO changes how Access Server handles the traffic through the VPN tunnel. Instead of processing data in user space, encryption and packet handling occur in kernel space
This reduces memory copies and context switching, resulting in better performance and scalability.
DCO behavior across Access Server versions
Access Server 2.x and earlier
DCO is optional and needs to be installed and enabled manually.
Access Server 3.1.0 and earlier
DCO is enabled by default.
The DCO module may still require manual installation depending on how Access Server is installed.
Access Server 3.2.0 and newer
Uses updated DCO module (
ovpn) aligned with upstream Linux kernel 6.16+.Older versions use
ovpn-dcomodules.
Data handling without OpenVPN DCO
Without DCO, OpenVPN processes data in the user space:
Packets arrive in the kernel space.
OpenVPN copies the packets to the user space.
Encryption and decryption occur in the user space.
Packets are copied back to the kernel space.
Packets are sent to their destination.
Data handling with OpenVPN DCO
With DCO enabled:
Packets arrive in the kernel space.
DCO processes packets directly in the kernel.
Packets are sent to their destination.
Performance considerations
Without DCO, Access Server relies on multiple OpenVPN processes to scale across CPU cores.
With DCO:
Processing occurs in the kernel space.
Multi-threading is handled more efficiently.
CPU overhead is reduced.
Tip
For best performance, both the Access Server and VPN clients should use DCO.
How to enable OpenVPN DCO
Here's the tutorial you can follow: Turn on OpenVPN DCO.
Upgrade the OpenVPN DCO module
Here's the tutorial you can follow: Upgrade the OpenVPN DCO module.