
Tutorial: Verify and Troubleshoot OpenVPN DCO in Access Server

Abstract

Install and turn on OpenVPN DCO to enhance Access Server's performance. This module offloads the data channel to the Linux kernel.

Overview

OpenVPN Data Channel Offload (DCO) improves VPN performance by moving data-channel packet processing from the user space into the Linux kernel. This reduces CPU overhead and can provide:

  • Higher throughput.

  • Lower latency.

  • Improved scalability under load.

  • Better performance for high-bandwidth deployments.

In Access Server 3.x, OpenVPN DCO is installed and enabled by default when using the current installation or upgrade script. This tutorial explains how to verify that DCO is running and what to do if it's not.

Prerequisites

To deploy and use OpenVPN DCO on Access Server, you must meet the following requirements.

Supported Access Server version:

  • Access Server 3.x (DCO installs automatically using the current install/upgrade script)

Supported platforms:

  • Debian 12

  • Debian 13

  • Red Hat Enterprise Linux 8

  • Red Hat Enterprise Linux 9

  • Red Hat Enterprise Linux 10

  • Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)

  • Ubuntu 24.04 LTS (x86_64 and ARM64 architectures)

Compatible clients:

  • OpenVPN3-based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client

  • OpenVPN2-based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)

Tip

The client does not need to use DCO to connect to a server that uses DCO. With only one side doing DCO, there is already a performance benefit. However, it is best if both sides use it. The following clients can utilize DCO on the client side, although it must be enabled separately within the client.

Clients with DCO capability:

Step 1: Verify OpenVPN DCO is in use

From the Admin Web UI:

  1. Sign in to the Admin Web UI.

  2. Click Status.

  3. On the Overview tab, locate Server Details.

  4. Confirm that DCO is shown as enabled.

    • If DCO is enabled, no further action is required.

  5. Click VPN Server.

    • The Network Settings tab is displayed.

  6. Click the Data Channel Offload tab.

    • The DCO status displays with additional details.

From the CLI:

You can also confirm DCO availability and usage from the command line.

  1. Connect to your server's console and obtain root privileges.

  2. Check whether the DCO module is available and recognized by Access Server:

    sacli support | grep 'ovpn-dco availability'

    • Example output:

      ovpn-dco availability: True,  ovpn-dco version 0.2.20251017-2+noble

      True indicates that the DCO module is available.

      The version number confirms which DCO build is installed.

  3. Verify that DCO is actively in use by the OpenVPN daemon:

    ip -details link show

  4. Look for interfaces that start with as0.

    • If DCO is active, you'll see ovpn-dco referenced in the output.
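The interface check in steps 3 and 4 can be scripted so that every as0 interface is judged on its own block of output. This is an added example, not part of the original tutorial or of Access Server; the function names are hypothetical and the sample text is constructed and simplified, not captured from a real server.

```shell
#!/bin/sh
# Added example. dco_iface_report reads `ip -details link show` output on
# stdin and prints "<name> dco" or "<name> no-dco" for each as0* interface.
dco_iface_report() {
    awk '
        function flush() {
            if (name ~ /^as0/) print name, (dco ? "dco" : "no-dco")
        }
        # A new interface block starts with "<index>: <name>:" at column 0.
        /^[0-9]+: / {
            flush()
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            dco = 0
            next
        }
        # Detail lines belong to the interface named in the last header.
        /ovpn-dco/ { dco = 1 }
        END { flush() }
    '
}

# dco_all_active succeeds only if at least one as0* interface exists and
# every one of them references ovpn-dco.
dco_all_active() {
    report=$(dco_iface_report)
    [ -n "$report" ] && ! printf '%s\n' "$report" | grep -q 'no-dco$'
}

# Constructed, simplified sample: one interface on DCO, one still on tun.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: as0t0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN
    link/none
    ovpn-dco
4: as0t1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1420 state UNKNOWN
    link/none
    tun type tun pi off vnet_hdr off persist off'

printf '%s\n' "$SAMPLE" | dco_iface_report

# On a live server:
#   ip -details link show | dco_iface_report
```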

Step 2: Check VPN tunnel MTU (optional)

When using DCO, we recommend setting the VPN tunnel MTU to 1420 bytes:

  1. In the Admin Web UI, click VPN Server.

    • The Network Settings tab is displayed.

  2. Click the Advanced tab.

  3. Set the MTU (Maximum Transmission Unit) value to 1420.

  4. Click Save and Restart.

Note

The minimum allowable MTU is 576. The maximum is 65536.

Troubleshooting

If DCO isn't enabled or isn't in use, check the common issues below. For more troubleshooting tips, refer to Troubleshooting Tips for OpenVPN DCO.

DCO installation after upgrading Access Server requires a full system reboot.

  1. Run:

    reboot

  2. After the system comes back online, verify DCO again from the Admin Web UI Status page.

Ensure your system is running a supported kernel.

  1. Run:

    uname -a

  2. Verify that:

If Secure Boot is enabled, the DCO kernel module may fail to load unless properly signed.

  1. Run:

    mokutil --sb-state

    • Output when Secure Boot is enabled:

      root@openvpnas:~# mokutil --sb-state
      SecureBoot enabled

  2. If Secure Boot is enabled, you must either:

    1. Sign the DCO module for Secure Boot validation, or

    2. Disable Secure Boot.

Tip

The situation will improve in the future as DCO is under review for inclusion in the Linux kernel itself. Once it's part of the kernel, a separate loadable kernel module won't be required.

OpenVPN DCO uses DKMS (dynamic kernel module support) to build and install the kernel module.

  1. Run:

    dkms status

  2. The output shows whether the ovpn-dco module is added, built, or installed for your current kernel.

    • Example output:

      ovpn-dco/0.2.20251017-2+noble, 6.8.0-101-generic, x86_64: installed

  3. If the module isn't listed as installed for your running kernel, DCO won't function.
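The DKMS and Secure Boot checks above can be combined into one finding for the running kernel, which catches the case where the module is installed only for an older kernel. This is an added example, not part of the original tutorial; the function names are hypothetical, and it assumes the `dkms status` line format shown in the example output above.

```shell
#!/bin/sh
# Added example. dkms_dco_state KERNEL reads `dkms status` text on stdin and
# prints the DKMS state of ovpn-dco for KERNEL, or "missing" if no line
# mentions that kernel.
dkms_dco_state() {
    awk -v k="$1" -F'[,:] *' '
        $1 ~ /^ovpn-dco\// && $2 == k { state = $4; sub(/ .*/, "", state) }
        END { print (state == "" ? "missing" : state) }
    '
}

# dco_module_hint KERNEL SB_STATE combines the DKMS state (stdin) with the
# first line of `mokutil --sb-state` into a single finding.
dco_module_hint() {
    state=$(dkms_dco_state "$1")
    if [ "$state" != "installed" ]; then
        echo "FAIL: ovpn-dco is '$state' for kernel $1; DCO won't function"
    elif [ "$2" = "SecureBoot enabled" ]; then
        echo "CHECK: installed for $1, but Secure Boot is on; module must be signed"
    else
        echo "OK: ovpn-dco installed for kernel $1"
    fi
}

# The dkms line is the example output above. The second kernel version and
# the "SecureBoot disabled" string are sample values not taken from the page.
DKMS_SAMPLE='ovpn-dco/0.2.20251017-2+noble, 6.8.0-101-generic, x86_64: installed'

printf '%s\n' "$DKMS_SAMPLE" | dco_module_hint 6.8.0-101-generic "SecureBoot enabled"
printf '%s\n' "$DKMS_SAMPLE" | dco_module_hint 6.8.0-999-generic "SecureBoot disabled"

# On a live server:
#   dkms status | dco_module_hint "$(uname -r)" "$(mokutil --sb-state | head -n 1)"
```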

Access Server uses DCO-compatible data ciphers by default. However, if legacy ciphers are configured, DCO will fail.

OpenVPN DCO doesn't support legacy CBC-type ciphers. It only supports modern AEAD ciphers such as:

  • AES-256-GCM

  • AES-128-GCM

  • CHACHA20-POLY1305

If a legacy cipher is configured, you may see the following warning:

"[Warning] OpenVPN data-channel offloading was requested but failed to activate: OpenVPN data-channel offloading was requested but failed to activate. This typically happens if there is a configuration option that is incompatible with DCO or if the DCO kernel module could not be loaded. (dco_not_active)"

  1. Check both data cipher and legacy cipher settings:

    sacli ConfigQuery | grep -E "vpn.server.data_ciphers|vpn.server.cipher"

  2. If the output includes CBC-type ciphers (such as AES-256-CBC or Blowfish), DCO won't be enabled.

  3. To use DCO, ensure both server and clients are configured to use AEAD ciphers only. Refer to the following tutorial for instructions on updating encryption settings in Access Server:

Important details

  • Access Server uses AES-256-CBC by default, with automatic negotiation to AES-256-GCM when supported.

  • OpenVPN 2.4 and newer clients default to AES-256-CBC with automatic upgrade to AES-256-GCM.

  • OpenVPN3-based clients support AEAD ciphers and are compatible with DCO.

  • OpenVPN 2.3 and older clients require CBC-type ciphers and are incompatible with DCO.

If you must support OpenVPN 2.3 or older clients, you may need to retain CBC-type cipher support, which prevents DCO from being used.
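The cipher check from the troubleshooting steps above can be automated by splitting each configured value and listing every entry that is not an AEAD cipher. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample lines are constructed. It assumes `sacli ConfigQuery` prints `"key": "value"` lines with cipher lists separated by colons, and it treats any name ending in -GCM, plus CHACHA20-POLY1305, as AEAD (a generalization of the three ciphers listed above).

```shell
#!/bin/sh
# Added example. non_aead_ciphers reads `sacli ConfigQuery` lines on stdin
# and prints "<key>: <cipher>" for each configured cipher that is not AEAD.
non_aead_ciphers() {
    awk -F'"' '
        # With a double quote as separator, $2 is the key and $4 the value.
        $2 == "vpn.server.data_ciphers" || $2 == "vpn.server.cipher" {
            n = split($4, c, ":")
            for (i = 1; i <= n; i++) {
                name = toupper(c[i])
                if (name == "" || name ~ /-GCM$/ || name == "CHACHA20-POLY1305")
                    continue
                print $2 ": " name
            }
        }
    '
}

# dco_ciphers_ok succeeds only when no non-AEAD cipher is configured.
dco_ciphers_ok() {
    [ -z "$(non_aead_ciphers)" ]
}

# Constructed sample: a legacy cipher key plus a data cipher list that still
# carries a CBC fallback for old clients.
CONFIG_SAMPLE='  "vpn.server.cipher": "AES-256-CBC",
  "vpn.server.data_ciphers": "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC",'

printf '%s\n' "$CONFIG_SAMPLE" | non_aead_ciphers

# On a live server:
#   sacli ConfigQuery | non_aead_ciphers
```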