Tutorial: Install, Verify, and Troubleshoot OpenVPN DCO in Access Server
Install and turn on OpenVPN DCO to enhance Access Server's performance. This module offloads the data channel to the Linux kernel.
Overview
OpenVPN Data Channel Offload (DCO) improves VPN performance by moving data-channel processing from the user space into the Linux kernel. This reduces CPU overhead and can provide:
Higher throughput.
Lower latency.
Better performance under load.
In Access Server 3.x, OpenVPN DCO is enabled by default.
If you install or upgrade Access Server using the installation script (
install.sh), the DCO module is installed and enabled automatically.If you install or upgrade Access Server using your system package manager (
apt,yum, etc.), the DCO module may not be installed and may need to be installed manually.
If DCO isn't installed or active, you may see errors such as:
DCO not in use
Not installed
OpenVPN data-channel offloading was requested but failed to activate
False, Kernel module not loaded
This tutorial shows how to:
Verify that DCO is in use.
Install or enable it if needed.
Optimize your configuration for best performance.
Tip
If you used the installation script, you likely don't need to install anything; you can skip to the step where you verify that DCO is active.
Prerequisites
To deploy and use OpenVPN DCO on Access Server, you need to meet the following requirements.
Supported Access Server version:
Access Server 3.x (DCO installs automatically using the current install/upgrade script)
Supported platforms:
Debian 12
Debian 13
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 10
Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)
Ubuntu 24.04 LTS (x86_64 and ARM64 architectures)
Compatible clients:
OpenVPN3-based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client
OpenVPN2-based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)
Tip
The client doesn't need to use DCO to connect to a server that uses DCO. With only one side doing DCO, there is already a performance benefit. However, it is best if both sides use it. The following clients can utilize DCO on the client side, although it must be enabled separately within the client.
Clients with DCO capability:
OpenVPN3 Connect for Windows (as of 3.4.0).
OpenVPN3 Linux client (check with the community documentation for the supported Linux operating systems).
OpenVPN 2.6.0 or newer (check with the community documentation for the supported Linux operating systems).
OpenVPN GUI community client for Windows (refer to community downloads).
DCO installation depends on how you installed or upgraded Access Server.
If you used the installation script (recommended)
If you installed or upgraded Access Server using the installation script, you don't need to install DCO manually.
DCO is installed and configured automatically. Skip to ???.
If you used your system package manager
If you installed or upgraded Access Server using your system package manager (apt, yum, etc.), you need to install the DCO module manually.
Continue with the steps below.
Important notes for Access Server 3.2.0
Access Server 3.2.0 includes OpenVPN 2.7.2, which uses the updated DCO kernel module based on upstream Linux kernel 6.16+.
If your system runs Linux kernel 6.16 or newer and includes DCO support, it can use DCO without installing an additional module.
For older kernels, you need to install the DCO module manually to enable DCO and access the latest features.
Important
Ensure your system uses an officially supported kernel. DCO isn't tested or supported on custom-compiled kernels, and behavior may vary.
Install DCO on Ubuntu or Debian
Connect to the console and get root privileges.
Update the system (recommended):
apt update apt upgrade
Reboot: the OS
reboot
Install the DCO module:
For Access Server 3.2.0 or newer:
apt install ovpn-dkms
For Access Server 3.1.0 or earlier:
apt install openvpn-dco-dkms
Note
If you run into issues, refer to our troubleshooting tips for dependency requirements.
Install DCO on Red Hat Enterprise Linux
Install the EPEL repository.
Update the system (using the command appropriate for your RHEL version):
yum update
or
yum upgrade
Reboot the OS.
Install the DCO module:
For Access Server 3.2.0 or newer:
yum install kmod-ovpn
For Access Server 3.1.0 or earlier:
yum install kmod-ovpn-dco
After installation, confirm that DCO is active.
From the Admin Web UI
Sign in to the Admin Web UI.
Click Status.
On the Overview tab, locate Server Details.
Confirm that DCO is shown as enabled. Result:
✅ Pass: DCO is shown as enabled → no further action needed.
❌ Fail: DCO is not enabled → return to Step 1 or review troubleshooting.
Click VPN Server.
The Network Settings tab is displayed.
Click the Data Channel Offload tab.
The DCO status displays with additional details.
From the CLI
You can also confirm DCO availability and usage from the command line.
Connect to the console and get root privileges.
Check DCO availability:
sacli support | grep 'ovpn-dco availability'
Example output for Access Server 3.2.0 or newer:
ovpn-dco availability: True, ovpn version: ovpn-net-next/main-7.x
Example output for Access Server 3.1.0 or earlier:
ovpn-dco availability: True, ovpn-dco version 0.2.x
Verify that DCO is actively in use by the OpenVPN daemon:
ip -details link show
Look for:
3.2.0 or newer:
ovpn3.1.0 or earlier:
ovpn-dco
Tip
If DCO is available but not active, it may not be enabled or loaded correctly.
Check DKMS module status:
dkms status
Example output for 3.2.0 or newer:
ovpn/7.x.x, <kernel>, x86_64: installed
Example output for 3.1.0 or earlier:
ovpn-dco/0.2.x, <kernel>, x86_64: installed
Check module details:
For 3.2.0 or newer, run:
modinfo ovpn
For 3.1.0 or earlier, run:
modinfo ovpn-dco-v2
Result:
Review the outputs from the commands above and use them to determine whether DCO is active:
✅ Pass:
ovpn-dco availability: TrueThe correct module appears (
ovpnfor 3.2.0+, orovpn-dcofor earlier versions).The DKMS module shows as installed.
❌ Fail:
Availability is
FalseThe DCO module is missing or not loaded.
No DCO interface appears in the output.
When using DCO, adjusting the MTU can improve performance and reduce fragmentation. We recommend setting the VPN tunnel MTU to 1420 bytes:
Sign in to the Admin Web UI.
Click VPN Server.
The Network Settings tab is displayed.
Click the Advanced tab.
Set the MTU (Maximum Transmission Unit) value to 1420.
Note
The minimum allowable MTU is 576. The maximum is 65536.
Click Save and Restart.
Result:
VPN traffic uses a more efficient MTU for DCO.
This helps avoid fragmentation issues in some environments.
Troubleshooting
If DCO isn't enabled or not in use, check the common issues below. For more troubleshooting tips, refer to Troubleshooting Tips for OpenVPN DCO.
DCO installation after upgrading Access Server requires a full system reboot.
Run:
reboot
After the system comes back online, verify DCO again from the Admin Web UI Status page.
Ensure your system is running a supported kernel.
Run:
uname -a
Verify that:
You are running a supported Linux distribution.
You're not using a custom-compiled kernel (not supported for DCO).
If Secure Boot is enabled, the DCO kernel module may fail to load unless properly signed.
Run:
mokutil --sb-state
Output when Secure Boot is enabled:
root@openvpnas:~# mokutil --sb-state SecureBoot enabled
If Secure Boot is enabled, you must either:
Sign the DCO module for Secure Boot validation, or
Important
Refer to your selected operating system or platform documentation for specific instructions on this process.
Disable Secure Boot.
OpenVPN DCO uses DKMS (Dynamic Kernel Module Support) to build and install the kernel module.
Run:
dkms status
Review the output for the DCO module installed for your current kernel.
Example output for Access Server 3.2.0 or newer:
ovpn/7.x.x, <kernel-version>, x86_64: installed
Example output for Access Server 3.1.0 or earlier:
ovpn-dco/0.2.x, <kernel-version>, x86_64: installed
Result:
✅ Pass: The module (
ovpnorovpn-dco) is listed as installed for your running kernel.❌ Fail: The module is missing or not listed as installed for your current kernel.
If the module isn't installed for your running kernel, DCO won't function. Return to the installation steps to install or rebuild the module.
Access Server uses DCO-compatible data ciphers by default. However, if legacy ciphers are configured, DCO will fail.
OpenVPN DCO doesn't support legacy CBC-type ciphers. It only supports modern AEAD ciphers such as:
AES-256-GCMAES-128-GCMCHACHA20-POLY1305
If a legacy cipher is configured, you may see the following warning:
"[Warning] OpenVPN data-channel offloading was requested but failed to activate: OpenVPN data-channel offloading was requested but failed to activate. This typically happens if there is a configuration option that is incompatible with DCO or if the DCO kernel module could not be loaded. (dco_not_active)"
Check both data cipher and legacy cipher settings:
sacli ConfigQuery | egrep "vpn.server.data_ciphers|vpn.server.cipher"
If the output includes CBC-type ciphers (such as
AES-256-CBCor Blowfish), DCO won't be enabled.To use DCO, ensure both server and clients are configured to use AEAD ciphers only. Refer to the following tutorial for instructions on updating encryption settings in Access Server:
Ensure you select DCO-supported AEAD ciphers mentioned here.
Important details
Access Server uses
AES-256-CBCby default, with automatic negotiation toAES-256-GCMwhen supported.OpenVPN 2.4 and newer clients default to
AES-256-CBCwith automatic upgrade toAES-256-GCM.OpenVPN3-based client ssupport AEAD ciphers and are compatible with DCO.
OpenVPN 2.3 and older clients require CBC-type ciphers and are incompatible with DCO.
If you must support OpenVPN 2.3 or older clients, you may need to retain CBC-type cipher support, which prevents DCO from being used.