Tutorial: Turn on OpenVPN DCO in Access Server
Install and turn on OpenVPN DCO to enhance Access Server's performance. This module offloads the data channel to the Linux kernel.
Overview
Enabling OpenVPN DCO for your VPN server and clients can improve performance. This document describes how to enable it in Access Server and OpenVPN Connect for Windows.
Prerequisites
To deploy and use OpenVPN DCO on Access Server, you must meet the following requirements.
Supported Access Server version:
2.12.0 and newer
Supported platforms:
Debian 11
Debian 12
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Ubuntu 20.04 LTS (x86_64 and ARM64 architectures)
Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)
Ubuntu 24.04 LTS (x86_64 and ARM64 architectures)
Compatible clients:
OpenVPN3-based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client
OpenVPN2-based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)
Tip
The client does not need to use DCO to connect to a server that uses DCO. With only one side doing DCO, there is already a performance benefit. However, it is best if both sides use it. The following clients can utilize DCO on the client side, although it must be enabled separately within the client.
Clients with DCO capability:
OpenVPN3 Connect for Windows (as of 3.4.0).
OpenVPN3 Linux client (check with the community documentation for the supported Linux operating systems).
OpenVPN 2.6.0 or newer (check with the community documentation for the supported Linux operating systems).
OpenVPN GUI community client for Windows (refer to community downloads).
Follow these steps to install DCO on your Access Server server based on your Linux OS. Ensure your server has an officially supported kernel. We don't test or support DCO on custom-compiled kernels and can't guarantee it will work in your situation.
The steps below are for systems where your OS installs the latest kernel when available.
If your system requires staying on a specific kernel version, refer to the DCO troubleshooting page.
Tip
After installing the DCO module, you can verify its status on your server from the Admin Web UI Status page under Server Details.
Connect to your server's console and obtain root privileges.
Update and upgrade the operating system (recommended):
apt update apt upgrade
Reboot the OS:
reboot
Install the DCO module:
apt install openvpn-dco-dkms
Due to the various envrionments in which our customers deploy DCO, if you encounter installation issues with these steps, refer to our troubleshooting tips. We provide information about possible dependencies you may need to address.
Install the Extra Packages for Enterprise Linux (EPEL) repository.
Update and upgrade the OS (choose the command appropriate for your RHEL version):
yum upgrade
or
yum update
Reboot the OS.
Install the DCO module:
yum install kmod-ovpn-dco
After installing the DCO kernel module, you can enable DCO in Access Server's Admin Web UI.
Sign in to the Admin Web UI.
Click VPN Server.
The Network Settings tab displays.
Click the Data Channel Offload tab.
Click to turn DCO On.
Click Save and Restart.
Set VPN tunnel MTU (recommended)
Access Server has a maximum transmission unit (MTU), previously a background setting. With DCO, we provided a way for you to adjust it as needed.
We recommend setting the VPN tunnel MTU to 1420 when you enable DCO:
From the VPN Server page, click the Advanced tab.
Set the VPN tunnel MTU (maximum transmission unit) to 1420.
Click Save and Restart.
Note
For VPN tunnel MTU: the minimum allowable value is 576, and the maximum is 65536.
Instead of turning on OpenVPN DCO from the Admin Web UI, you can manage it from the command-line interface (CLI).
Connect to your console and get root privileges.
Run these commands:
sacli -k "vpn.server.daemon.ovpndco" -v "true" ConfigPut sacli start
From the Admin Web UI:
Click Status.
On the Overview tab, under Server Details, the DCO status is displayed.
From the CLI:
Connect to your server's console and obtain root privileges.
Run this command to verify ovpn-dco is in use:
ip -details link show
Note the interfaces that start with as0; you'll see these include ovpn-dco in the output.
Suppose you've enabled secure boot on the system running your Access Server. In that case, it will fail to boot correctly if you install the DCO loadable kernel module without adding its signature to the secure boot system.
Ensure you do one of two things:
Either add the module's signature to verify it and boot securely.
Or disable secure boot.
This situation will improve in the future as DCO is under review for inclusion in the Linux kernel itself. Once it is part of the Linux kernel, a separate loadable kernel module won't be required.