How to enable OpenVPN DCO on Access Server

Introduction

Access Server 2.12 and newer supports OpenVPN Data Channel Offload (DCO). You can benefit from performance improvements when you enable DCO for your VPN server and clients.

This document describes what DCO is, how it works, and how you can enable it.

What is OpenVPN DCO?

OpenVPN DCO changes how Access Server handles the data flowing through the VPN tunnel. With DCO, the data channel encryption and decryption are offloaded to kernel space, letting the kernel do the work instead of dealing with it in user space. This saves on copy operations from kernel to user space and back and uses multi-threading.

OpenVPN DCO is a loadable kernel module that can optionally be installed and used with the Access Server.

To understand the change, here's how the OpenVPN protocol handles data without implementing DCO. This process is called context-switching:

1. Data packets arrive in the kernel space.
2. OpenVPN copies the packets to the user space.
3. OpenVPN decrypts and encrypts packets in the user space.
4. OpenVPN copies those packets back to the kernel space.
5. The data packets then get sent to their destination.

In contrast, DCO has a more efficient process:

1. Data packets arrive in the kernel space.
2. OpenVPN DCO processes the packets in the kernel space.
3. The data packets then get sent to their destination.

The OpenVPN daemons run in user space for default Access Server installations without DCO. To use multiple CPU cores, Access Server must manage multiple OpenVPN daemons with load-balanced connections.

The solution to improving performance is moving the data channel handling to the kernel space, where it can be handled more efficiently and with multi-threading:  OpenVPN Data Channel Offload (DCO).

Note: While DCO on only one side can increase performance, both Access Server and the client software should use DCO to achieve optimal improvement. 

How to enable DCO on Access Server

You can see whether DCO is enabled on Access Server from the Status Overview on the Admin Web UI. The Kernel data channel offloading shows inactive or active and whether the kernel module is loaded on the server.

Use compatible servers and clients

The following requirements must be met to deploy and use DCO on OpenVPN Access Server.

Supported Access Server version:

• 2.12.0 and newer

Supported platforms:

• Debian 11
• Debian 12
• Red Hat Enterprise Linux 8
• Red Hat Enterprise Linux 9
• Ubuntu 20.04 LTS (x86_64 and ARM64 architectures)
• Ubuntu 22.04 LTS (x86_64 and ARM64 architectures)

Compatible clients:

• OpenVPN2 based clients that use OpenVPN 2.4 or newer (OpenVPN 2.3 and older are not supported)
• OpenVPN3 based clients such as OpenVPN Connect v3 and OpenVPN3 Linux client

DCO support on client side

The client does not need to use DCO to connect to a server that uses DCO. With only one side doing DCO there is already a performance benefit. However, it is best if both sides use it. The following clients are capable of using DCO on the client side, although it will have to be enabled separately in the client.

Clients with DCO capability:

• OpenVPN3 Connect for Windows (as of 3.4.0).
• OpenVPN3 Linux client (check with the community documentation for the supported Linux operating systems).
• OpenVPN 2.6.0 or newer (check with the community documentation for the supported Linux operating systems).
• OpenVPN GUI community client for Windows (refer to community downloads).

Install DCO from the console

Follow these steps to install DCO on your Access Server server based on your Linux OS. Ensure your server has an officially supported kernel. We don't test or support DCO on custom-compiled kernels and can't guarantee it works for your situation.

The steps below are for systems where your OS installs the latest kernel when available.

If you have a system that requires staying on one specific kernel version, refer to the information about your use case in the troubleshooting section.

Tip: After installing the DCO module, you can see it's installed on your server from the Admin Web UI Status Overview page — check the row for kernel data channel offloading. The field displays the ovpn-dco version.

Ubuntu/Debian

1. Connect to your server's console and obtain root privileges.
2. Update and upgrade the operating system (recommended):
   

   apt update
   apt upgrade

3. Reboot the OS:
   

   reboot

4. Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)
5. Install the DCO module:
   

   apt install openvpn-dco-dkms

Due to the many different environments for our customers' deployments, if you encounter issues installing DCO with these steps, refer to our troubleshooting tips. We provide information about possible dependencies you may need to address.

Red Hat Linux Enterprise

1. Install the Extra Packages for Enterprise Linux (EPEL) repository.
2. Update and upgrade the OS (choose the command  appropriate for your RHEL version):
   

   yum upgrade

   or

   yum update

3. Reboot the OS.
4. Upgrade Access Server to 2.12.0 or newer or do a fresh install of 2.12.0 with the install commands in the Access Server portal. (Refer to our detailed instructions for updating Access Server, if helpful.)
5. Install the DCO module:
   

   yum install kmod-ovpn-dco

Enable OpenVPN DCO in Admin Web UI

After installing the DCO kernel module, you can enable DCO in Access Server's Admin Web UI.

1. Sign in to the Admin Web UI.
2. Click Configuration > Advanced VPN.
3. Click Prefer kernel Openvpn data channel offloading if available (ovpn-dco) to set data channel offloading to Yes.
4. Click Save Settings and Update Running Server.
5. Access Server now displays a message on the Status Overview page that the ovpn-dco module is active.

Set VPN tunnel MTU (optional)

Access Server has a maximum transmission unit (MTU), previously a background setting. With DCO, we provided a way for you to adjust it as needed.

We recommend setting the VPN tunnel MTU to 1420 when you enable DCO:

1. Sign in to the Admin Web UI.
2. Click Configuration > Advanced VPN.
3. Enter '1420' as the value in the field, VPN tunnel MTU.
4. Click Save Settings and Update Running Server.

Note: For VPN tunnel MTU: the minimum allowable value is 576, and the maximum is 65536. 

Verify OpenVPN DCO is now in use (optional):

From the Admin Web UI:

1. Click Status > Status Overview.
2. Under Kernel data channel offloading, the status displays as active and lists the ovpn-dco version.

From the command line interface (CLI):

1. Connect to your server's console and obtain root privileges.
2. Run this command to verify ovpn-dco is in use:
   

   ip -details link show

3. Note the interfaces that start with as0; you'll see these include ovpn-dco in the output.

Enable OpenVPN DCO from CLI

Instead of turning on OpenVPN DCO from the Admin Web UI, you can manage it from the CLI.

1. Connect to your console with root privileges.
2. Switch to the Access Server scripts directory:
   

   cd /usr/local/openvpn_as/scripts/

3. Run these commands:
   

   sacli -k "vpn.server.daemon.ovpndco" -v "true" ConfigPut
   sacli start

Upgrade the OpenVPN DCO module

This section provides information about upgrading the OpenVPN DCO module on your server to the latest version.

Before you begin

The following must exist:

1. Access Server 2.12 and newer installed.
2. Previous version of the DCO kernel module installed.

Commands to upgrade the DCO module

After you've ensured the above conditions, follow these steps to upgrade OpenVPN DCO:

1. Connect to your console with root privileges.
2. Run your OS update/upgrade commands (Ubuntu shown):
   

   apt update
   apt upgrade

   • The OpenVPN DCO module should be updated.
3. Reboot your OS:
   

   reboot

Note: If you don't want to reboot the server (or can't), you can run these commands to stop the Access Server service, remove the previous OpenVPN DCO module, load the new module, and restart the Access Server service:

service openvpnas stop
modprobe -r ovpn_dco_v2
modprobe ovpn_dco_v2
service openvpnas start

Note about Access Server with Secure Boot

Suppose you've enabled secure boot on the system running your Access Server. In that case, it will fail to boot correctly if you install the DCO loadable kernel module without adding its signature to the secure boot system. 

Ensure you do one of two things:

1. Either add the module's signature to verify it and boot securely.
2. Or disable secure boot.

This situation will improve in the future as DCO is under review for inclusion in the Linux kernel itself. Once it is part of the Linux kernel, a separate loadable kernel module won't be required.

Troubleshooting

Refer to the subsections below to troubleshoot DCO issues.

DCO doesn't load

The Access Server status page states, "ovpn-dco module is available but inactive." Step through the installation again to ensure you have all the necessary pieces when you encounter this message. This message means that DCO didn't load. Refer to these troubleshooting tips to resolve it, or send us a support ticket.

Linux headers not installed

DCO requires the latest Linux kernel headers. Follow these steps to install the headers and set them to install with updates automatically. If you need to stay with a specific kernel header, refer to the next troubleshooting section.

1. Check the current kernel version for your OS:
   

   uname -r

   • Our example output was 5.15.0-75-generic. In place of "generic" you may see "cloud," "aws," and others, which you enter in your install command.
2. Install the latest kernel header:
   

   install linux-headers-[generic/aws/cloud/etc]

   • For our example, we enter the command install linux-headers-generic. Take note of your kernel uname to enter the correct kernel header package name.
3. Mark the headers to install automatically:
   

   apt-mark auto linux-headers-generic

With DCO installed and the kernel headers set to automatically install, running apt update and apt upgrade will always give you the latest kernel and headers, keeping DCO working.

DCO with an OS that stays on a specific kernel version

Follow these steps for installing DCO on a Linux OS where you want to stay on a specific kernel version:

1. Follow the steps above to install openvpn-dco.
2. Check your current kernel type (our example uses 5.15.0-1025-aws kernel):
   

   uname -r

3. The results display your kernel information such as this:
   

   5.15.0-1025-aws

4. Install the necessary kernel headers for your kernel:
   

   apt install linux-headers-5.19.0-1025-aws

5. If you upgrade your kernel, ensure you install the needed kernel headers for the new kernel.

EFI variables not found

During installation, you may receive the message, "EFI variables are not supported on this system. /sys/firmware/efi/efivars not found, aborting." Access Server may not display ovpn-dco available on the Status Overview without EFI variables. Resolve this by installing efivar:

apt-get install efivar

Advanced VPN directives

If you encounter errors or can't verify that DCO is running, check for any advanced VPN directives:

1. Sign in to the Admin Web UI.
2. Click Configuration > Advanced VPN.
3. Scroll down to Additional OpenVPN Config Directives (Advanced).
4. If you have any server or client config directives, review them one by one. You may need to remove them for DCO to work correctly.

Legacy OpenVPN features

If you want to enable DCO with an older Access Server configuration, be aware that certain legacy features aren't compatible with DCO. Specifically, if your configuration supports any of the below features, refer to the following subsections for details.

Legacy features that aren't DCO-compatible:

1. Compression.
2. Legacy data ciphers.
3. Bridging.
4. Legacy DHCP options.

Compression

We deprecated support for compression due to the Voracle vulnerability. Access Server 2.6.1 and newer disable compression during upgrades, so this should be fine unless you specifically re-enable compression.

If you enable DCO, Access Server turns compression off forcibly as it's not and won't be implemented.

Legacy data ciphers

Blowfish and other CBC-type ciphers are not supported. DCO only supports AEAD ciphers such as AES-256-GCM, AES-128-GCM, and ChaCha20-Poly1305.

Access Server 2.5 and newer implements AES-256-CBC by default with an automatic upgrade to AES-256-GCM.

For clients, OpenVPN 2.4 and newer uses AES-256-CBC with an automatic upgrade to AES-256-GCM. OpenVPN3-based clients can also do this. However, if you support OpenVPN 2.3 and older clients, you may need to maintain support for CBC-type ciphers and can't use DCO.

Bridging

Access Server bridging functionality is deprecated. While it can still be used (without DCO), we don't fully support it. Since DCO is new, we didn't implement bridging functionality there, but it may be implemented in the future.

Legacy DHCP options

Some options can be passed using the DHCP options mechanism in the TAP Windows driver that isn't implemented in the DCO for Windows driver. An example of this is Netbios over TCP/IP, as this is a legacy option that will be phased out.