Experiences of Integrating OPENVPN-DCO (Data Channel Offloading) with OpenVPN
OpenVPN has been a well-established VPN solution for many years, providing security, flexibility, and widespread platform support. Unfortunately, one of its long-standing performance bottlenecks has been high-throughput deployments on 10G and 100G networks.
Consider an application running in user space, say a web browser, wget, or an FTP server, that wants to transmit a packet over the VPN. It issues a send system call, and the data is copied into the kernel. The kernel hands it to the network stack, which makes a routing decision and eventually determines that the packet must go through the OpenVPN tunnel, i.e. out over a TUN interface. The TUN interface copies the data back into user space so that OpenVPN can encrypt the packet and do everything else needed to provide the VPN functionality; OpenVPN then copies the result back into the kernel, which routes it out onto the Internet. This round trip means a lot of data copying between kernel and user space, and a corresponding latency hit that is unnecessary, as shown in the diagram above.
To solve this, ovpn-dco (OpenVPN Data Channel Offload) was implemented; it greatly improves packet-processing efficiency through kernel-based acceleration.
What is ovpn-dco?
ovpn-dco is an in-kernel implementation of OpenVPN’s data channel, intended to offload packet processing from user space to kernel space. This reduces context switching between user space and kernel space, resulting in lower latency, less CPU usage, and higher throughput than conventional OpenVPN. It is a virtual device driver with the following capabilities:
- Encryption and decryption via the kernel Crypto API: AES-GCM and ChaCha20-Poly1305 are supported, and the set is extensible
- Configuration via Netlink
- Routing uses the system routing table
- DCO is responsible for the data channel only
- Parameters such as IP addresses, encryption and decryption keys, and the peer socket are passed from user space to DCO through a socket
- The Netlink API is used to keep DCO in sync; the operations are:
  - Interface creation/destruction: OVPN_CMD_{NEW,DEL}_IFACE
  - Peer management: OVPN_CMD_{NEW,SET,GET,DEL}_PEER
  - Key management: OVPN_CMD_{NEW,DEL}_KEY and OVPN_CMD_SWAP_KEYS. **Note:** these operations are atomic.
- User space maintains its own state of the tunnel (peer and key status)
- Each peer can use a different cipher
Non-capabilities as of now:
- Compression
- Fragmentation
- Traffic Shaping (supports kernel’s traffic shaping)
How is ovpn-dco integrated with OpenVPN?
The integration of ovpn-dco with OpenVPN is module-based, so OpenVPN users can easily toggle between normal user-space processing and kernel acceleration where it is supported. It consists of the following parts:
- Kernel Module (ovpn-dco) – It gets installed and loaded into the Linux kernel. It processes the data path of OpenVPN packets optimally in the kernel.
- OpenVPN User-Space Process – OpenVPN continues to manage the control plane, including authentication, session establishment, and encryption keys.
- Netlink Communication – OpenVPN communicates with the kernel module via Netlink sockets to set up tunnel parameters and transfer required control information.
- Improved Packet Processing – Rather than forwarding packets via the OpenVPN user-space daemon, they are processed directly in the kernel, minimizing the performance overhead.
How Does OpenVPN Use ovpn-dco?
When ovpn-dco is activated, OpenVPN can detect its existence and offload data channel encryption/decryption and packet forwarding to the kernel. The advantages are:
- Increased Throughput – Much better data transmission rates due to effective kernel processing.
- Reduced CPU Usage – Minimizes the CPU cycles consumed in encrypting and forwarding packets.
- Better Latency – Faster processing results in less latency, which is useful for real-time applications such as VoIP or video conferencing.
- Improved Scalability – Ideal for high-bandwidth setups and large-scale installations.
The OpenVPN DCO interface can be configured in 2 modes:
- Peer to Peer (P2P) for a normal tunnel
- Peer to Multi-Peer (P2MP) for a server
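To make the capability list and the two interface modes concrete, here is a small user-space model of the bookkeeping the page describes: OpenVPN's process keeps its own view of peers and key slots and drives the kernel module with the OVPN_CMD_* Netlink operations. This is an added example, not OpenVPN's or ovpn-dco's code; it records the commands it would send instead of speaking Netlink. The two key slots (primary/secondary), the rekey order (NEW_KEY into secondary, SWAP_KEYS, DEL_KEY the old secondary) and the one-peer limit for P2P are assumptions; peer ids, key ids and addresses are constructed, and key material is left out.

```python
"""User-space bookkeeping for an ovpn-dco tunnel (added example, not OpenVPN's or ovpn-dco's code).

Mirrors the state the page says user space keeps (peers, key status) and records the
OVPN_CMD_* sequence instead of sending Netlink messages. Assumptions: two key slots per
peer, the rekey order NEW_KEY(secondary) -> SWAP_KEYS -> DEL_KEY(secondary), P2P = one peer.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ciphers the page lists as offloadable; anything else stays on the user-space data channel.
SUPPORTED_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
MODES = {"P2P", "P2MP"}


def offloadable(cipher: str) -> bool:
    return cipher.upper() in SUPPORTED_CIPHERS


@dataclass
class KeySlot:
    key_id: int
    cipher: str


@dataclass
class Peer:
    peer_id: int
    cipher: str
    remote: str                      # peer socket the kernel sends to (constructed)
    primary: Optional[KeySlot] = None
    secondary: Optional[KeySlot] = None


class DcoStateError(Exception):
    pass


class DcoInterface:
    """Shadow of the kernel state, updated in lock-step with each command we would send."""

    def __init__(self, ifname: str, mode: str = "P2P"):
        if mode not in MODES:
            raise DcoStateError(f"unknown mode {mode}")
        self.ifname, self.mode = ifname, mode
        self.peers: Dict[int, Peer] = {}
        self.log: List[str] = []     # commands in the order they were issued
        self._send("OVPN_CMD_NEW_IFACE", ifname=ifname, mode=mode)

    def _send(self, cmd: str, **attrs) -> None:
        # Real OpenVPN sends a generic-netlink message here; the model only records it.
        self.log.append(cmd + "".join(f" {k}={v}" for k, v in attrs.items()))

    def _peer(self, peer_id: int) -> Peer:
        try:
            return self.peers[peer_id]
        except KeyError:
            raise DcoStateError(f"unknown peer {peer_id}") from None

    def new_peer(self, peer_id: int, cipher: str, remote: str) -> None:
        if not offloadable(cipher):
            raise DcoStateError(f"{cipher} is not offloadable; keep this peer in user space")
        if self.mode == "P2P" and self.peers:
            raise DcoStateError("P2P interface already has its single peer")
        if peer_id in self.peers:
            raise DcoStateError(f"peer {peer_id} already exists")
        self.peers[peer_id] = Peer(peer_id, cipher.upper(), remote)
        self._send("OVPN_CMD_NEW_PEER", peer_id=peer_id, remote=remote)

    def new_key(self, peer_id: int, key_id: int, slot: str = "secondary") -> None:
        peer = self._peer(peer_id)
        if getattr(peer, slot) is not None:
            raise DcoStateError(f"{slot} slot of peer {peer_id} is occupied; DEL_KEY it first")
        setattr(peer, slot, KeySlot(key_id, peer.cipher))
        self._send("OVPN_CMD_NEW_KEY", peer_id=peer_id, key_id=key_id, slot=slot, cipher=peer.cipher)

    def swap_keys(self, peer_id: int) -> None:
        peer = self._peer(peer_id)
        if peer.secondary is None:
            raise DcoStateError("no secondary key to promote")
        # One state transition: both slots change together, never one without the other.
        peer.primary, peer.secondary = peer.secondary, peer.primary
        self._send("OVPN_CMD_SWAP_KEYS", peer_id=peer_id)

    def del_key(self, peer_id: int, slot: str) -> None:
        peer = self._peer(peer_id)
        if getattr(peer, slot) is None:
            raise DcoStateError(f"{slot} slot of peer {peer_id} is already empty")
        setattr(peer, slot, None)
        self._send("OVPN_CMD_DEL_KEY", peer_id=peer_id, slot=slot)

    def del_peer(self, peer_id: int) -> None:
        self._peer(peer_id)
        del self.peers[peer_id]
        self._send("OVPN_CMD_DEL_PEER", peer_id=peer_id)

    def rekey(self, peer_id: int, new_key_id: int) -> None:
        """Install the new key beside the old one, promote it, then drop the old one."""
        self.new_key(peer_id, new_key_id, "secondary")
        self.swap_keys(peer_id)
        self.del_key(peer_id, "secondary")

    def active_key_id(self, peer_id: int) -> Optional[int]:
        primary = self._peer(peer_id).primary
        return primary.key_id if primary else None


def demo() -> DcoInterface:
    """Bring up a P2P tunnel, install the first key, then perform one rekey."""
    tun = DcoInterface("tun0", "P2P")
    tun.new_peer(1, "AES-256-GCM", "198.51.100.7:1194")   # constructed TEST-NET-2 address
    tun.new_key(1, key_id=0, slot="primary")
    tun.rekey(1, new_key_id=1)
    return tun


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```

Running the script prints the six commands of the bring-up plus one rekey. The point of the model is the ordering: the new key is installed next to the old one and only then promoted with a single SWAP_KEYS, so the kernel never sits without a usable key, and a cipher the module cannot offload is rejected before any peer is created rather than discovered at the first packet.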
Enabling ovpn-dco on OpenVPN
To utilize ovpn-dco, make sure that:
- You have the ovpn-dco kernel module installed and loaded.
- OpenVPN has been compiled with ovpn-dco support (usually part of newer versions).
- OpenVPN's build configuration passes `--enable-dco` to configure; in our case this is done from the RPM .spec file:

```spec
# Build with the kernel data-channel offload when the "dco" bcond is set,
# otherwise build the classic user-space variant with its plugins.
%configure \
%if %{with dco}
    --enable-dco \
    --disable-plugin-down-root \
    --disable-plugin-auth-pam \
%else
    --enable-iproute2 \
    --enable-plugin-down-root \
    --enable-plugin-auth-pam \
%endif
```
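The three prerequisites above, plus the root requirement mentioned in the conclusion and the non-capabilities listed earlier (compression, fragmentation), can be checked before a rollout. The following pre-flight script is an added example, not OpenVPN's or the project's code. Each check is a pure function over command output so it runs offline against the constructed samples; `run_live()` feeds it real output. Assumptions not taken from the page: the module appears in `lsmod` as `ovpn_dco` or `ovpn_dco_v2` (the name varies by package), an OpenVPN 2.6 binary built with DCO prints a "DCO version:" line in `openvpn --version`, `disable-dco` is the config option that turns the offload off, and the config path used by `run_live()` is a placeholder.

```python
"""Pre-flight checks before relying on ovpn-dco (added example, not OpenVPN's or the project's code).

Checks: running as root, module loaded, binary built with --enable-dco, and a config that
does not disable DCO or use features the page lists as unsupported (compression, fragmentation).
"""
import os
import re
import subprocess
from typing import List

DCO_MODULE_NAMES = {"ovpn_dco", "ovpn_dco_v2"}            # assumption: adjust to your package
# Options whose features DCO does not implement (from the page's non-capabilities list).
DCO_INCOMPATIBLE_OPTIONS = {"comp-lzo", "compress", "fragment"}


def dco_module_loaded(lsmod_output: str) -> bool:
    """True if any lsmod row (first column) names a known DCO module."""
    for line in lsmod_output.splitlines()[1:]:            # row 0 is the header
        fields = line.split()
        if fields and fields[0] in DCO_MODULE_NAMES:
            return True
    return False


def openvpn_built_with_dco(version_output: str) -> bool:
    # Assumption: OpenVPN 2.6 prints "DCO version: ..." only when built with --enable-dco.
    return re.search(r"^DCO version:", version_output, re.MULTILINE) is not None


def config_options(config_text: str) -> List[str]:
    """First word of every non-comment, non-empty config line ('#' and ';' start comments)."""
    opts = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            opts.append(line.split()[0].lstrip("-"))
    return opts


def dco_preflight(uid: int, lsmod_output: str, version_output: str, config_text: str) -> List[str]:
    """Return the reasons DCO will not be used; an empty list means the offload is usable."""
    problems = []
    if uid != 0:
        problems.append("not root: the page notes ovpn-dco cannot be used as a normal user")
    if not dco_module_loaded(lsmod_output):
        problems.append("ovpn-dco kernel module is not loaded")
    if not openvpn_built_with_dco(version_output):
        problems.append("openvpn binary was not built with --enable-dco")
    opts = config_options(config_text)
    if "disable-dco" in opts:
        problems.append("config explicitly sets disable-dco")
    for opt in sorted(DCO_INCOMPATIBLE_OPTIONS.intersection(opts)):
        problems.append(f"config uses '{opt}', which DCO does not support")
    return problems


# Constructed sample output; version and size strings are placeholders, not real values.
SAMPLE_LSMOD = "Module                  Size  Used by\novpn_dco_v2            98304  0\ntun                    61440  1 ovpn_dco_v2\n"
SAMPLE_VERSION = "OpenVPN 2.6.x [placeholder build flags]\nDCO version: placeholder\n"
SAMPLE_CONFIG = "client\ndev tun\nremote vpn.example.invalid 1194   # constructed\n"
SAMPLE_CONFIG_LZO = SAMPLE_CONFIG + "comp-lzo\nfragment 1300\n"


def run_live(config_path: str = "/etc/openvpn/client.conf") -> List[str]:
    """Same checks against the running host (Linux only); config_path is an assumed default."""
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True, check=False).stdout
    version = subprocess.run(["openvpn", "--version"], capture_output=True, text=True, check=False).stdout
    with open(config_path) as fh:
        config = fh.read()
    return dco_preflight(os.getuid(), lsmod, version, config)


if __name__ == "__main__":
    print(dco_preflight(0, SAMPLE_LSMOD, SAMPLE_VERSION, SAMPLE_CONFIG))          # []
    print(dco_preflight(1000, SAMPLE_LSMOD, SAMPLE_VERSION, SAMPLE_CONFIG_LZO))   # three problems
```

A non-empty result is a reason to expect the userspace data channel, not an error: OpenVPN will still connect, just without the throughput and CPU gains this article is about, which is exactly the silent regression a rollout checklist should catch.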
Conclusion
ovpn-dco is a major step up for OpenVPN, offering performance benefits without sacrificing OpenVPN’s flexibility and security. By handing the data channel off to the kernel, OpenVPN can support higher-throughput workloads with reduced CPU overhead, which makes it an attractive option for new VPN deployments. Every solution has its pros and cons, though: in our experience ovpn-dco cannot be used as a normal user, it requires root. To solve this we have taken a multi-build approach. Note also that this is not a protocol change but an implementation change.
Jun 09th, 2025