openvpn data channel offload
openvpn is working on offloading the data channel to kernel space. This is improving throughput by an order of magnitude according tests.
Working heavily with VPN, I'm quite a fan of openvpn. openvpn is very flexible, powerful and secure, especially if you utilize the features it offers to you.
But - depending on your needs and environment - openvpn might not satisfy your performance requirements, especially on devices with less processing power.
One reason for that might be that openvpn is running in usermode and as it happens, it's not that good to run heavy I/O workloads this mode, because there might be a bunch of context switches related to the regular operations. And well, context switches are expensive.
OpenVPN Data Channel Offload
Luckily, openvpn devs are working on data channel offload which is going to provide a kernel module that handles the data processing and reduces the context switches by far.
The benefits of this are truly amazing and show that you should be keen on getting this on your environment.
openvpn shows this on their blog: We Now Have OpenVPN Data Channel Offload: Here's What That Means | OpenVPN
The benchmarks look like this:
How about security?
Running applications Â in usermode is for sure the best choice for critical environments, because you have an additional layer of security in place. But you need to pay the price by accepting lower performance if there are many context switches in place, just like any I/O bound workload introduces.
In case you have a workload that might have a higher importance on security than throughput, running in usermode without DCO might be a valid choice. In case you need throughput DCO is the way to go.
How to get it?
According to openvpn's blog (We Now Have OpenVPN Data Channel Offload: Here's What That Means | OpenVPN) it seems to be planned to release it to public - but the timeline is not yet clear. It's especially interesting to see if the DCO module will be integrated into the linux kernel which might be an important factor to drive adoption as adding custom modules is nothing that can be done and maintained easily, especially not if system is running secureboot enabled.
So, let's hope well see some more on DCO soon and we will be able to utilize it to kick VPN speeds.