
openvpn data channel offload

openvpn is working on offloading the data channel to kernel space. According to tests, this improves throughput by an order of magnitude.

Daniel Nachtrub

Working heavily with VPN, I'm quite a fan of openvpn. openvpn is very flexible, powerful and secure, especially if you utilize the features it offers to you.

But - depending on your needs and environment - openvpn might not satisfy your performance requirements, especially on devices with less processing power.

One reason for that might be that openvpn runs in usermode, which is not well suited to heavy I/O workloads: regular operation can involve a large number of context switches. And well, context switches are expensive.

OpenVPN Data Channel Offload

Luckily, the openvpn devs are working on data channel offload, which is going to provide a kernel module that handles the data processing and greatly reduces the context switches.

The benefits of this are truly amazing and show that you should be keen on getting this into your environment.

openvpn shows this on their blog: We Now Have OpenVPN Data Channel Offload: Here's What That Means | OpenVPN

The benchmarks look like this:

comparison on windows (source: openvpn.net)

How about security?

Running applications in usermode is for sure the best choice for critical environments, because you have an additional layer of security in place. But you pay the price of lower performance when there are many context switches, as any I/O-bound workload introduces.

If your workload places more importance on security than on throughput, running in usermode without DCO might be a valid choice. If you need throughput, DCO is the way to go.

How to get it?

According to openvpn's blog (We Now Have OpenVPN Data Channel Offload: Here's What That Means | OpenVPN), a public release seems to be planned, but the timeline is not yet clear. It will be especially interesting to see whether the DCO module gets integrated into the Linux kernel, which might be an important factor in driving adoption: adding custom modules is nothing that can be done and maintained easily, especially not if the system is running with Secure Boot enabled.
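
The Secure Boot caveat can be checked on a host before rolling out any out-of-tree module. The script below is an added example, not code from this post or from the OpenVPN project: the module name is supplied by the caller, the verdict strings are made up for illustration, and it assumes `mokutil` and `modinfo` are installed and that the distribution kernel enforces module signatures when Secure Boot is on.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight check for loading an
# out-of-tree kernel module, such as a DCO module, on a Secure Boot host.

# Map the text printed by `mokutil --sb-state` to enabled/disabled/unknown.
parse_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# $1 = Secure Boot state, $2 = signer from `modinfo -F signer` (empty = unsigned).
# Assumption: the kernel rejects unsigned modules when Secure Boot is enabled.
classify_module() {
    case "$1:$2" in
        enabled:)   echo "expect-reject: unsigned module on a Secure Boot host" ;;
        enabled:*)  echo "verify-key: signer '$2' must be in a kernel-trusted keyring" ;;
        disabled:)  echo "unsigned: loads only if signatures are not enforced" ;;
        disabled:*) echo "signed: signer '$2'" ;;
        *)          echo "unknown: could not determine Secure Boot state" ;;
    esac
}

# Live check for one module name given by the caller.
check_module() {
    mod=$1
    if ! modinfo "$mod" >/dev/null 2>&1; then
        echo "not-installed: $mod"
        return 1
    fi
    state=$(parse_sb_state "$(mokutil --sb-state 2>/dev/null)")
    signer=$(modinfo -F signer "$mod" 2>/dev/null)
    classify_module "$state" "$signer"
}

if [ "$#" -gt 0 ]; then
    check_module "$1"
else
    # No argument: run on constructed sample inputs instead of the live system.
    classify_module "$(parse_sb_state 'SecureBoot enabled')" ""
    classify_module "$(parse_sb_state 'SecureBoot enabled')" "Constructed DKMS key"
    classify_module "$(parse_sb_state 'SecureBoot disabled')" ""
fi
```

Run it with the module name as the only argument; a `verify-key` verdict means the signing key still has to be enrolled (for example as a Machine Owner Key) before the module will load.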

So, let's hope we'll see some more on DCO soon and will be able to utilize it to kick VPN speeds.


Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.