
OpenVPN DCO part of the Linux kernel

OpenVPN DCO will be part of Linux kernel 6.16. That's huge, and you should have it on your radar to benefit from the performance gains!

Daniel Nachtrub

I'm a huge fan of OpenVPN, to be honest. It's robust, versatile, can be extremely hardened and has proven its purpose for many years now.

One long-standing limitation of OpenVPN is that it runs entirely in user mode (which, on the other hand, also has its good side).

  • Packets arrive in kernel
  • Packets are copied to user mode
  • Traffic is decrypted
  • Traffic is copied back to kernel
  • Kernel sends out the traffic

This path contains two copies between kernel and user mode, which is quite costly and limits the overall throughput of the connection. As connection bandwidths increase, this becomes a limitation.

OpenVPN DCO runs a kernel module

The approach of data channel offload (DCO) is that the processing of the data channel itself happens entirely inside the kernel and is multithreaded.

This avoids the transitions between kernel and user mode - decent!

Another improvement is the focus on multithreaded processing of data. This is also one reason the supported cipher suites are more limited, for example to AES-GCM, whose encryption approach allows the costly computations to be processed in parallel (basically, an incrementing number is encrypted [which can be done in parallel] and the plaintext is then XOR'ed onto the encrypted data stream [which is serialized]).

So, you're hopefully convinced to consider OpenVPN DCO!

Check out the article from Phoronix on the performance: https://www.phoronix.com/news/OpenVPN-Linux-OVPN-v8

This improvement is stunning!

Added to the Linux kernel starting with 6.16

The good news now is that the OpenVPN DCO module will be part of the Linux kernel starting with release 6.16: https://blog.openvpn.net/openvpn-dco-added-to-linux-kernel-2025

This shows the maturity of DCO and eases adoption, as you no longer need to integrate the module build into your update process.

So, be sure to consider testing DCO whenever you're on a kernel that ships with it.
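A pre-flight check for that advice, as an added example that is not part of the original post: it tests whether a kernel release is 6.16 or newer and whether an OpenVPN config lists ciphers outside the AEAD set. The function names, the sample config and the cipher allow-list (taken from OpenVPN's DCO documentation, the article only names AES-GCM) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check before testing DCO. All function names and
# the sample config are constructed for illustration.

# Succeeds if a kernel release string (as printed by `uname -r`) is 6.16 or newer.
kernel_ships_dco() {
    rel=${1%%[!0-9.]*}              # "6.16.0-rc3-amd64" -> "6.16.0"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac   # unparsable
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 16 ]; }
}

# Prints each cipher from "data-ciphers"/"cipher" lines that is not on the
# AEAD allow-list. The allow-list is an assumption taken from OpenVPN's DCO
# documentation; the article itself only names AES-GCM.
non_aead_ciphers() {
    awk '$1 == "data-ciphers" || $1 == "cipher" {
        n = split($2, c, ":")
        for (i = 1; i <= n; i++)
            if (toupper(c[i]) !~ /^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$/)
                print c[i]
    }' "$1"
}

# dco_check <kernel-release> <config-file>: prints a verdict, returns 0 if ready.
dco_check() {
    kernel_ships_dco "$1" || { echo "kernel-too-old"; return 1; }
    bad=$(non_aead_ciphers "$2" | tr '\n' ' ')
    [ -z "$bad" ] || { echo "unsupported-ciphers: ${bad% }"; return 1; }
    echo "ready"
}

# Constructed sample config: one AEAD cipher and one legacy CBC cipher.
sample_conf=$(mktemp)
printf '%s\n' 'dev tun' 'proto udp' \
    'data-ciphers AES-256-GCM:AES-256-CBC' > "$sample_conf"

# Check the running kernel against the sample config.
dco_check "$(uname -r)" "$sample_conf" || true
```

A kernel version of 6.16 or newer only means the module is in the source tree; whether your distribution builds and ships it still has to be verified on the host.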

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.