Menu
What's new
By:
Filters Better Search

Anyone using Data Channel Offload (OVPN-DCO) on any of your client devices/networks yet?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I suppose 300 Mbps was too low on WAN side to even make a dent on CPU use with or without DCO. Was like 1-2%.
 
RMerlin said:
It depends on where the bottleneck is. If the bottleneck is the CPU, then DCO will help get higher throughput. But if the bottleneck is your WAN link, then DCO might only help in reduce CPU usage.
Click to expand...

Did you see they only support the AEAD ciphers?

AES-128-GCM and ChaCha20-Poly1305 - this isn't a bad thing to be honest...

I see this feature as more for the provider side, where supporting 1000's of connections per server makes this a lot more efficient, and perhaps easier to manage...
 
sfx2000 said:
AES-128-GCM and ChaCha20-Poly1305 - this isn't a bad thing to be honest...
Click to expand...
It`s moving forward, at least. Not that AES-128-CBC is bad, but it`s not as efficient since it requires a separate HMAC calculation.

sfx2000 said:
I see this feature as more for the provider side, where supporting 1000's of connections per server makes this a lot more efficient, and perhaps easier to manage...
Click to expand...
One thing I wanted to test myself was if I could efficiently start using bcmspu with crypto getting shifted to kernel space, getting rid of the expensive context switch that made bcmspu useless with OpenVPN. Sadly the newest BCM platform I have access to is still on kernel 4.19, so no DCO possible.

Better hardware acceleration support would be beneficial to those trying to scale such large numbers of simultaneous connections.
 
AES-256-GCM is also supported that’s what I used.

@RMerlin on their site it says it can be back ported to older kernels, not sure if 4.19 is too old?

Found this discussion:
https://www.reddit.com/r/OpenVPN/comments/12yfo4m

Also here’s the test results below from OpnVPN’s website:
openvpn.net

We Now Have OpenVPN Data Channel Offload: Here's What That Means

Security is one of the most important things to consider when you are online. The more data encryption available, the better.
openvpn.net openvpn.net

Their Test setup:
AMD ThreadRipper 3970x system running Hyper-V as the hypervisor with Linux and Windows guests.
IMG_0227.jpeg
 
Last edited:
avtella said:
AES-256-GCM is also supported that’s what I used.
Click to expand...
Keysize doesn't matter here, the point was more about CBC vs GCM.
 
RMerlin said:
It`s moving forward, at least. Not that AES-128-CBC is bad, but it`s not as efficient since it requires a separate HMAC calculation.
Click to expand...

Some comparison numbers on ARM - I think they made reasonable choices - AES-128-GCM for cores that have the instruction support, and chacha20-poly1305 for those that don't...

gnutls-bin v3.7.3, ubuntu 23.04 (Armbian)

Coretex-A35 - Amlogic S905Y4 - Khadas vim1s

AES-128-GCM 0.21 GB/sec
CHACHA20-POLY1305 75.13 MB/sec
AES-128-CBC-SHA1 0.27 GB/sec
AES-128-CBC-SHA256 0.25 GB/sec

Flags: fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid

Coretex-A17 - Rockchip RK3288 - Tinkerboard

AES-128-GCM 48.96 MB/sec
CHACHA20-POLY1305 125.20 MB/sec
AES-128-CBC-SHA1 48.21 MB/sec
AES-128-CBC-SHA256 38.30 MB/sec


Flags: half thumb fastmult vfp edsp thumbee neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
 
avtella said:
AES-256-GCM is also supported that’s what I used.

@RMerlin on their site it says it can be back ported to older kernels, not sure if 4.19 is too old?

Found this discussion:
https://www.reddit.com/r/OpenVPN/comments/12yfo4m
Click to expand...



Linux version 4.1.27 (merlin@ubuntu-dev) (gcc version 5.3.0 (Buildroot 2016.02)
….would be a “no-go” then, eh??
Thank you!!

dazono
•21 hr. ago
Correct. 4.1 kernels are unsupported. Also by upstream Linux kernel.
There is support for RHEL-8's kernel (which is v4.18 based, but it's also carries a lot of support from newer kernels backported by Red Hat).

IMG_8037.jpeg
 
Good to see the OpnVPN dev respond. Pretty much in line with what RMerlin said.

As for my testing it’s probably useless at my ISP speeds. I no longer have a Comcast gigabit connection. I’m on Fios 300/300 which peaks at like 330 Mbps which the VPN test easily maxed out without breaking a sweat in CPU usage as previously mentioned. Maybe at multi gigabit and or lots of clients like sfx2000 mentioned DCO may make a bigger difference. Maybe could also make a difference with much lower clocked CPUs as DCO allows multi threaded encryption.
 
Last edited:
Well - it's a step forward for OVPN - but performance should be similar to non DCO - it will be more efficient however...

It keeps OVPN relevant compared to WG - and they've made some good choices with ciphering using a couple of good choices on AEAD... chacha20-poly1305 for cores that do not implement some kind of AES acceleration, and AES-128-GCM for those that do...

With DCO, there is a cost, and that cost is portability - as long as the OVPN team can support kernel modules/extensions/drivers across operating systems and core ISA's, they're good to go, but the burden is on them to keep it in sync...

Keep in mind that OVPN keeps the relative strengths they've had in the past - they're layer 3, whereas WG, like IPSeC is Layer 2 - which is useful in certain use cases...
 
avtella said:
Good to see the OpnVPN dev respond. Pretty much in line with what RMerlin said.

As for my testing it’s probably useless at my ISP speeds. I no longer have a Comcast gigabit connection. I’m on Fios 300/300 which peaks at like 330 Mbps which the VPN test easily maxed out without breaking a sweat in CPU usage as previously mentioned. Maybe at multi gigabit and or lots of clients like sfx2000 mentioned DCO may make a bigger difference. Maybe could also make a difference with much lower clocked CPUs as DCO allows multi threaded encryption.
Click to expand...
What is your OVPN client device?
 
A Windows PC with a Ryzen 5800 (non x ie essentially an OEM 5700X), later tested on my 2023 MBP 16" and iPhone 14 Pro as well, latter two don't have DCO support on the OpenVPN app.
 
avtella said:
tested on my 2023 MBP 16" and iPhone 14 Pro as well, latter two don't have DCO support on the OpenVPN app.
Click to expand...

Probably for the best - Apple is very protective of their kernel for security reasons.

Client side there isn't really any improvement, IMHO, this is more for the server side...
 
sfx2000 said:
Probably for the best - Apple is very protective of their kernel for security reasons.

Client side there isn't really any improvement, IMHO, this is more for the server side...
Click to expand...
How is it not for the client side?
People using underpowered Pfsense/opnsense hardware, other firewall hardware/vpn appliance, vpn router, etc , (AKA, CPU bottlenecks), as OVPN clients … could all benefit from running OVPN-DCO
 
Last edited:
Looking at OpenVPNs own results it definitely looks like it helps client side, but probably not useful just yet for the average end user with relatively low WAN speeds like myself. Servers/Routers dealing with many clients and large loads will likely see a more immediate effect. It’s still a welcome improvement.
 
Last edited:
JTnola said:
People using underpowered Pfsense/opnsense hardware, other firewall hardware/vpn appliance, vpn router, etc , (AKA, CPU bottlenecks), as OVPN clients … could all benefit from running OVPN-DCO
Click to expand...

Folks running OpenWRT can load up the kernel module and kick the tires..

[OpenWrt Wiki] package: kmod-ovpn-dco

openwrt.org openwrt.org

I've got a QCA-Dakota based board on the shelf - GL-Inet B1300, but I'd have to spin up a build environment as I'm not actively working on that one...

Dakota - IPQ4028 which is a Cortex-A7 Quad @ 717MHz

Last time I check it with OVPN, it was around 25Mbps, where WG was around 190 Mbps...
 
avtella said:
Servers/Routers dealing with many clients and large loads will likely see a more immediate effect. It’s still a welcome improvement.
Click to expand...

I agree - for an enterprise security GW, esp with the work-from-home situation, DCO improvements could be profound here for capacity reasons - same as it would be for the commercial VPN service providers...

Think about it - if one is running that security gateway on a 2U server on a big AMD Eypc or Intel Xeon - it's got plenty of BW on the wire, and tons of CPU resources, but the session overhead drops dramatically with DCO - which is my point...
 
sfx2000 said:
Folks running OpenWRT can load up the kernel module and kick the tires..

[OpenWrt Wiki] package: kmod-ovpn-dco

openwrt.org openwrt.org
I've got a QCA-Dakota based board on the shelf - GL-Inet B1300, but I'd have to spin up a build environment as I'm not actively working on that one...
Click to expand...

Hm... so I did spin up a B1300/Dakota build with DCO, but the results are inconclusive, and with a limited number of tests, I'd rather not share results as they really don't prove or disprove the advantages of DCO...

I tihnk if someone wants to tinker with this, it's best to go first into configuring debian (or whatever) as a router, and enabling/disabling the feature there...

Remember, router SoC's add a layer of complexity with the built in switch, so when doing A/B testing, best to keep things as simple as possible...

Here's a couple of diagrams that might illustrate the complexity...

ovpn-classic as a user space implementation...

Screenshot_2023-06-13_at_10.37.55_AM.original.png


Now here's DCO...

Screenshot_2023-06-13_at_10.39.27_AM.original.png


It's down in the network stack where the other dragons live - flow accelerators, QoS management, task offloaders, etc... both HW and SW...

So full integration into something like AsusWRT (if the kernel was new enough) or similar, well, that's a pretty big task, and a lot of testing across different configurations...
 
What is this Open VPn data channel offload? My wife was having issues with her connectivity and I noticed a network adapter called Open VPN data channel offload. How did that get installed?
Is that a Windows update thing?
 
You must log in or register to reply here.

Similar threads

J
VPN Gateway Hardware requirements? (& recommendations?)
Replies
10
Views
1K
Tech9
Tech9
S
AC68U Merlin 386.11, 386.12 OVPN Server Connects but no data throughput
Replies
9
Views
1K
lazyme
L
P
I think my BE98 might be dying?! (Edit: It's fine)
Replies
4
Views
617
pdixon0
P
R
OpenVPN not saving the custom configuration for client-connect on ASUS GT-AX6000
Replies
5
Views
635
eibgrad
eibgrad
M
Any workaround to expand Guest Network 'features' on Mesh for IoT Devices | AX86U
Replies
2
Views
417
ChatmanR
ChatmanR
Similar threads
Thread starter Title Forum Replies Date
L Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200 VPN 31
S Offload OpenVPN to Raspberry Pi 5 versus using my AXE16000 for site-site? VPN 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 622 (members: 19, guests: 603)
Top