It depends on where the bottleneck is. If the bottleneck is the CPU, then DCO will help get higher throughput. But if the bottleneck is your WAN link, then DCO might only help reduce CPU usage.
It's moving forward, at least. Not that AES-128-CBC is bad, but it's not as efficient since it requires a separate HMAC calculation.
AES-128-GCM and ChaCha20-Poly1305 - this isn't a bad thing to be honest...
One thing I wanted to test myself was if I could efficiently start using bcmspu with crypto getting shifted to kernel space, getting rid of the expensive context switch that made bcmspu useless with OpenVPN. Sadly the newest BCM platform I have access to is still on kernel 4.19, so no DCO possible.
I see this feature as more for the provider side, where supporting 1000's of connections per server makes this a lot more efficient, and perhaps easier to manage...
@RMerlin on their site it says it can be back ported to older kernels, not sure if 4.19 is too old?
Thanks for the clarification!
[ 388.2 alpha Build(s) ] Testing available build(s)
Keysize doesn't matter here, the point was more about CBC vs GCM.
AES-256-GCM is also supported, that’s what I used.
It's moving forward, at least. Not that AES-128-CBC is bad, but it's not as efficient since it requires a separate HMAC calculation.
AES-256-GCM is also supported, that’s what I used.
@RMerlin on their site it says it can be back ported to older kernels, not sure if 4.19 is too old?
Found this discussion:
What is your OVPN client device?
Good to see the OpenVPN dev respond. Pretty much in line with what RMerlin said.
As for my testing it’s probably useless at my ISP speeds. I no longer have a Comcast gigabit connection. I’m on Fios 300/300 which peaks at like 330 Mbps which the VPN test easily maxed out without breaking a sweat in CPU usage as previously mentioned. Maybe at multi gigabit and/or lots of clients like sfx2000 mentioned DCO may make a bigger difference. Maybe could also make a difference with much lower clocked CPUs as DCO allows multi threaded encryption.
Tested on my 2023 MBP 16" and iPhone 14 Pro as well, latter two don't have DCO support on the OpenVPN app.
How is it not for the client side?
Probably for the best - Apple is very protective of their kernel for security reasons.
Client side there isn't really any improvement, IMHO, this is more for the server side...
People using underpowered pfSense/OPNsense hardware, other firewall hardware/VPN appliance, VPN router, etc. (AKA CPU bottlenecks), as OVPN clients … could all benefit from running OVPN-DCO
Servers/Routers dealing with many clients and large loads will likely see a more immediate effect. It’s still a welcome improvement.
Folks running OpenWRT can load up the kernel module and kick the tires..
I've got a QCA-Dakota based board on the shelf - GL-Inet B1300, but I'd have to spin up a build environment as I'm not actively working on that one...
[OpenWrt Wiki] package: kmod-ovpn-dco
openwrt.org
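Added example, not part of any post in this thread: a small audit that reads an OpenVPN config and flags data-channel ciphers outside the AEAD set the thread names (AES-128-GCM, AES-256-GCM, ChaCha20-Poly1305), such as the CBC ciphers that need a separate HMAC pass. The directive names are OpenVPN 2.5+ options; the sample configs and function names are constructed for illustration.

```python
# Added example: flag non-AEAD data-channel ciphers in an OpenVPN config.
# The AEAD set below is the one named in the thread above.
AEAD = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
CIPHER_DIRECTIVES = ("data-ciphers", "data-ciphers-fallback", "ncp-ciphers", "cipher")


def parse_ciphers(config_text):
    """Return {directive: [cipher, ...]} for each cipher directive present."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or full-line comment
            continue
        parts = line.split("#", 1)[0].split()  # drop a trailing comment
        if len(parts) >= 2 and parts[0] in CIPHER_DIRECTIVES:
            # Cipher lists are colon-separated; names are case-insensitive.
            found[parts[0]] = [c.upper() for c in parts[1].split(":") if c]
    return found


def audit(config_text):
    """Return (aead_only, findings).

    findings lists (directive, cipher) for every non-AEAD cipher.
    Assumption: a config with no cipher directive is reported as not
    verified (aead_only False), because the defaults depend on the version.
    """
    ciphers = parse_ciphers(config_text)
    findings = [(d, c) for d, names in ciphers.items()
                for c in names if c not in AEAD]
    return (bool(ciphers) and not findings, findings)


# Constructed sample configs (not taken from the thread).
LEGACY = "# legacy profile\nproto udp\ncipher AES-128-CBC\nauth SHA256\n"
MODERN = "; modern profile\ndata-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n"
MIXED = ("data-ciphers AES-256-GCM:AES-128-CBC  # negotiation list\n"
         "data-ciphers-fallback AES-128-CBC\n")

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("modern", MODERN), ("mixed", MIXED)):
        ok, findings = audit(cfg)
        print(name, "AEAD-only" if ok else "needs review", findings)
```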