Data Channel Offload (DCO)

Overview

Data Channel Offload (DCO) moves OpenVPN data channel processing from userspace to the kernel, significantly improving throughput and reducing CPU usage.

Requirements

Component      Minimum Version
OpenVPN        2.6+
Linux kernel   6.16+
Protocol       UDP only
Cipher         AEAD (AES-GCM or CHACHA20-POLY1305)

Limitations

DCO does not work with:

  • TCP protocol
  • Non-AEAD ciphers (CBC modes)
  • Compression (disabled by default)

How It Works

Without DCO, all VPN traffic passes through userspace:

graph LR
    A[Network] --> B[Kernel TUN]
    B --> C[OpenVPN Userspace]
    C --> D[Encrypt/Decrypt]
    D --> C
    C --> B
    B --> A

With DCO, encryption happens directly in the kernel:

graph LR
    A[Network] --> B[Kernel DCO Module]
    B --> C[Kernel Encrypt/Decrypt]
    C --> B
    B --> A

Usage

DCO is used automatically when all requirements are met. No additional configuration is needed.

To verify DCO is active, check the server logs:

grep -i "dco" /var/log/openvpn/server.log

To install with DCO-compatible settings (UDP and an AEAD cipher):

sudo ./openvpn-install.sh install \
  --protocol udp \
  --cipher AES-128-GCM \
  --client mydevice

Or with ChaCha20 (better for devices without AES-NI hardware acceleration):

sudo ./openvpn-install.sh install \
  --protocol udp \
  --cipher CHACHA20-POLY1305 \
  --client mydevice
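
The requirements and limitations listed above can also be checked before the server starts, instead of waiting for the log. The script below is an added example, not part of openvpn-install.sh; the function names and the config path in the closing comment are assumptions, and the check only looks at the `proto`, `cipher`, `data-ciphers`, `compress` and `comp-lzo` directives.

```shell
#!/bin/sh
# Added example (not part of openvpn-install.sh): DCO pre-flight check based on
# the Requirements and Limitations sections of this page.

# version_ge A B: true when version A >= B, comparing major.minor numerically
# (a plain string compare would wrongly rank kernel 6.9 above 6.16).
version_ge() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%[!0-9]*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%[!0-9]*}
  [ "$a_major" -gt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]; }
}

# dco_config_issues FILE: print one line per directive that conflicts with DCO.
dco_config_issues() {
  awk '
    NF == 0 || $1 ~ /^[#;]/ { next }   # skip blank lines and comments
    $1 == "proto" && $2 !~ /^udp/ { print "proto " $2 ": DCO is UDP only" }
    $1 == "cipher" || $1 == "data-ciphers" {
      n = split(toupper($2), c, ":")
      for (i = 1; i <= n; i++)
        if (c[i] !~ /-GCM$/ && c[i] != "CHACHA20-POLY1305")
          print $1 " " c[i] ": not an AEAD cipher"
    }
    $1 == "compress" || $1 == "comp-lzo" { print $1 ": compression is not supported" }
  ' "$1"
}

# dco_preflight CONFIG KERNEL_VERSION OPENVPN_VERSION: status 0 when all checks pass.
dco_preflight() {
  rc=0
  version_ge "$2" 6.16 || { echo "kernel $2 is older than 6.16"; rc=1; }
  version_ge "$3" 2.6  || { echo "OpenVPN $3 is older than 2.6"; rc=1; }
  issues=$(dco_config_issues "$1")
  [ -z "$issues" ] || { echo "$issues"; rc=1; }
  return "$rc"
}

# Typical call on the server (the config path is an assumption):
#   dco_preflight /etc/openvpn/server/server.conf "$(uname -r)" \
#     "$(openvpn --version | awk 'NR==1 {print $2}')"
```

A passing pre-flight only means the listed preconditions hold; the log check above remains the confirmation that DCO is actually in use.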