OpenVPN dco how to enable?

Hi everyone,

After successfully building kmod-ovpn-dco-v2:

root@ER605:~# opkg list-installed | grep -i dco
kmod-ovpn-dco-v2 - 6.1.79+0.2.20230426-1
root@ER605:~#

OpenVPN doesn't recognize it:

root@ER605:~# uname -a
Linux ER605 6.1.79 #0 SMP Wed Feb 28 23:12:30 2024 mips GNU/Linux
root@ER605:~# openvpn --version
OpenVPN 2.6.9 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc sales@openvpn.net
root@ER605:~#

Any idea/clue how to enable (if it's possible)?

Many thanks,

As for now, you need to use snapshot and manually compile OpenVPN, as it's currently built without DCO support.

Here's the difference for anyone wondering. Not a 'clean' test: just curl http://...100MB from the remote server.


OpenVPN 2.6.10, OpenWrt Snapshot, ramips MT7620A 580 MHz (NEXX WT3020)
OpenVPN UDP connection, mssfix 0 on client, mssfix (auto) on server, auth SHA1

| Cipher | Mode | Average DL speed |
|---|---|---|
| AES-128-GCM | tun | 563k |
| AES-128-GCM | dco | 1599k |
| CHACHA20-POLY1305 | tun | 1007k |
| CHACHA20-POLY1305 | dco | 2265k |
| CHACHA20-POLY1305 | WireGuard | 2311k |

Ideal condition test (VPN server and remote curl destination all in LAN), mssfix 1500 on server, mssfix 0 on client.

| Cipher | Mode | Average DL speed |
|---|---|---|
| AES-128-GCM | tun | 640k |
| AES-128-GCM | dco | 1622k |
| CHACHA20-POLY1305 | tun | 1467k |
| CHACHA20-POLY1305 | dco | 3686k |
| CHACHA20-POLY1305 | WireGuard | 4144k |

4 Likes

Thank you for the useful info.

That's a pretty nice improvement in OpenVPN performance. I wonder why the package isn't compiled with DCO support and I hope that it will be in the not too distant future.

1 Like

I got ~twice the speed on mt7621 with dco.

DL 28 / UP 33 mbit/s with AES-256-GCM.

But no one answers the actual question of how to build, activate and install it…

Compile yourself and enable the option in the menu.

Note it is only available in main/snapshot

It isn’t me asking the question and it obviously didn’t work since we are here to begin with.

As others have said:

But I'll try to spell it out in an easy-to-digest way:

  1. Install a main snapshot build for your device.
  2. Install kmod-ovpn-dco-v2 package.
  3. Download snapshot SDK package for your platform on a suitable build host.
  4. Use the SDK to compile a new openvpn package. Make sure to select "Enable support for data channel offload (NEW)"
  5. Copy the newly compiled openvpn package to your device and install it, overwriting any existing one.
  6. Done.

I'll leave it to the reader to dive into configuring a build host, how to use the SDK, etc. All of the specifics for this are documented fully in the Wiki under the Developer Guide.

1 Like

I tried to do it a few days ago but I got lost in the many options that have to be selected on the compiling menu. For some of them I didn't know what to select and I gave up.

For the people with little to no knowledge of self compiling (I'd guess the vast majority of OpenWRT users), it'd be much easier if the package were just compiled with DCO support by default, unless there are good reasons not to do it, like regressions and the like, but I don't think it'd be the case here, would it?

Could anyone please confirm if that's the case or if they know why DCO support isn't added by default?

2 Likes

I agree, that was why I tried to help by forcing out an answer.

To use an SDK compile… I have built from source for many years now, but I have never needed to use an SDK build.

Many packages already have multi options setup in menuconfig so why not do this formally with OpenVPN also?

OpenVPN has a setting in the menu (sorry for the mess):

    --- openvpn-openssl................... Open source VPN solution using OpenSSL
    [*]   Enable LZO compression support
    [*]   Enable LZ4 compression support
    [ ]   Enable the --x509-username-field feature
    [ ]   Enable management server support
    [*]   Enable internal fragmentation support (--fragment)
    [*]   Enable TCP server port-share support (--port-share)
    [ ]   Enable support for iproute2
    **[*]   Enable support for data channel offload**
    [*]   Enable size optimization

Or is that not what you are after?

1 Like

Then the easiest way must be to build a complete image from source with the kmod package and OpenVPN with data channel offloading installed right away.

Using SDK for this just seems to be a lot of unnecessary work.

2 Likes

I checked, and if you enable this option in the menu you automatically get: kmod-ovpn-dco-v2 - 6.6.30.0.2.20240320-r1

So I think you should be good with just enabling this option.

Why it is not enabled by default is just guessing, but it adds size to the build, DCO is not compatible with some options which should be removed, DCO is still in its infancy, there have been frequent updates, and if you want a fast VPN you use WireGuard.
But still, I can imagine that at some point it will/should be enabled by default.
Also because you can easily disable it in the openvpn config; just add: disable-dco

I have tested DCO on another platform, and WireGuard is still faster than OpenVPN with DCO, at least in my limited testing on low-end (e.g. routers like R7800) hardware.

2 Likes

Thanks, makes sense. Hopefully by the time the new OpenWrt major stable release is out it will be.

mt7621, CHACHA20-POLY1305, tun-mtu 1320
DL 48 / UP 57 mbit/s

Actually, I had got confused with the different compiling methods. When I tried a few days ago I used the Building a single package guide, not the SDK method.

I've now tried the actual SDK method following this guide and I did make it! :wink: I'm already running the self built OpenVPN package with DCO support enabled.

The first quick tests on an MT7621, using the OpenVPN for Android app as client and AES-256-GCM, seem to show a small speed improvement, but I'll look into that part better in the next few days.

I'm more and more convinced that the best thing about OpenWrt is the learning opportunities it offers. Getting to use and benefit from the best router firmware ever is just a bonus :wink:

1 Like

Bravo, @grifo. Remember to check your logs to verify that DCO is actually being used for the connection; simply having it compiled in and the kernel module loaded does not guarantee it's on and active.

A handy chart is here:
https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features

+1 my friend

After building system with dco + enabling support for data... in my mt7621 I can't reach more than 25 mbit/s, before building/dco... I could reach about 17 mbit/s (both with GCM-128)

Edit: Tested with Win11 as client

A 50% increase using aes-128-gcm - not bad. As indicated by csharper2005:

You'll likely get better results with chapoly cipher on mt7621.

Not everything is compatible with DCO; see:
https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features

Set verb 5 and look in the log to see if DCO is enabled.
I have heard mixed reports about the speed increase, but it could well be users using incompatible settings causing openvpn to fall back to non-DCO.
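
The two pre-flight checks this thread keeps coming back to (is DCO compiled into the binary, and does the config force a fallback), as an added example that is not code from any poster. Assumptions: the function names are hypothetical; OpenVPN 2.6 builds with offload support list `[DCO]` in the `--version` feature tags; the blocker list (compression, `fragment`, non-AEAD data ciphers, `disable-dco`) is not exhaustive, so check the feature chart linked above for your version. The banner is the one from the first post and the config is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Succeeds if `openvpn --version` output on stdin carries the [DCO] feature tag.
banner_has_dco() {
    grep -q '^OpenVPN .*\[DCO\]'
}

# Prints one line per directive in config file $1 that keeps DCO from engaging.
# Assumed blocker list (not exhaustive): disable-dco, fragment, compression,
# and data ciphers other than AES-GCM / CHACHA20-POLY1305.
dco_blockers() {
    awk '
        NF == 0 || $1 ~ /^[#;]/ { next }   # skip blank lines and comments
        $1 == "disable-dco" { print "disable-dco: offload turned off explicitly" }
        $1 == "fragment"    { print "fragment: not available with DCO" }
        $1 == "compress" || $1 == "comp-lzo" {
            print $1 ": compression is not available with DCO"
        }
        $1 == "data-ciphers" || $1 == "data-ciphers-fallback" {
            n = split(toupper($2), c, ":")
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$/)
                    print $1 ": " c[i] " is not a cipher DCO can offload"
        }
    ' "$1"
}

# Banner as posted at the top of the thread; the config below is constructed.
SAMPLE_BANNER='OpenVPN 2.6.9 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]'
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed client config
dev tun
proto udp
data-ciphers AES-128-GCM:AES-256-CBC
comp-lzo no
fragment 1300
mssfix 0
EOF

if printf '%s\n' "$SAMPLE_BANNER" | banner_has_dco; then
    echo "build: [DCO] present"
else
    echo "build: no [DCO] tag, openvpn was compiled without offload support"
fi
dco_blockers "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

On the router, pipe the real banner in with `openvpn --version | banner_has_dco` and point `dco_blockers` at your own config. A clean result here only rules out the obvious causes; the verb 5 log check is still what confirms DCO is active for a given connection.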