OpenVPN dco how to enable?

Erhm, yes that’s essentially what I posted here:

But never hurts to hammer the point home I suppose :slight_smile:

DCO does NOT WORK.. the few Mbps improvements that you're seeing is ONLY because the DCO data encryption is spawning in a different thread.. which relieves "some" overhead.. and improves latency slightly.. DCO works nothing like it should compared to a full standard x86_64 distro package.
I'm only getting maybe 400-450Mbps when I should be hitting almost a full 1Gbps(1000Mbps).

OK guys, so DCO wasn't being used on my initial tests, probably I hadn't installed the self built package correctly (I had just used opkg install from the CLI, this time I've used the GUI and I first removed the installed openvpn-openssl package, keeping dependencies, then installed the self built one), or it could have been something else as I played with settings.

Anyway the logs are now showing that DCO is loaded:

OpenVPN 2.6.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
DCO version: N/A
net_iface_new: add tun0 type ovpn-dco
DCO device tun0 opened

and I'm getting a good speed increase, from about 15 to about 22 Mbps, MT7621 with AES-256-GCM, so about 50% better, as expected. For me that is a nice improvement and good enough to use on my phone.

On my travel router I use WireGuard (with OpenVPN as fallback in case tcp/443 is needed), but on my phone I prefer to use OpenVPN as I like the OpenVPN for Android app a lot, with all its settings and proper logs, and it seems to be more reliable when switching networks, from mobile to WiFi and back, compared to WireGuard.

So, job done, all thanks to you guys and of course to the OpenWrt project, all its developers and contributors and all the helpful people on the forum. Well done everyone!

Glad to hear of your success! If you’re inclined to tinker a little more I’d be keen to see if switching to chacha20-poly1305 cipher gets you to 50Mbps or so.

Since your main client sounds like Android it would probably work well on your phone too.

I changed from AES-128-GCM to CHACHA20-POLY1305 and I get the same speed. No improvement at all.

I've tried to configure CHACHA20-POLY1305 only as data-ciphers and also to put it first on the list (at both the client and the server's end) but I'm getting connection refused on the client and a bunch of the below errors on the server.

Thu May 23 12:55:25 2024 daemon.err openvpn(server)[19550]: TLS Error: could not determine wrapping from [AF_INET]192.168.1.20:48113

If I put things back to default it connects fine. It could be a problem on the client side, not sure.


Nice catch csharper2005. I hadn’t checked git about this in a while — good to see work is already ongoing in the background to get this situation properly sorted out.

Nice one, you spared me some digging time that I'd have spent at my next chance at looking into this.

I was actually looking at that thread recently, but before your posts on it.

I'm keen to see what the speed improvement is on a platform that supports AES in hardware, like the NanoPi routers. In theory OpenVPN performance should then be higher than wireguard..

I enabled CONFIG_OPENVPN_openssl_ENABLE_DCO=y and built a new snapshot image but it still does not show [DCO] after booting the new image.

Model: r7800

CONFIG_PACKAGE_kmod-ovpn-dco-v2=y
CONFIG_OPENVPN_openssl_ENABLE_DCO=y

# openvpn --version
OpenVPN 2.6.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>

You haven't even given us the OpenVPN startup log?

And what verbosity setting do you have?

There's nothing special in the OpenVPN startup log at verbose 7.

Mon May 27 06:40:46 2024 daemon.notice openvpn(openvpn_server_tcp)[12002]: OpenVPN 2.6.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]

Mon May 27 06:40:46 2024 daemon.notice openvpn(openvpn_server_tcp)[12002]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10

Yea, that is because you ain't supposed to have verb 7.

We don't need to look at the log. Using the --version option would show whether openvpn is built with DCO or not.

Yea, that seems to work good for you.

But it isn’t really a version, it is only a build add-on for the version.

I did a "make distclean" and recompiled the image. Now it shows [DCO] properly.

openvpn --version
OpenVPN 2.6.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
DCO version: N/A

However, I did not see the string "net_iface_new: add tun0 type ovpn-dco" in the log (verbose 5). Do I need to do any additional config?

Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: OpenVPN 2.6.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: DCO version: N/A
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_route_v4_best_gw query: dst 0.0.0.0
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_route_v4_best_gw result: via x.x.x.x dev wan
Mon May 27 19:09:33 2024 daemon.warn openvpn(openvpn_server_tcp)[25499]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: Diffie-Hellman initialized with 2048 bit key
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: TLS-Auth MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_route_v4_best_gw query: dst 0.0.0.0
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_route_v4_best_gw result: via x.x.x.x dev wan
Mon May 27 19:09:33 2024 daemon.info avahi-daemon[3276]: Joining mDNS multicast group on interface tun0.IPv6 with address fe80::6f39:3abc:e95f:e086.
Mon May 27 19:09:33 2024 daemon.info avahi-daemon[3276]: New relevant interface tun0.IPv6 for mDNS.
Mon May 27 19:09:33 2024 daemon.info avahi-daemon[3276]: Registering new address record for fe80::6f39:3abc:e95f:e086 on tun0.*.
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: TUN/TAP device tun0 opened
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: do_ifconfig, ipv4=1, ipv6=0
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_iface_mtu_set: mtu 1500 for tun0
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_iface_up: set tun0 up
Mon May 27 19:09:33 2024 daemon.notice openvpn(openvpn_server_tcp)[25499]: net_addr_ptp_v4_add: 10.1.1.1 peer 10.1.1.2 dev tun0

CONFIG

config openvpn 'openvpn_server'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/xxx-openvpn-server.crt'
	option key '/etc/openvpn/xxx-openvpn-server.key'
	option dh '/etc/openvpn/dh.pem'
	option tls_auth '/etc/openvpn/ta.key 0'
	option ncp_ciphers 'CHACHA20-POLY1305:AES-128-GCM'
	option data_ciphers 'CHACHA20-POLY1305'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option port '4430'
	option enabled '1'
	option tun_mtu '1500'
	option verb '5'
	option duplicate_cn '0'
	option proto 'udp'
	option server '10.1.1.0 255.255.255.0'
	option keepalive '25 150'
	option disable_dco '0'

OpenVPN has 11 verbose levels. The higher the level is, the more information will be generated, so there is more debug log info at 7 than 5.

It's not using DCO.
There should be a DCO device %s opened message on the very top about DCO with verb 4 if I remember correctly.

Your log has:

The kernel module doesn't seem to be loaded. modprobe ovpn-dco.

That is normal and does not mean dco is not available.

openvpn --versions should show DCO

Whether the dco tun is loaded is dependent on settings, not all settings are compatible.
This has been discussed earlier.
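A small check, added here as an example and not taken from the thread, that puts the advice above into one script: it reads the `[DCO]` marker and the "DCO device ... opened" line from a startup log like the ones posted, and scans a UCI openvpn section for settings that OpenVPN 2.6 is known to refuse DCO with. The blocker list (dev tap, disable_dco, compress, fragment, non-AEAD data ciphers, server mode without topology subnet) is an assumption drawn from OpenVPN's own DCO option checks, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): tell from an OpenVPN 2.6 startup log whether
# DCO is active, merely compiled in, or absent, and scan a UCI openvpn section for
# options OpenVPN's DCO checks reject (assumed list: dev tap, disable_dco, compress,
# fragment, non-AEAD data ciphers, server mode without topology subnet).

# Constructed sample logs, modelled on the two posts above.
LOG_DCO='OpenVPN 2.6.10 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [AEAD] [DCO]
net_iface_new: add tun0 type ovpn-dco
DCO device tun0 opened'
LOG_NODCO='OpenVPN 2.6.10 arm-openwrt-linux-gnu [SSL (OpenSSL)] [AEAD] [DCO]
TUN/TAP device tun0 opened
net_addr_ptp_v4_add: 10.1.1.1 peer 10.1.1.2 dev tun0'
# Constructed UCI sections: CFG_SUBNET is CFG_NET30 plus topology subnet.
CFG_NET30="option dev 'tun'
option data_ciphers 'CHACHA20-POLY1305'
option server '10.1.1.0 255.255.255.0'
option disable_dco '0'"
CFG_SUBNET="$CFG_NET30
option topology 'subnet'"

# dco_state LOG -> prints active | built-but-unused | not-built
dco_state() {
    printf '%s\n' "$1" | grep -q '\[DCO\]' || { echo not-built; return; }
    if printf '%s\n' "$1" | grep -q 'DCO device .* opened'; then
        echo active
    else
        echo built-but-unused   # plain TUN/TAP device: no offload despite [DCO]
    fi
}

# dco_blockers UCI -> one reason per line; no output means nothing found
dco_blockers() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        $1 != "option" { next }
        $2 == "dev" && $3 == "tap"       { print "dev tap: DCO supports tun only" }
        $2 == "disable_dco" && $3 == "1" { print "disable_dco 1 is set" }
        $2 == "compress" || $2 == "fragment" { print $2 ": not supported with DCO" }
        $2 == "data_ciphers" {
            n = split($3, c, ":")
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$/)
                    print "non-AEAD data cipher " c[i] " disables DCO"
        }
        $2 == "server"   { server = 1 }
        $2 == "topology" { topo = $3 }
        END { if (server && topo != "subnet")
                  print "server mode without topology subnet (net30 default): DCO disabled" }'
}
```

Run `dco_state "$(logread | grep openvpn)"` on the router to classify a live log, and feed `dco_blockers` the relevant `config openvpn` section from /etc/config/openvpn.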