OpenVPN dco how to enable?

With latest master snapshot (private build)

Pixel 5 <=OpenVPN-TCP(AES-128-GCM)=> R7800 <=> Speedtest server

Without DCO:   D/U ~ 60 Mbps / 50 Mbps
With DCO:   D/U ~ 90 Mbps / 60 Mbps

Pixel 5 <=OpenVPN-TCP(chacha20poly1305)=> R7800 <=> Speedtest server

Without DCO:   D/U ~  77 Mbps / 56 Mbps
With DCO:   D/U ~ 135 Mbps / 60 Mbps

Pixel 5 <=Strongswan(chacha20poly1305)=> R7800 <=> Speedtest server

D/U ~ 73 Mbps / 72 Mbps

Pixel 5 <=WireGuard(chacha20poly1305)=> R7800 <=> Speedtest server

D/U ~ 150 Mbps / 180 Mbps

My ER605v2 + OpenVPN with DCO + CHACHA20-POLY1305:

Download 48 Mbps / Upload 38 Mbps.

Anyone know if DCO is compiled in to openvpn in 24.10?

It is already explained in the thread this is for my DDWRT router with DCO enabled note the DCO at the end :

root@EA6900:~# openvpn --version
OpenVPN 2.6.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10

It is a compile time option and probably not enabled yet, of course only for OpenVPN 2.6

MT6000 custom build with LuCi and some optimization - kernel 6.6.x - #2004 by romanovj this post was hidden in another topic for some reason and it helped me with dco on my router (ax3000t with MT7981): turns out that kmod-crypto-hw-safexcel package completely broke aes encryption in my case, dco now works fine after removing it.

And it still requires manual building, dco is not enabled in 24.10.1.

Since June 20th, DCO is enabled by default as option in the OpenVPN package. Using DCO now only requires kmod-ovpn-dco-v2 to be installed.

On my x86-based system, it works with a significant speed increase. But when I push a lot of traffic, I get around 3% packet loss with the system log showing a lot of errors:

Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.640484] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.647889] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.655258] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.662616] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.669946] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.677290] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.684650] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.693249] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.700583] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:10:57 2025 kern.err kernel: [  257.707924] ovpn_udp_encap_recv: cannot handle incoming packet from peer 4: -28
Wed Jul  9 01:11:50 2025 kern.warn kernel: [  310.404130] net_ratelimit: 3929 callbacks suppressed
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.404146] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.414682] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.420210] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.425722] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.431239] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.436743] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.442257] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.447755] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.453270] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:50 2025 kern.err kernel: [  310.458764] ovpn_queue_skb: cannot queue packet to TX ring
Wed Jul  9 01:11:56 2025 kern.warn kernel: [  316.678573] net_ratelimit: 1391 callbacks suppresse

I use a quad-core J5005 with 4GB RAM and an Intel X520 on a 1Gbit symmetrical connection. I achieve around 600Mbps throughput over the OpenVPN tunnel, with htop showing around 60% CPU utilization.

Are others seeing anything similar when using DCO? I'd like to understand if this is a teething issue with DCO in OpenWrt, or if it's something with my machine and/or OpenVPN provider.

To be clear, without DCO there is no packet loss and no errors.

I did some speedtest (not with Openwrt but DDWRT which has DCO already for a longer time) and did only find a very moderate increase in speed on lower end routers (the dual core 1.2 GHz) but no packet loss.

You can simply disable it in the openvpn config just add:

disable-dco

then test again

Yes without DCO there is no packet loss and no errors, I forgot to mention that explicitly.

I have recently installed Ubuntu 25.10 Beta with 6.18 kernel and built OpenVPN 2.7_Beta1 from source. From my experience, this is the first combination that can properly show DCO Version in “openvpn --version” call. Official docs say, that mainline kernels will be supported only in 2.7 and only starting from 6.16. Given that next major release of OpenWRT is expected to use 6.12, we can only hope that snapshot builds will quickly switch to some fresh kernel. Also 6.12 is expected to be super LTS, so there is a chance that OVPN module from new kernels will be backported.

On a snapshot from this weekend:

root@openWrt:~# openvpn --version
OpenVPN 2.6.14 x86_64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.5.2 5 Aug 2025, LZO 2.10
DCO version: 2.0.0
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>

My provider supports DCO, and when I load a config with DCO enabled, the logs show:

daemon.notice openvpn(airvpn)[3187]: net_iface_new: add tun0 type ovpn-dco
daemon.notice openvpn(airvpn)[3187]: DCO device tun0 opened

I have installed fresh build today, and I get DCO version: N/A. But despite this UI issue, DCO works! Previously I was getting speeds around 150 Mbit/s in perfect conditions, but now I get over 900 Mbit/s in the same tests. Very promising results. Can’t wait next major release of OpenWRT.

Tested x86 Snapshot today. work out of the box, but the luci webinterface not support all settings to set dco to work so i use manual config file.

up to 100MegaByte/s over smb share without dco 8 MB/s

Updated info (anyone interested):

root@ER605v2:~# openvpn --version
OpenVPN 2.6.19 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.5.5 27 Jan 2026, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
root@ER605v2:~# uname -a
Linux ER605v2 6.12.79 #0 SMP Tue Mar 31 10:56:24 2026 mips GNU/Linux
root@ER605v2:~#

My ER605v2 + OpenVPN with DCO + CHACHA20-POLY1305

imagen735×130 10.4 KB

New super-update (is almost magic)

root@ER605v2:~# openvpn --version
OpenVPN 2.7.1 mipsel-openwrt-linux-gnu [SSL (mbed TLS)] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
library versions: mbed TLS 3.6.6
DCO version: 6.12.80 #0 SMP Tue Apr 14 09:52:35 2026
Originally developed by James Yonan
Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
root@ER605v2:~# uname -a
Linux ER605v2 6.12.80 #0 SMP Tue Apr 14 09:52:35 2026 mips GNU/Linux
root@ER605v2:~#

My ER605v2 + OpenVPN (mbedTLS) with DCO + CHACHA20-POLY1305

imagen395×130 9.74 KB

For comparison, can you run the same tests with --disable-dco added on server side? I am curious how much of an improvement DCO really is on such hardware.

Same test, same devices... with disable-dco enabled by server side

Result:

imagen510×134 10.1 KB

Enabling DCO once again

How did you get 2.7.1?

Thanks

snapshots.

Thank you.

Own build from master branch.