Page MenuHomeVyOS Platform
Create Task
Maniphest T4974

OpenVPN- Data Channel Offload(DCO)
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

ovpn-dco is essentially a device driver that allows creating a virtual network interface to handle the OpenVPN data channel.et. DCO accomplishes this by keeping most of the data handling tasks in the kernel rather than repeatedly switching between kernel and user space for encryption and packet handling, also, it adds support for multi-threaded encryption, allowing for even more performance gains.

https://community.openvpn.net/openvpn/wiki/DataChannelOffload

this new type of tunnel requires a compiled kernel module, it can work with openvpn tunnels or uses the new ones. below I share the official repository :

https://github.com/OpenVPN/ovpn-dco

i've tested it on debian 11 with this kernel module 5.10.0-16-amd64 :

openvpn --version
OpenVPN 2.6.0 [git:release/2.6/680ba43355f6d9e4] x86_64-pc-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Feb  1 2023
library versions: OpenSSL 1.1.1n  15 Mar 2022
Originally developed by James Yonan
Copyright (C) 2002-2023 OpenVPN Inc <[email protected]>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_debug=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=no enable_lzo=no enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

here's an introduction and extra repository , that are necessary:

https://github.com/purum-pum-pum/openvpn-DCO-conf

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

fernando created this task.Feb 1 2023, 7:14 PM
Viacheslav added a subscriber: Viacheslav.Feb 1 2023, 7:58 PM

There are some limitations

In particular, this is a list (may not be complete) of features that are not available when using ovpn-dco:

ciphers other than AES-GCM and CHACHA20-POLY1305;
due to the above, when using ovpn-dco peers must use OpenVPN 2.4 or greater (AEAD ciphers are not supported in earlier versions);
compression or compression framing;
fragmentation;
TAP/Ethernet mode;
topologies other than subnet;
traffic shaping or any other sort of data packets manipulation (system tools should be used when available).
pasik added a subscriber: pasik.Feb 1 2023, 9:09 PM
fernando added a comment.EditedFeb 1 2023, 9:30 PM

pfsense implements it , however , they explain that it has some limitations :

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html

ordex added a subscriber: ordex.Feb 4 2023, 3:54 PM

when an incompatible option is found, OpenVPN will simply disable DCO and go back to tun (this info will be logged). Therefore the limitations should not be a reason for not including DCO in VyOS.

This said I am developing ovpn-dco and I am also a VyOS user :) so I’d be more than happy to test.

Viacheslav added a subscriber: c-po.Feb 5 2023, 9:54 AM

@c-po @ordex Do you know how to integrate sources with our build system?

ordex added a comment.Feb 5 2023, 9:42 PM

@Viacheslav unfortunately I am not too familiar with your build system, but basically you need to clone the ovpn-dco repository (https://github.com/OpenVPN/ovpn-dco.git) and compile it against your kernel, as you would normally do for any other out-of-tree kernel module.

The next step is to pass the --enable-dco flag to the configure script when building OpenVPN. Future versions will not require this step as we are enabling dco by default, but for now you need it.

sarthurdev mentioned this in T5003: Upgrade base system to Debian 12 "Bookworm".Feb 13 2023, 12:41 AM
fernando added a comment.Feb 23 2023, 3:16 PM

@ordex nice your reply here , we're planning to introduce it in our last upgrade version( we need to upgrade openvpn version to work with opvn-dco ) , Di you try it on Debian 12? My current environment was over Debian 11, if you have any suggestion it will good to know.

here's the reference pkg :

https://vyos.dev/T5003

ordex added a comment.Feb 23 2023, 3:21 PM

Hey @fernando thanks for your comment.
Personally I haven't tried openvpn2.6.0 + ovpn-dco on Debian 12 yet. However, there should be no real difference as ovpn-dco can happily run up to linux-6.1/6.2 as well.

If you do sooner than me, please fell free to share any finding, I'd be more than happy to assist in case of issues.

spion06 added a subscriber: spion06.Apr 28 2023, 12:39 AM

I made an attempt at integrating openvpn-dco into the build here https://github.com/spion06/vyos-build/tree/ovpn-dco. This works fine for me in my testing so far. The kernel module loaded, verified in the logs that it detected and used the dco tunnel. I'm not super familiar with the build system or what else would need to be done for contributing this. I'm just and end-user who would like to see this feature :)

fernando added subscribers: syncer, dmbaturin.EditedMay 6 2023, 5:07 PM

thanks for the contribution , I've done some test , it seems to work like a champ . @dmbaturin @c-po this script to do the steps necessary to compile the kernel module to use ovpn-dco . Could you check if it's correct or something needs to be improved :

https://github.com/spion06/vyos-build/commit/7c6940b4aa501051a3b7ab72aeda47dd03847c30#diff-c7a443a8e7649d92d66cca482cd6b143cd0bed3a2269dc3df9bc5c1b8895c947

it works as expected , download and compile with our kernel version/openvpn version :

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
100 69866    0 69866    0     0  37745      0 --:--:--  0:00:01 --:--:-- 37745
I: Compile Kernel module for ovpn-dco driver
/vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/gen-compat-autoconf.sh /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/compat-autoconf.h
make -C /vyos/packages/linux-kernel/linux M=/vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206 PWD=/vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206 REVISION=0.1.20230206 CONFIG_OVPN_DCO=m INSTALL_MOD_DIR=updates/	modules
make[1]: Entering directory '/vyos/packages/linux-kernel/linux'
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/bind.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/main.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/crypto.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/ovpn.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/peer.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/sock.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/stats.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/netlink.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/crypto_aead.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/pktid.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/tcp.o
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/udp.o
  LD [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/ovpn-dco.o
  MODPOST /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/Module.symvers
  CC [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/ovpn-dco.mod.o
  LD [M]  /vyos/packages/linux-kernel/ovpn-dco-v0.1.20230206/drivers/net/ovpn-dco/ovpn-dco.ko
make[1]: Leaving directory '/vyos/packages/linux-kernel/linux'
I: Building Debian package vyos-kmod-ovpn-dco
Created package {:path=>"vyos-kmod-ovpn-dco_0.1.20230206-0_amd64.deb"}
I: Cleanup ovpn-dco source

files :

vyos_bld@2098eff8a640:/vyos/packages/linux-kernel$ ls | grep dco
build-openvpn-dco.sh
vyos-kmod-ovpn-dco_0.1.20230206-0_amd64.deb

#bluid with those pkg: 
P: Begin unmounting /sys...
[2023-05-06 16:43:12] lb chroot_selinuxfs remove
[2023-05-06 16:43:12] lb chroot_proc remove
P: Begin unmounting /proc...
[2023-05-06 16:43:12] lb chroot_devpts remove
P: Begin unmounting /dev/pts...
P: Binary stage completed
P: Begin unmounting filesystems...
P: Saving caches...
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
[2023-05-06 16:43:12] lb source

also if it's necessary we can add a option in our CLI to OpenVPN will simply disable @syncer

c-po claimed this task.Jun 8 2023, 2:31 PM
c-po added a comment.EditedJul 16 2023, 7:59 PM
[ 4065.850013] ovpn_dco_v2: loading out-of-tree module taints kernel.
[ 4065.852874] OpenVPN data channel offload (ovpn-dco) 0.2.20230426 -- (C) 2020-2023 OpenVPN, Inc

Kernel module will be available in rolling releases starting 2023-07-17. No CLI config (yet)

fernando added a comment.Jul 19 2023, 6:20 PM

@c-po thanks for compiled the kernel module and @spion06 for your contribution script , now we've DCO rolling releases starting on 1.4-rolling-202307190317

vyos@open-dco-1:~$ sudo openvpn --version
OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
DCO version: 0.2.20230426
Originally developed by James Yonan

vyos@open-dco-1:~$ show version
Version:          VyOS 1.4-rolling-202307190317
Release train:    current

Built by:         [email protected]
Built on:         Wed 19 Jul 2023 03:17 UTC
Build UUID:       53f4c806-cc4f-458e-94a8-459e1de0ac6c
Build commit ID:  fe533f7605c794

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    f43fe103-46a7-4915-babd-f43c46f8d462

Copyright:        VyOS maintainers and contributor

Jul 19 17:40:19 open-dco-1 kernel: OpenVPN data channel offload (ovpn-dco) 0.2.20230426 -- (C) 2020-2023 OpenVPN, Inc.
Jul 19 17:40:19 open-dco-1 openvpn-vtun10[1875]: OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Jul 19 17:40:19 open-dco-1 openvpn-vtun10[1875]: library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
Jul 19 17:40:19 open-dco-1 openvpn-vtun10[1875]: DCO version: 0.2.20230426
Jul 19 17:40:19 open-dco-1 openvpn-vtun10[1875]: MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn-mgmt-intfs

vyos@open-dco-1:~$ sudo  ip -d link show dev vtun10
6: vtun10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0  allmulti 0 minmtu 68 maxmtu 65463
    ovpn-dco addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 tso_max_size 65536 tso_max_segs 65535 gro_max_size 65536

regarding the cli , we should disable it by default (in our openvpn version is enabled by default) because it has some limitations . I will update our documentation : https://community.openvpn.net/openvpn/wiki/DataChannelOffload/Features

fernando changed the task status from Open to Needs testing.Jul 19 2023, 6:20 PM
fernando added a comment.Jul 21 2023, 9:49 PM

PR : https://github.com/vyos/vyos-1x/pull/2107/commits

Apachez added a subscriber: Apachez.Jul 22 2023, 11:47 PM

Out of the blue I think its a bad thing to throw stuff into the kernelmode for the fun of it.

Arguing that pfsense did this isnt really a valid argument.

Debian seems to have this as a loadable DKMS module so it can made optional if one want to sacrifice security over openvpn performance.

If the security have been vetted of this driver then I would expect it to show up in the vanilla kernel.

Which means if it havent there might be some security or quality considerations for why its still absent from the vanilla kernel.

I found this RFC thread from last year but it doesnt seem to have been approved (yet): https://lore.kernel.org/lkml/[email protected]/T/

syncer triaged this task as Normal priority.Jul 22 2023, 11:50 PM
c-po added a comment.Jul 25 2023, 9:15 PM

We probably wan't to load/unload the Kernel Module given what the user want's to do

c-po closed this task as Resolved.Jul 26 2023, 9:14 PM
c-po added a comment.Jul 27 2023, 9:23 AM

CLI adjusted to:

set interfaces openvpn <name> offload dco to match Ethernet interface offload style

c-po added a comment.Jul 27 2023, 9:26 AM

From the VyOS documentation and https://community.openvpn.net/openvpn/wiki/DataChannelOffload

image.png (490×895 px, 64 KB)