When you use the Internet, security is one of the most important considerations. The more of your online communication that is protected by encryption, the better. In the past, data encryption slowed processing down, and modern CPUs have since improved that speed. But we can do more. OpenVPN has just rolled out kernel-space VPN processing to improve speed for users through OpenVPN DCO.

What is kernel space?

The kernel is what is loaded when you turn on the computer (regardless of the operating system). It is the base layer beneath all other layers. Hardware forms the foundation, kernel space sits on top of it, and user space sits above that. At the top are the programs you use. The higher the level, the farther you are from the hardware and the slower your program runs. This becomes a challenge when you encrypt data. Exchanging data between these two layers (user space and kernel space) consumes processing power, which creates a bottleneck for OpenVPN's speed.

For user-space VPNs such as OpenVPN, encryption overhead and context switching limit the speed. In modern CPUs, the encryption overhead has been reduced through extensions such as Intel AES-NI, which in turn improves speed for OpenVPN users. However, the overhead of context switching still needs to be addressed. As personal and commercial network speeds increase and applications use more bandwidth, users want faster online communication, so the impact of this overhead becomes more obvious.

Subvert traditional wisdom: OpenVPN DCO

We now have OpenVPN Data Channel Offload (ovpn-dco for short). OpenVPN DCO is implemented as a Linux kernel module that handles the OpenVPN data channel. OpenVPN no longer passes data traffic back and forth between user space and kernel space for routing and encryption/decryption. Operations on the payload happen inside the Linux kernel to optimize performance. This reduces the latency and cost of transferring payloads between user space and kernel space.
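The per-packet user/kernel crossings that a user-space data channel pays for, and that DCO keeps inside the kernel, can be counted and timed with the following added example (not OpenVPN code). It assumes pipes as stand-ins for the tun device and the UDP socket, an XOR loop as a placeholder for the cipher, and a constructed packet size; `relay_userspace` is a hypothetical name.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define PKT 1400 /* assumed per-packet payload size (constructed value) */

/* Relay n packets the way a user-space VPN daemon does and return how many
 * user/kernel crossings (syscalls) the daemon itself made, or -1 on error.
 * Pipes stand in for the tun device and the UDP socket. */
long relay_userspace(int n, double *cpu_seconds)
{
    int tun[2], wire[2];
    unsigned char buf[PKT], sink[PKT];
    long crossings = 0;

    if (pipe(tun) != 0) return -1;
    if (pipe(wire) != 0) { close(tun[0]); close(tun[1]); return -1; }
    memset(buf, 0x41, sizeof buf);
    clock_t start = clock();
    for (int i = 0; i < n; i++) {
        /* Application traffic arrives on the tun side (not the daemon's work). */
        if (write(tun[1], buf, PKT) != PKT) { crossings = -1; break; }
        /* Crossing 1: copy the plaintext packet from the kernel into user space. */
        if (read(tun[0], buf, PKT) != PKT) { crossings = -1; break; }
        crossings++;
        /* Placeholder transform; a real data channel runs its cipher here. */
        for (int j = 0; j < PKT; j++) buf[j] ^= 0x5a;
        /* Crossing 2: copy the ciphertext back into the kernel for sending. */
        if (write(wire[1], buf, PKT) != PKT) { crossings = -1; break; }
        crossings++;
        /* Drain the "wire" so the pipe never fills. */
        if (read(wire[0], sink, PKT) != PKT) { crossings = -1; break; }
    }
    *cpu_seconds = (double)(clock() - start) / CLOCKS_PER_SEC;
    close(tun[0]); close(tun[1]); close(wire[0]); close(wire[1]);
    return crossings;
}

int main(void)
{
    double t;
    long c = relay_userspace(200000, &t);
    printf("crossings=%ld cpu=%.3fs (%.2f us per packet)\n", c, t, t * 1e6 / 200000);
    return c < 0;
}
```

The daemon makes two crossings for every packet regardless of how fast the cipher is, which is why AES-NI alone does not remove the bottleneck described above.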

In addition, encryption is now multithreaded. Multithreading is the process of dividing a task or job into smaller units and assigning them to different CPUs. What does this mean for end users? Much faster data transmission.

James Yonan, OpenVPN's Chief Technology Officer, talked about the importance of offloading. “Offloading is the Holy Grail of security and performance, because it allows us to embrace industry standard protocols such as SSL/TLS. Instead, the offload package handles kernel space or hardware, and we can promote the ultimate linear speed of performance.”

OpenVPN DCO moves the whole OpenVPN data channel into the kernel module, keeps the control channel outside the kernel, and continues to use the standard SSL/TLS protocol, including support for TLS 1.3 features.

Test speed

To give you an idea of the speed improvement, the following are the test results of the OpenVPN 2.6 DCO development version under three different configurations:

The following performance data are iperf3 test results from an AMD Threadripper 3970X system running Hyper-V as the hypervisor for the Linux and Windows client virtual machines. The cryptographic algorithm used is AES-256-GCM.

OpenVPN DCO availability

OpenVPN Cloud, our next-generation VPN, has launched DCO in production. We have seen an order-of-magnitude performance improvement on the server side, and we hope to see a similar improvement on the client side once ovpn-dco is widely used there.

This development is very exciting because eliminating this notorious bottleneck is not a lofty long-term goal: it has already been achieved.

OpenVPN3 Linux client beta.

ovpn-dco-win is currently a technical preview and will be officially released as part of version 2.6 in the fourth quarter of 2021.

A Linux OpenVPN server with the DCO module can achieve really impressive speeds. It is a technology preview, and developers are working on a wide release now.

OpenVPN believes in open source and fully supports it. The OpenVPN3 and OpenVPN Cloud developers will take advantage of these impressive new features and give them back to the community. We will release OpenVPN 2.6.0 in the fourth quarter of this year, including DCO support. As long as you are using the OpenVPN 2.6 development version, you can enjoy the large improvement in data transmission speed once you install the open source DCO module on the Windows or Linux platform. We will also integrate the Windows DCO module into a future version of OpenVPN Connect v3, so that all Windows users can benefit from the speed increase. When we introduce this feature in a future version of OpenVPN Access Server, OpenVPN Access Server will also benefit from the Linux DCO module.