DCO (data channel offload) offering

Suggestions/comments/criticisms are welcome here

johnpi

Posts: 1
Joined: Wed Jun 22, 2022 4:20 am

Post by johnpi » Wed Jun 22, 2022 4:27 am
Once OpenVPN 2.6.0 stable version is released, will Viscosity make available an option to enable DCO for the client?
Why I ask is because it's soon to be released with my OpenVPN server once 2.6.0 is released, and it looks very beneficial in efficiency.
"OpenVPN DCO allows for huge performance gains when processing encrypted OpenVPN data by reducing the amount of context switching that happens for each packet."

ref: https://openvpn.net/blog/openvpn-data-channel-offload/

Thanks,
John

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Jun 24, 2022 9:15 am
Hi John,

We have no current plans to adopt the DCO driver. While that may change in the future, for now we don't feel it'll offer a major benefit to Viscosity users. There are a number of reasons behind this:

- It's not possible to implement DCO on macOS. Apple have deprecated "kernel extensions" and replaced them with "system extensions". System extensions run in user-space, offering no performance benefit from having a user-space process do the work.
- Viscosity's Windows driver already outperforms the OpenVPN TAP driver in performance and is capable of saturating almost all client-side network connections.
- Much of the performance gain is reportedly from multithreading the encryption/decryption, rather than from it being in-kernel. We're looking into whether we can introduce this multithreading into the OpenVPN implementation itself without the need of a dedicated driver (which would benefit both macOS and Windows versions).
- DCO is primarily of benefit on the OpenVPN server. You'll still be able to connect to servers using the DCO driver/module without needing to also be using the DCO driver client-side.
- DCO's cipher support is limited to a very small number of available ciphers, which raises tricky issues when Viscosity needs to load a network driver to use (as it may not know in advance which ciphers can be used).

As mentioned above, we try not to lock ourselves into decisions and this may change in the future.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs