
pfSense, VPN, OpenVPN

OpenVPN DCO at Netdev 0x16 in Lisbon, Portugal

Netgate is looking forward to Antonio Quartulli’s talk, “Pushing OpenVPN down the stack: Data Channel Offload (DCO),” at Netdev 0x16 in Lisbon, Portugal. OpenVPN DCO is the fastest VPN technology in pfSense Plus. Data Channel Offload improves performance when processing encrypted OpenVPN traffic by reducing the number of context switches per packet: most data-handling work stays in the kernel instead of crossing repeatedly between kernel and user space for encryption and packet handling. Quartulli and OpenVPN have been working on this project for the past two years with the aim of including DCO in the Linux kernel.

We covered user space vs. kernel space in a previous post; here is a quick review of the concept. Kernel space is code and memory running with direct access to the processor and memory; the kernel is responsible for servicing calls from user-space processes and for allotting processor time and memory access. User space is where the applications you regularly interact with run. When an application needs a file on a USB drive, it asks the kernel for that file, and each such request requires a context switch between user space and kernel space.

Netgate worked with OpenVPN to develop and integrate support for OpenVPN Data Channel Offload (DCO) into FreeBSD and pfSense® Plus software version 22.05 and later. By handling data in the kernel, Data Channel Offload reduces the repeated context switching between kernel and user space for encryption and packet handling, saving processor time and improving throughput. Operating in kernel space also opens the door to hardware encryption offload support in the kernel and to multi-threaded encryption.

OpenVPN DCO in pfSense Plus is enabled as a per-tunnel option. It is not turned on automatically for new or upgraded tunnels, and existing tunnels continue to function as they have in the past.
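Because DCO is a per-tunnel setting, an operator who has several OpenVPN instances on one firewall usually wants to confirm which of them actually came up with offload active rather than trusting that the option was ticked. The following script is an added example, not code from Netgate, pfSense or the OpenVPN project: it classifies OpenVPN startup log excerpts per tunnel. The `openvpn[<name>]:` prefix is an invented tag used only to keep the sample lines apart, the log lines themselves are constructed, and the message patterns (`DCO version:`, the "data channel offload" notes, the `[DCO]` build flag) are assumptions about OpenVPN 2.6 output that should be checked against the messages your own logs contain.

```python
import re
from typing import Dict, List

# Constructed sample: startup log excerpts for three hypothetical OpenVPN
# instances.  The "openvpn[server1]:" prefix is an invented tag, not the real
# pfSense log format, and the message texts are assumed OpenVPN 2.6 wording.
SAMPLE_LOG = """\
openvpn[server1]: OpenVPN 2.6.0 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [DCO]
openvpn[server1]: DCO version: FreeBSD 14.0
openvpn[server1]: Initialization Sequence Completed
openvpn[client1]: OpenVPN 2.6.0 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4] [DCO]
openvpn[client1]: Note: --disable-dco option set, data channel offload disabled
openvpn[client1]: Initialization Sequence Completed
openvpn[server2]: OpenVPN 2.6.0 amd64-portbld-freebsd14.0 [SSL (OpenSSL)] [LZO] [LZ4]
openvpn[server2]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
openvpn[server2]: Initialization Sequence Completed
"""

# Invented line layout: "<tag>[<tunnel>]: <message>".
LINE_RE = re.compile(r"^openvpn\[(?P<tunnel>[^\]]+)\]: (?P<msg>.*)$")

# Assumed OpenVPN 2.6 markers.  "[DCO]" in the version banner only says the
# binary was BUILT with offload support; "DCO version:" is logged when a
# tunnel actually attaches to the kernel module.
BUILD_HAS_DCO_RE = re.compile(r"^OpenVPN \d.*\[DCO\]")
DCO_ACTIVE_RE = re.compile(r"^DCO version: ")
DCO_DISABLED_RE = re.compile(r"data channel offload", re.IGNORECASE)
INIT_DONE = "Initialization Sequence Completed"


def classify_tunnels(log_text: str) -> Dict[str, dict]:
    """Return, per tunnel, whether the binary supports DCO and whether this
    tunnel came up with offload active, plus the log line that decided it."""
    result: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not one of the tagged OpenVPN lines
        tunnel, msg = m.group("tunnel"), m.group("msg")
        state = result.setdefault(
            tunnel, {"binary_has_dco": False, "dco_active": None, "reason": ""}
        )
        if BUILD_HAS_DCO_RE.match(msg):
            state["binary_has_dco"] = True
        elif DCO_ACTIVE_RE.match(msg):
            state["dco_active"] = True
            state["reason"] = msg
        elif DCO_DISABLED_RE.search(msg) and "disabl" in msg.lower():
            state["dco_active"] = False
            state["reason"] = msg
        elif msg == INIT_DONE and state["dco_active"] is None:
            # Tunnel finished initialising without any DCO message at all:
            # treat it as running the classic user-space data path.
            state["dco_active"] = False
            state["reason"] = "no DCO status message before initialization"
    return result


def tunnels_without_dco(log_text: str) -> List[str]:
    """Sorted names of tunnels that are NOT using Data Channel Offload."""
    return sorted(
        name for name, s in classify_tunnels(log_text).items()
        if s["dco_active"] is not True
    )


if __name__ == "__main__":
    for name, s in sorted(classify_tunnels(SAMPLE_LOG).items()):
        flag = "DCO active" if s["dco_active"] else "user-space data path"
        built = "built with DCO" if s["binary_has_dco"] else "built without DCO"
        print(f"{name:<8} {flag:<22} ({built}) - {s['reason']}")
```

The distinction the script draws is the one worth auditing: a binary that reports `[DCO]` can still run a given tunnel in user space, either because the option was not enabled for that tunnel or because the kernel side was unavailable, and only a per-tunnel confirmation tells you which data path the traffic is actually taking.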

By contrast, TNSR leverages Vector Packet Processing (VPP) integrated with the Data Plane Development Kit (DPDK), which does its processing in user space. VPP, an open-source Linux Foundation project, performs packet processing in user space instead of kernel space. DPDK/VPP speeds up packet processing by grabbing multiple packets and processing them as a group (a vector), which reduces context switching and improves measurable throughput.

By keeping data in kernel space, OpenVPN DCO offers significant speed improvements to OpenVPN because it no longer needs to switch between user space and kernel space for each packet. We look forward to learning about the gains in speed and feature set that Quartulli and the OpenVPN community have made since its inclusion in OpenVPN 2.6.0 in 2021.