ovpn-dco, a kernel module to speed up OpenVPN performance

A few days ago the OpenVPN developers announced that they have introduced a kernel module called "ovpn-dco" whose main task is to significantly accelerate VPN performance.

Although the module is still being developed in the linux-next branch and is considered experimental, it has already reached a level of stability that makes it possible to run OpenVPN on top of it.

Compared to the tun interface-based configuration, using the module on both the client and server side with AES-256-GCM encryption yielded an 8-fold increase in throughput (from 370 Mbit/s to 2950 Mbit/s).

When the module is used only on the client side, throughput triples for outbound traffic and is unchanged for inbound traffic. When it is used only on the server side, throughput quadruples for inbound traffic and rises by 35% for outbound traffic.

Security is one of the most important things to consider when online. The stronger the encryption protecting your online communications, the better. In the past, data encryption slowed down computation, something modern CPUs have improved on. But more can be done. OpenVPN has just introduced a new development that will increase speed for its users by running the data channel in kernel space: OpenVPN Data Channel Offload (DCO).

Acceleration is achieved by moving all crypto operations, packet processing and channel management into the Linux kernel, eliminating the overhead associated with context switches. This makes it possible to optimize the work by directly accessing internal kernel APIs and removes the slow transfer of data between the kernel and user space. (The module performs encryption, decryption and routing without handing traffic to a controller in user space.)

Note that the negative impact on VPN performance is mainly due to resource-intensive encryption operations and the delays caused by context switches. Processor extensions such as Intel AES-NI were already used to speed up encryption, but context switches remained a bottleneck before ovpn-dco.

In addition to using the processor's instructions to speed up encryption, the ovpn-dco module also splits encryption operations into separate segments and processes them in multithreaded mode, which makes it possible to use all available CPU cores.

For a user-space VPN like OpenVPN, encryption overhead and context switches limit speeds. With modern CPUs, encryption overhead has been reduced through extensions like Intel AES-NI, which in turn improves speeds for OpenVPN users.

But the overhead of context switches still needs to be addressed. As personal and business Internet speeds increase and applications use more bandwidth, users expect faster online communications, so the impact of these overheads has become more noticeable.

Among the current limitations of the implementation, which are expected to be removed in the future, only the AEAD and 'none' (unauthenticated) modes are supported, and only the AES-GCM and CHACHA20POLY1305 ciphers.
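To make that cipher limitation concrete, here is an added Python check (not OpenVPN project code) that scans the data-channel cipher options of an OpenVPN config and flags any cipher that would keep the data channel on the user-space tun path; it assumes every AES-GCM key size is acceptable to the module, and the sample configs are constructed.

```python
"""Check an OpenVPN config for ovpn-dco data-channel cipher compatibility.

Added example, not OpenVPN project code. Per the article, the kernel module only
handles the AEAD ciphers AES-GCM and CHACHA20-POLY1305 (plus 'none'); any other
cipher the config allows keeps the data channel on the user-space tun path.
"""
import re
from typing import List, Tuple

# Ciphers the article names as supported by ovpn-dco (assumption: all AES-GCM
# key sizes qualify). Names are compared case-insensitively.
DCO_CIPHER_RE = re.compile(r"^(AES-(128|192|256)-GCM|CHACHA20-POLY1305|none)$", re.I)

def parse_data_ciphers(config_text: str) -> List[str]:
    """Return every data-channel cipher the config would allow: 'data-ciphers'
    (old alias 'ncp-ciphers') is colon-separated, a bare 'cipher' line adds
    one fallback cipher, and comment lines are skipped."""
    ciphers: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] in ("data-ciphers", "ncp-ciphers") and len(parts) > 1:
            ciphers.extend(c for c in parts[1].split(":") if c)
        elif parts[0] == "cipher" and len(parts) > 1:
            ciphers.append(parts[1])
    return ciphers

def dco_compatible(config_text: str) -> Tuple[bool, List[str]]:
    """Return (eligible, offending_ciphers) for one OpenVPN config string."""
    bad = [c for c in parse_data_ciphers(config_text) if not DCO_CIPHER_RE.match(c)]
    return (not bad, bad)

# Constructed sample configs, not taken from the article.
GOOD_CONF = "dev tun\nproto udp\ndata-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n"
BAD_CONF = (
    "dev tun\n"
    "# legacy CBC fallback keeps the data channel in user space\n"
    "data-ciphers AES-256-GCM:AES-256-CBC\n"
    "cipher BF-CBC\n"
)

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        ok, bad = dco_compatible(conf)
        print(name, "DCO-eligible" if ok else "falls back to tun, offending: " + ", ".join(bad))
```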

It is also mentioned that DCO support is planned for the OpenVPN 2.6 release, scheduled for the fourth quarter of this year. Currently, the module supports the OpenVPN 3 Linux client open beta and the experimental builds of the OpenVPN server for Linux. A similar module, ovpn-dco-win, is also being developed for the Windows kernel.

Finally, if you are interested in learning more about this, you can check the details at the following link.

