[thirdparty/openvpn.git] / README.dco.md

OpenVPN data channel offload
============================
2.6.0+ implements support for data-channel offloading where the data packets
are directly processed and forwarded in kernel space thanks to the ovpn-dco
kernel module. The userspace openvpn program acts purely as a control plane
application.


Overview of current release
---------------------------
- See the "Limitations by design" and "Current limitations" sections for
  features that are not and/or will not be supported by OpenVPN + ovpn-dco.


Getting started (Linux)
-----------------------
- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with
  ovpn-dco.

Get the ovpn-dco module from one these urls and build it:

* https://gitlab.com/openvpn/ovpn-dco
* https://github.com/OpenVPN/ovpn-dco

e.g.

    git clone https://github.com/OpenVPN/ovpn-dco
    cd ovpn-dco
    make
    sudo make install

If you want to report bugs please ensure to compile ovpn-dco with
`make DEBUG=1` and include any debug message being printed by the
kernel (you can view those messages with `dmesg`).

Clone and build OpenVPN (or use OpenVPN 2.6+). For example:

    git clone https://github.com/openvpn/openvpn.git
    cd openvpn
    autoreconf -vi
    ./configure --enable-dco
    make
    sudo make install # Or just run src/openvpn/openvpn

When starting openvpn it will automatically detect DCO support and use the
kernel module. Add the option `--disable-dco` to disable data channel offload
support. If the configuration contains an option that is incompatible with
data channel offloading, OpenVPN will automatically disable DCO support and
warn the user.

Should OpenVPN be configured to use a feature that is not supported by ovpn-dco
or should the ovpn-dco kernel module not be available on the system, you will
see a message like

    Note: Kernel support for ovpn-dco missing, disabling data channel offload.

in your log.


Getting started (Windows)
-------------------------
Official releases published at https://openvpn.net/community-downloads/
include ovpn-dco-win driver since 2.6.0.

There are also snapshot releases available at
https://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ .
This installer contains the latest OpenVPN code and the ovpn-dco-win driver.


DCO and P2P mode
----------------
DCO is also available when running OpenVPN in P2P mode without `--pull` /
`--client` option. P2P mode is useful for scenarios when the OpenVPN tunnel
should not interfere with overall routing and behave more like a "dumb" tunnel,
like GRE.

However, DCO requires DATA_V2 to be enabled, which is available for P2P mode
only in OpenVPN 2.6 and later.

OpenVPN prints a diagnostic message for the P2P NCP result when running in P2P
mode:

    P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM

Double check that you have `DATA_v2=1` in your output and a supported AEAD
cipher (AES-XXX-GCM or CHACHA20POLY1305).


Routing with ovpn-dco
---------------------
The ovpn-dco kernel module implements a more transparent approach to
configuring routes to clients (aka "iroutes") and consults the main kernel
routing tables for forwarding decisions.

- Each client has a VPN IPv4 and/or a VPN IPv6 assigned to it;
- additional IP ranges can be routed to a client by adding a route with
  a client VPN IP as the gateway/nexthop (i.e. ip route add a.b.c.d/24 via
  $VPNIP);
- due to the point above, there is no real need to add a companion `--route` for
  each `--iroute` directive, unless you want to blackhole traffic when the
  specific client is not connected;
- no internal routing is available. If you need truly internal routes, this can
  be achieved either with filtering using `iptables` or using `ip rule`;
- client-to-client behaviour, as implemented in userspace, does not exist:
  packets always reach the tunnel interface and are then re-routed to the
  destination peer based on the system routing table.


Limitations by design
----------------------
- Layer 3 (dev tun) only;
- only the following AEAD ciphers are currently supported: Chacha20-Poly1305
  and AES-GCM-128/192/256;
- no support for compression or compression framing:
  - see also the `--compress migrate` option to move to a setup without
    compression;
- various features not implemented since they have better replacements:
  - `--shaper`, use tc instead;
  - packet manipulation, use nftables/iptables instead;
- OpenVPN 2.4.0 is the minimum version required for peers to connect:
  - older versions are missing support for the AEAD ciphers;
- topology subnet is the only supported `--topology` for servers;
- iroute directives install routes on the host operating system, see also
  Routing with ovpn-dco;
- (ovpn-dco-win) client and p2p mode only;
- (ovpn-dco-win) Chacha20-Poly1305 support available starting with Windows 11.


Current implementation limitations
-------------------
- `--persist-tun` not tested;
- IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work;
- some incompatible options may not properly fallback to non-dco;
- no per client statistics. Only total statistics available on the interface.
Commit	Line	Data
fba724e3 AQ	1	OpenVPN data channel offload
	2	============================
	3	2.6.0+ implements support for data-channel offloading where the data packets
	4	are directly processed and forwarded in kernel space thanks to the ovpn-dco
	5	kernel module. The userspace openvpn program acts purely as a control plane
	6	application.
	7
	8
	9	Overview of current release
	10	---------------------------
	11	- See the "Limitations by design" and "Current limitations" sections for
	12	features that are not and/or will not be supported by OpenVPN + ovpn-dco.
	13
	14
	15	Getting started (Linux)
	16	-----------------------
	17	- Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with
	18	ovpn-dco.
	19
	20	Get the ovpn-dco module from one these urls and build it:
	21
	22	* https://gitlab.com/openvpn/ovpn-dco
	23	* https://github.com/OpenVPN/ovpn-dco
	24
	25	e.g.
	26
	27	git clone https://github.com/OpenVPN/ovpn-dco
	28	cd ovpn-dco
	29	make
	30	sudo make install
	31
	32	If you want to report bugs please ensure to compile ovpn-dco with
	33	`make DEBUG=1` and include any debug message being printed by the
	34	kernel (you can view those messages with `dmesg`).
	35
	36	Clone and build OpenVPN (or use OpenVPN 2.6+). For example:
	37
	38	git clone https://github.com/openvpn/openvpn.git
	39	cd openvpn
	40	autoreconf -vi
	41	./configure --enable-dco
	42	make
	43	sudo make install # Or just run src/openvpn/openvpn
	44
	45	When starting openvpn it will automatically detect DCO support and use the
	46	kernel module. Add the option `--disable-dco` to disable data channel offload
	47	support. If the configuration contains an option that is incompatible with
	48	data channel offloading, OpenVPN will automatically disable DCO support and
	49	warn the user.
	50
	51	Should OpenVPN be configured to use a feature that is not supported by ovpn-dco
	52	or should the ovpn-dco kernel module not be available on the system, you will
	53	see a message like
	54
	55	Note: Kernel support for ovpn-dco missing, disabling data channel offload.
	56
	57	in your log.
	58
	59
a8b00c90 AQ	60	Getting started (Windows)
a8b00c90 AQ	61	-------------------------
53055fd2 FL	62	Official releases published at https://openvpn.net/community-downloads/
	63	include ovpn-dco-win driver since 2.6.0.
	64
	65	There are also snapshot releases available at
	66	https://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ .
a8b00c90 AQ	67	This installer contains the latest OpenVPN code and the ovpn-dco-win driver.
	68
	69
fba724e3 AQ	70	DCO and P2P mode
	71	----------------
	72	DCO is also available when running OpenVPN in P2P mode without `--pull` /
	73	`--client` option. P2P mode is useful for scenarios when the OpenVPN tunnel
	74	should not interfere with overall routing and behave more like a "dumb" tunnel,
	75	like GRE.
	76
	77	However, DCO requires DATA_V2 to be enabled, which is available for P2P mode
	78	only in OpenVPN 2.6 and later.
	79
	80	OpenVPN prints a diagnostic message for the P2P NCP result when running in P2P
	81	mode:
	82
	83	P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM
	84
	85	Double check that you have `DATA_v2=1` in your output and a supported AEAD
	86	cipher (AES-XXX-GCM or CHACHA20POLY1305).
	87
	88
	89	Routing with ovpn-dco
	90	---------------------
	91	The ovpn-dco kernel module implements a more transparent approach to
	92	configuring routes to clients (aka "iroutes") and consults the main kernel
	93	routing tables for forwarding decisions.
	94
	95	- Each client has a VPN IPv4 and/or a VPN IPv6 assigned to it;
	96	- additional IP ranges can be routed to a client by adding a route with
	97	a client VPN IP as the gateway/nexthop (i.e. ip route add a.b.c.d/24 via
	98	$VPNIP);
	99	- due to the point above, there is no real need to add a companion `--route` for
	100	each `--iroute` directive, unless you want to blackhole traffic when the
	101	specific client is not connected;
	102	- no internal routing is available. If you need truly internal routes, this can
	103	be achieved either with filtering using `iptables` or using `ip rule`;
	104	- client-to-client behaviour, as implemented in userspace, does not exist:
	105	packets always reach the tunnel interface and are then re-routed to the
	106	destination peer based on the system routing table.
	107
	108
	109	Limitations by design
	110	----------------------
	111	- Layer 3 (dev tun) only;
	112	- only the following AEAD ciphers are currently supported: Chacha20-Poly1305
	113	and AES-GCM-128/192/256;
	114	- no support for compression or compression framing:
	115	- see also the `--compress migrate` option to move to a setup without
	116	compression;
	117	- various features not implemented since they have better replacements:
	118	- `--shaper`, use tc instead;
	119	- packet manipulation, use nftables/iptables instead;
	120	- OpenVPN 2.4.0 is the minimum version required for peers to connect:
	121	- older versions are missing support for the AEAD ciphers;
	122	- topology subnet is the only supported `--topology` for servers;
	123	- iroute directives install routes on the host operating system, see also
a8b00c90 AQ	124	Routing with ovpn-dco;
	125	- (ovpn-dco-win) client and p2p mode only;
	126	- (ovpn-dco-win) Chacha20-Poly1305 support available starting with Windows 11.
fba724e3 AQ	127
	128
	129	Current implementation limitations
	130	-------------------
	131	- `--persist-tun` not tested;
	132	- IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work;
	133	- some incompatible options may not properly fallback to non-dco;
	134	- no per client statistics. Only total statistics available on the interface.