]>
Commit | Line | Data |
---|---|---|
fba724e3 AQ |
1 | OpenVPN data channel offload |
2 | ============================ | |
3 | 2.6.0+ implements support for data-channel offloading where the data packets | |
4 | are directly processed and forwarded in kernel space thanks to the ovpn-dco | |
5 | kernel module. The userspace openvpn program acts purely as a control plane | |
6 | application. | |
7 | ||
8 | ||
9 | Overview of current release | |
10 | --------------------------- | |
11 | - See the "Limitations by design" and "Current limitations" sections for | |
12 | features that are not and/or will not be supported by OpenVPN + ovpn-dco. | |
13 | ||
14 | ||
15 | Getting started (Linux) | |
16 | ----------------------- | |
17 | - Use a recent Linux kernel. Linux 5.4.0 and newer are known to work with | |
18 | ovpn-dco. | |
19 | ||
20 | Get the ovpn-dco module from one these urls and build it: | |
21 | ||
22 | * https://gitlab.com/openvpn/ovpn-dco | |
23 | * https://github.com/OpenVPN/ovpn-dco | |
24 | ||
25 | e.g. | |
26 | ||
27 | git clone https://github.com/OpenVPN/ovpn-dco | |
28 | cd ovpn-dco | |
29 | make | |
30 | sudo make install | |
31 | ||
32 | If you want to report bugs please ensure to compile ovpn-dco with | |
33 | `make DEBUG=1` and include any debug message being printed by the | |
34 | kernel (you can view those messages with `dmesg`). | |
35 | ||
36 | Clone and build OpenVPN (or use OpenVPN 2.6+). For example: | |
37 | ||
38 | git clone https://github.com/openvpn/openvpn.git | |
39 | cd openvpn | |
40 | autoreconf -vi | |
41 | ./configure --enable-dco | |
42 | make | |
43 | sudo make install # Or just run src/openvpn/openvpn | |
44 | ||
45 | When starting openvpn it will automatically detect DCO support and use the | |
46 | kernel module. Add the option `--disable-dco` to disable data channel offload | |
47 | support. If the configuration contains an option that is incompatible with | |
48 | data channel offloading, OpenVPN will automatically disable DCO support and | |
49 | warn the user. | |
50 | ||
51 | Should OpenVPN be configured to use a feature that is not supported by ovpn-dco | |
52 | or should the ovpn-dco kernel module not be available on the system, you will | |
53 | see a message like | |
54 | ||
55 | Note: Kernel support for ovpn-dco missing, disabling data channel offload. | |
56 | ||
57 | in your log. | |
58 | ||
59 | ||
a8b00c90 AQ |
60 | Getting started (Windows) |
61 | ------------------------- | |
53055fd2 FL |
62 | Official releases published at https://openvpn.net/community-downloads/ |
63 | include ovpn-dco-win driver since 2.6.0. | |
64 | ||
65 | There are also snapshot releases available at | |
66 | https://build.openvpn.net/downloads/snapshots/github-actions/openvpn2/ . | |
a8b00c90 AQ |
67 | This installer contains the latest OpenVPN code and the ovpn-dco-win driver. |
68 | ||
69 | ||
fba724e3 AQ |
70 | DCO and P2P mode |
71 | ---------------- | |
72 | DCO is also available when running OpenVPN in P2P mode without `--pull` / | |
73 | `--client` option. P2P mode is useful for scenarios when the OpenVPN tunnel | |
74 | should not interfere with overall routing and behave more like a "dumb" tunnel, | |
75 | like GRE. | |
76 | ||
77 | However, DCO requires DATA_V2 to be enabled, which is available for P2P mode | |
78 | only in OpenVPN 2.6 and later. | |
79 | ||
80 | OpenVPN prints a diagnostic message for the P2P NCP result when running in P2P | |
81 | mode: | |
82 | ||
83 | P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 9484735, cipher=AES-256-GCM | |
84 | ||
85 | Double check that you have `DATA_v2=1` in your output and a supported AEAD | |
86 | cipher (AES-XXX-GCM or CHACHA20POLY1305). | |
87 | ||
88 | ||
89 | Routing with ovpn-dco | |
90 | --------------------- | |
91 | The ovpn-dco kernel module implements a more transparent approach to | |
92 | configuring routes to clients (aka "iroutes") and consults the main kernel | |
93 | routing tables for forwarding decisions. | |
94 | ||
95 | - Each client has a VPN IPv4 and/or a VPN IPv6 assigned to it; | |
96 | - additional IP ranges can be routed to a client by adding a route with | |
97 | a client VPN IP as the gateway/nexthop (i.e. ip route add a.b.c.d/24 via | |
98 | $VPNIP); | |
99 | - due to the point above, there is no real need to add a companion `--route` for | |
100 | each `--iroute` directive, unless you want to blackhole traffic when the | |
101 | specific client is not connected; | |
102 | - no internal routing is available. If you need truly internal routes, this can | |
103 | be achieved either with filtering using `iptables` or using `ip rule`; | |
104 | - client-to-client behaviour, as implemented in userspace, does not exist: | |
105 | packets always reach the tunnel interface and are then re-routed to the | |
106 | destination peer based on the system routing table. | |
107 | ||
108 | ||
109 | Limitations by design | |
110 | ---------------------- | |
111 | - Layer 3 (dev tun) only; | |
112 | - only the following AEAD ciphers are currently supported: Chacha20-Poly1305 | |
113 | and AES-GCM-128/192/256; | |
114 | - no support for compression or compression framing: | |
115 | - see also the `--compress migrate` option to move to a setup without | |
116 | compression; | |
117 | - various features not implemented since they have better replacements: | |
118 | - `--shaper`, use tc instead; | |
119 | - packet manipulation, use nftables/iptables instead; | |
120 | - OpenVPN 2.4.0 is the minimum version required for peers to connect: | |
121 | - older versions are missing support for the AEAD ciphers; | |
122 | - topology subnet is the only supported `--topology` for servers; | |
123 | - iroute directives install routes on the host operating system, see also | |
a8b00c90 AQ |
124 | Routing with ovpn-dco; |
125 | - (ovpn-dco-win) client and p2p mode only; | |
126 | - (ovpn-dco-win) Chacha20-Poly1305 support available starting with Windows 11. | |
fba724e3 AQ |
127 | |
128 | ||
129 | Current implementation limitations | |
130 | ------------------- | |
131 | - `--persist-tun` not tested; | |
132 | - IPv6 mapped IPv4 addresses need Linux 5.4.189+/5.10.110+/5.12+ to work; | |
133 | - some incompatible options may not properly fallback to non-dco; | |
134 | - no per client statistics. Only total statistics available on the interface. |