Support for OpenVPN DCO

Hi

I just wondered if support for OpenVPN DCO was in scope?

ping …

I have created a package pritunl-openvpn-dco-dkms that will be added to the unstable repositories after some more testing. It will also require an update to both the Pritunl server and client to add an option to enable DCO which will have the effect of removing some fallback ciphers that are added to support older OpenVPN clients. It also requires an update to the pritunl-openvpn package to enable DCO. This will only be made available on the following repositories.

almalinux-8
almalinux-9
almalinux-10
amazonlinux-2023
oraclelinux-8
oraclelinux-9
oraclelinux-10

The tests that I have done show about a 3x performance improvement. Although this is only the case when both the client and the server have DCO. WireGuard is slightly faster than OpenVPN DCO. I could only get a Linux DCO client to work with the pritunl-openvpn and pritunl-openvpn-dco-dkms packages. Even Fedora 42 with the ovpn kernel module does not have DCO working.

Edit: After additional testing OpenVPN DCO with CHACHA20-POLY1305 matches the performance of WireGuard.

Baseline Connection

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  9.37 GBytes  80.4 Gbits/sec  871   2.82 MBytes       
[  5]   1.00-2.00   sec  9.29 GBytes  79.8 Gbits/sec  196   3.14 MBytes       
[  5]   2.00-3.00   sec  9.61 GBytes  82.6 Gbits/sec  145   3.15 MBytes       
[  5]   3.00-4.00   sec  9.72 GBytes  83.6 Gbits/sec   15   3.16 MBytes       
[  5]   4.00-5.00   sec  8.65 GBytes  74.3 Gbits/sec  107   3.24 MBytes       
[  5]   5.00-6.00   sec  8.90 GBytes  76.3 Gbits/sec   65   3.24 MBytes       
[  5]   6.00-7.00   sec  9.16 GBytes  78.7 Gbits/sec  100   3.38 MBytes       
[  5]   7.00-8.00   sec  8.78 GBytes  75.4 Gbits/sec  173   3.47 MBytes       
[  5]   8.00-9.00   sec  8.02 GBytes  68.9 Gbits/sec   16   3.47 MBytes       
[  5]   9.00-10.00  sec  8.90 GBytes  76.4 Gbits/sec   36   3.54 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  90.4 GBytes  77.6 Gbits/sec  1724             sender
[  5]   0.00-10.00  sec  90.4 GBytes  77.6 Gbits/sec                  receiver

DCO Disabled Client + DCO Disabled Server (AES-128-GCM)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  89.4 MBytes   749 Mbits/sec  168    550 KBytes       
[  5]   1.00-2.00   sec  93.0 MBytes   780 Mbits/sec   23    661 KBytes       
[  5]   2.00-3.00   sec  93.8 MBytes   786 Mbits/sec   63    412 KBytes       
[  5]   3.00-4.00   sec  92.0 MBytes   772 Mbits/sec   23    466 KBytes       
[  5]   4.00-5.00   sec  87.1 MBytes   730 Mbits/sec   67    431 KBytes       
[  5]   5.00-6.00   sec  91.9 MBytes   771 Mbits/sec    1    563 KBytes       
[  5]   6.00-7.00   sec  91.8 MBytes   770 Mbits/sec   74    362 KBytes       
[  5]   7.00-8.00   sec  84.8 MBytes   711 Mbits/sec    0    510 KBytes       
[  5]   8.00-9.00   sec  89.4 MBytes   750 Mbits/sec   20    483 KBytes       
[  5]   9.00-10.00  sec  91.6 MBytes   768 Mbits/sec  135    460 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   905 MBytes   759 Mbits/sec  574             sender
[  5]   0.00-10.00  sec   901 MBytes   756 Mbits/sec                  receiver

DCO Disabled Client + DCO Enabled Server (AES-128-GCM)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  97.2 MBytes   815 Mbits/sec   31    609 KBytes       
[  5]   1.00-2.00   sec  88.6 MBytes   743 Mbits/sec    2    520 KBytes       
[  5]   2.00-3.00   sec  86.0 MBytes   721 Mbits/sec    3    625 KBytes       
[  5]   3.00-4.00   sec  92.2 MBytes   774 Mbits/sec    2    546 KBytes       
[  5]   4.00-5.00   sec  87.0 MBytes   730 Mbits/sec   14    641 KBytes       
[  5]   5.00-6.00   sec  89.2 MBytes   749 Mbits/sec    8    546 KBytes       
[  5]   6.00-7.00   sec  89.4 MBytes   750 Mbits/sec    0    656 KBytes       
[  5]   7.00-8.00   sec  83.5 MBytes   700 Mbits/sec    4    571 KBytes       
[  5]   8.00-9.00   sec  87.2 MBytes   732 Mbits/sec    3    470 KBytes       
[  5]   9.00-10.00  sec  88.9 MBytes   745 Mbits/sec    8    581 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   889 MBytes   746 Mbits/sec   75             sender
[  5]   0.00-10.01  sec   886 MBytes   743 Mbits/sec                  receiver

DCO Enabled Client + DCO Enabled Server (AES-128-GCM)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   241 MBytes  2.02 Gbits/sec   10    568 KBytes       
[  5]   1.00-2.00   sec   257 MBytes  2.16 Gbits/sec  122    761 KBytes       
[  5]   2.00-3.00   sec   317 MBytes  2.66 Gbits/sec    1    963 KBytes       
[  5]   3.00-4.00   sec   312 MBytes  2.61 Gbits/sec   22   1.07 MBytes       
[  5]   4.00-5.00   sec   305 MBytes  2.56 Gbits/sec    2   1.15 MBytes       
[  5]   5.00-6.00   sec   305 MBytes  2.56 Gbits/sec    0   1.15 MBytes       
[  5]   6.00-7.00   sec   308 MBytes  2.58 Gbits/sec    1   1.15 MBytes       
[  5]   7.00-8.00   sec   305 MBytes  2.56 Gbits/sec    2   1.15 MBytes       
[  5]   8.00-9.00   sec   304 MBytes  2.55 Gbits/sec    2   1.15 MBytes       
[  5]   9.00-10.00  sec   277 MBytes  2.32 Gbits/sec    5   1.15 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  2.86 GBytes  2.46 Gbits/sec  167             sender
[  5]   0.00-10.01  sec  2.86 GBytes  2.45 Gbits/sec                  receiver

DCO Enabled Client + DCO Enabled Server (CHACHA20-POLY1305)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   326 MBytes  2.73 Gbits/sec   47   1.03 MBytes       
[  5]   1.00-2.00   sec   328 MBytes  2.75 Gbits/sec   21   1.11 MBytes       
[  5]   2.00-3.00   sec   343 MBytes  2.87 Gbits/sec   30    636 KBytes       
[  5]   3.00-4.00   sec   343 MBytes  2.88 Gbits/sec   22   1.15 MBytes       
[  5]   4.00-5.00   sec   337 MBytes  2.83 Gbits/sec    0   1.15 MBytes       
[  5]   5.00-6.00   sec   338 MBytes  2.84 Gbits/sec    1   1.15 MBytes       
[  5]   6.00-7.00   sec   351 MBytes  2.95 Gbits/sec    3   1.15 MBytes       
[  5]   7.00-8.00   sec   314 MBytes  2.64 Gbits/sec   50   1.15 MBytes       
[  5]   8.00-9.00   sec   333 MBytes  2.80 Gbits/sec    0   1.15 MBytes       
[  5]   9.00-10.00  sec   341 MBytes  2.86 Gbits/sec    0   1.15 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  3.28 GBytes  2.82 Gbits/sec  174             sender
[  5]   0.00-10.00  sec  3.28 GBytes  2.81 Gbits/sec                  receiver

WireGuard

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   300 MBytes  2.51 Gbits/sec  165    691 KBytes       
[  5]   1.00-2.00   sec   329 MBytes  2.76 Gbits/sec    2    811 KBytes       
[  5]   2.00-3.00   sec   332 MBytes  2.78 Gbits/sec   36    858 KBytes       
[  5]   3.00-4.00   sec   352 MBytes  2.95 Gbits/sec    1    892 KBytes       
[  5]   4.00-5.00   sec   339 MBytes  2.84 Gbits/sec    1    912 KBytes       
[  5]   5.00-6.00   sec   359 MBytes  3.01 Gbits/sec    0    923 KBytes       
[  5]   6.00-7.00   sec   342 MBytes  2.87 Gbits/sec    1    938 KBytes       
[  5]   7.00-8.00   sec   340 MBytes  2.85 Gbits/sec    0    962 KBytes       
[  5]   8.00-9.00   sec   332 MBytes  2.78 Gbits/sec    0    986 KBytes       
[  5]   9.00-10.00  sec   341 MBytes  2.86 Gbits/sec    0    994 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  3.29 GBytes  2.82 Gbits/sec  206             sender
[  5]   0.00-10.00  sec  3.28 GBytes  2.82 Gbits/sec                  receiver

Wow! Can’t wait for this to be added in the stable repository!

That is a great improvement of the OpenVPN experience. I did not expect that “DCO Enabled Client + DCO Enabled Server (CHACHA20-POLY1305)” was so close to “WireGuard (CHACHA20-POLY1305)”; also the “DCO Enabled Client + DCO Enabled Server (AES-128-GCM)” is great. I think many will benefit from this, and the option to have similar performance on both OpenVPN and WireGuard.

Great work, and many thanks for sharing your results. This post is then also a great reference for the performance of Pritunl overall and that a single user can expect in an absolute best-case scenario.

For the sake of completion, what were the system specs used for the server and client? Are you willing to share that? :slightly_smiling_face:

Those tests were done between two virtual machines on the same server using an AMD Ryzen 9955HX. The tests were going from the iperf on the VPN client to iperf on the VPN server. Running iperf3 on the VPN server seemed to cause WireGuard to become single thread bound.

I did another test with 3 virtual machines with 8 virtual cores running on 3 different AMD EPYC 9124 physical servers and 20gb bonded networking. This tested iperf on the VPN client → switch → VPN server → switch → iperf server. This showed significantly better performance with WireGuard. OpenVPN DCO appears to still be single thread bound for a single connection. During the OpenVPN test one core was at 100%; with WireGuard there was equal distribution across all 8 cores. This test won’t reflect most VPN deployments as there will be multiple clients that can be spread across different CPU cores. The OpenVPN results here are slower than the Ryzen one due to the significantly slower core speed on server processors.

My understanding is OpenVPN DCO won’t be single thread bound. It’s possible there’s some issue with my configuration but both adapters are shown as ovpn-dco type. The DCO going into the kernel is different than the DKMS code available. I did go back and check the development server on the AMD Ryzen 9955HX and it is also single thread bound. There is the message below in the ovpn-dco repository. It’s likely all development has been moved to the in-tree module and when that is ready it will not have these issues.

** MAINTENANCE MODE **
This repository is currently in maintenance mode and we only accept important
and meaningful bugfixes.

It’s likely that OpenVPN DCO support without needing DKMS modules is still at least a year away as it will take time for the in-tree module to become widespread in distributions. Currently even Fedora does not appear to have a working DCO. Below is Fedora 43 which has a kernel with the in-tree ovpn module and the OpenVPN build is not detecting it. When I was looking through the OpenVPN source I noticed the current code in the OpenVPN repository appears to have updated all references from the ovpn-dco-v2 module to the in-tree ovpn module. The source for version 2.6.17 still references ovpn-dco-v2.

cloud@test-f43:~$ sudo modprobe ovpn 
cloud@test-f43:~$ openvpn --version
OpenVPN 2.6.17 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.5.4 30 Sep 2025, LZO 2.10
DCO version: N/A
Originally developed by James Yonan
Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=yes enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_dco=yes enable_dco_arg=yes enable_debug=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_pam_dlopen=no enable_pedantic=no enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_wolfssl_options_h=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_openssl_engine=auto with_sysroot=no

OpenVPN DCO (AES-128-GCM)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   117 MBytes   977 Mbits/sec   12   1.20 MBytes       
[  5]   1.00-2.00   sec   116 MBytes   970 Mbits/sec    0   1.27 MBytes       
[  5]   2.00-3.00   sec   114 MBytes   958 Mbits/sec    0   1.34 MBytes       
[  5]   3.00-4.00   sec   113 MBytes   945 Mbits/sec    0   1.40 MBytes       
[  5]   4.00-5.00   sec   123 MBytes  1.03 Gbits/sec    0   1.46 MBytes       
[  5]   5.00-6.00   sec   108 MBytes   901 Mbits/sec   47   1.14 MBytes       
[  5]   6.00-7.00   sec   112 MBytes   938 Mbits/sec    0   1.24 MBytes       
[  5]   7.00-8.00   sec   120 MBytes  1.01 Gbits/sec    0   1.32 MBytes       
[  5]   8.00-9.00   sec   122 MBytes  1.02 Gbits/sec    0   1.38 MBytes       
[  5]   9.00-10.00  sec   118 MBytes   993 Mbits/sec    0   1.42 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.13 GBytes   974 Mbits/sec   59             sender
[  5]   0.00-10.01  sec  1.13 GBytes   971 Mbits/sec                  receiver

OpenVPN DCO (CHACHA20-POLY1305)

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   119 MBytes   994 Mbits/sec   57   1.20 MBytes       
[  5]   1.00-2.00   sec   121 MBytes  1.02 Gbits/sec    0   1.31 MBytes       
[  5]   2.00-3.00   sec   119 MBytes  1.00 Gbits/sec    0   1.40 MBytes       
[  5]   3.00-4.00   sec   119 MBytes   995 Mbits/sec    0   1.47 MBytes       
[  5]   4.00-5.00   sec   120 MBytes  1.00 Gbits/sec    3   1.10 MBytes       
[  5]   5.00-6.00   sec   120 MBytes  1.00 Gbits/sec    1   1.17 MBytes       
[  5]   6.00-7.00   sec   121 MBytes  1.02 Gbits/sec    0   1.24 MBytes       
[  5]   7.00-8.00   sec   121 MBytes  1.01 Gbits/sec    0   1.31 MBytes       
[  5]   8.00-9.00   sec   120 MBytes  1.01 Gbits/sec    0   1.38 MBytes       
[  5]   9.00-10.00  sec   120 MBytes  1.01 Gbits/sec    0   1.44 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.17 GBytes  1.01 Gbits/sec   61             sender
[  5]   0.00-10.01  sec  1.17 GBytes  1.00 Gbits/sec                  receiver

WireGuard

[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   734 MBytes  6.15 Gbits/sec   12   2.34 MBytes       
[  5]   1.00-2.00   sec   831 MBytes  6.97 Gbits/sec   23   3.14 MBytes       
[  5]   2.00-3.00   sec   849 MBytes  7.12 Gbits/sec    7   3.32 MBytes       
[  5]   3.00-4.00   sec   841 MBytes  7.05 Gbits/sec    0   3.50 MBytes       
[  5]   4.00-5.00   sec   814 MBytes  6.83 Gbits/sec   29   3.70 MBytes       
[  5]   5.00-6.00   sec   829 MBytes  6.95 Gbits/sec    1   3.79 MBytes       
[  5]   6.00-7.00   sec   844 MBytes  7.08 Gbits/sec    0   3.86 MBytes       
[  5]   7.00-8.00   sec   845 MBytes  7.08 Gbits/sec    0   3.90 MBytes       
[  5]   8.00-9.00   sec   846 MBytes  7.10 Gbits/sec    0   3.92 MBytes       
[  5]   9.00-10.00  sec   839 MBytes  7.04 Gbits/sec    4   3.98 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  8.08 GBytes  6.94 Gbits/sec   76             sender
[  5]   0.00-10.00  sec  8.08 GBytes  6.94 Gbits/sec                  receiver
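
The Fedora 43 output above shows a build with the `[DCO]` feature flag that still reports `DCO version: N/A`, and the first reply notes that enabling DCO means dropping fallback ciphers. The following is an added example, not part of the thread or of Pritunl's code, that checks both conditions. The function names and sample text are constructed, and the AEAD-only cipher set is an assumption taken from OpenVPN 2.6's Linux DCO behaviour rather than from this page.

```sh
#!/bin/sh
# Added example: tell "built with DCO" apart from "DCO usable", and flag
# --data-ciphers entries that cannot be offloaded.

# Reads `openvpn --version` output on stdin and prints one of:
#   not-built  no [DCO] feature flag in the banner
#   no-module  [DCO] compiled in, but "DCO version: N/A" (the Fedora case above)
#   active     [DCO] compiled in and a kernel module version is reported
dco_status() {
    out=$(cat)
    case "$out" in
        *"[DCO]"*) ;;
        *) echo "not-built"; return 0 ;;
    esac
    ver=$(printf '%s\n' "$out" | sed -n 's/^DCO version:[[:space:]]*//p' | head -n 1)
    case "$ver" in
        ""|N/A) echo "no-module" ;;
        *)      echo "active" ;;
    esac
}

# Prints the entries of a colon-separated --data-ciphers value that are not
# in the AEAD set DCO can offload (assumption: OpenVPN 2.6 Linux DCO).
non_dco_ciphers() {
    bad=""
    old_ifs=$IFS; IFS=:
    for c in $1; do
        case "$c" in
            AES-128-GCM|AES-192-GCM|AES-256-GCM|CHACHA20-POLY1305) ;;
            *) bad="${bad:+$bad:}$c" ;;
        esac
    done
    IFS=$old_ifs
    echo "$bad"
}

# Constructed sample, shortened from the Fedora 43 output in the thread.
SAMPLE='OpenVPN 2.6.17 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [AEAD] [DCO]
DCO version: N/A'

printf '%s\n' "$SAMPLE" | dco_status
# Constructed cipher list with two legacy fallback entries.
non_dco_ciphers "AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC:BF-CBC"
```

On a live host, `openvpn --version | dco_status` gives the same classification; any cipher printed by `non_dco_ciphers` has to be removed from the list before the tunnel can use the kernel data path.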