A kernel module has been introduced that can significantly speed up OpenVPN

The developers of OpenVPN, a package for building virtual private networks, have introduced the ovpn-dco kernel module, which can significantly speed up VPN performance. Although the module is still under development with an eye to the linux-next branch and is flagged as experimental, it has already reached a level of stability that lets it be used to run the OpenVPN Cloud service.

Compared to the configuration based on the tun interface, using the module on both the client and the server side with the AES-256-GCM cipher gave an 8-fold increase in throughput (from 370 Mbit/s to 2950 Mbit/s). With the module only on the client side, throughput tripled for outgoing traffic and did not change for incoming traffic. With the module only on the server side, throughput increased fourfold for incoming traffic and by 35% for outgoing traffic.


The acceleration comes from moving all encryption operations, packet processing and channel management into the Linux kernel. This removes the overhead of context switching, allows optimizations through direct access to internal kernel APIs, and eliminates the slow copying of data between kernel and user space: encryption, decryption and routing are performed by the module without passing traffic to a handler in user space.

It is noted that the main drags on VPN performance are the resource-intensive encryption operations and the delays caused by context switches. Processor extensions such as Intel AES-NI were used to speed up encryption, but context switches remained a bottleneck until the arrival of ovpn-dco. Besides using the processor's encryption instructions, the ovpn-dco module also splits encryption work into separate segments and processes them in multi-threaded mode, so that all available CPU cores can be used.

The current implementation has limitations that are to be removed in the future: it supports only the AEAD and 'none' (no authentication) modes, and only the AES-GCM and CHACHA20POLY1305 ciphers. DCO support is planned for the OpenVPN 2.6 release, scheduled for the 4th quarter of this year. The module is currently supported in the OpenVPN3 Linux beta client and in experimental builds of the OpenVPN server for Linux. A similar module, ovpn-dco-win, is being developed for the Windows kernel.
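Because the module handles only the cipher modes listed above, an administrator who expects the speedup should check that the configured data-channel ciphers fall inside that set before relying on it. The following is an added example, not code from the article or from the OpenVPN project: it parses the standard OpenVPN 2.5+ `data-ciphers` and `cipher` directives from a configuration and classifies each cipher against the limitations the article states. The sample configuration is constructed, and the set of AES-GCM key sizes is an assumption based on the cipher names OpenVPN accepts.

```python
"""Audit OpenVPN data-channel cipher settings against the ovpn-dco
limitations described in the article (AEAD only: AES-GCM and
CHACHA20-POLY1305, plus the unauthenticated 'none' mode).
Example code; not the module's or the project's own logic."""

# AEAD cipher names OpenVPN accepts that fall under "AES-GCM" and
# "CHACHA20-POLY1305" as the article describes (assumed key sizes).
DCO_AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}


def classify_cipher(name):
    """Return 'offloaded' for an AEAD cipher the module handles,
    'insecure' for the 'none' mode (handled, but no authentication),
    and 'not_offloaded' for anything else (e.g. CBC ciphers)."""
    norm = name.strip().upper()
    if norm == "NONE":
        return "insecure"
    if norm in DCO_AEAD_CIPHERS:
        return "offloaded"
    return "not_offloaded"


def extract_ciphers(config_text):
    """Collect cipher names from 'data-ciphers' (colon-separated list)
    and the legacy single 'cipher' directive. Lines starting with
    '#' or ';' are comments in OpenVPN config files."""
    ciphers = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "data-ciphers" and len(parts) > 1:
            ciphers.extend(c for c in parts[1].split(":") if c)
        elif directive == "cipher" and len(parts) > 1:
            ciphers.append(parts[1])
    return ciphers


def audit_config(config_text):
    """Group every configured cipher by how ovpn-dco would treat it,
    according to the limitations stated in the article."""
    result = {"offloaded": [], "insecure": [], "not_offloaded": []}
    for cipher in extract_ciphers(config_text):
        result[classify_cipher(cipher)].append(cipher)
    return result


# Constructed sample: a mixed cipher list such as an admin might have
# left behind after upgrading from an older OpenVPN release.
SAMPLE_CONFIG = """\
# constructed example, not taken from the article
dev tun
data-ciphers AES-256-GCM:CHACHA20-POLY1305:AES-128-CBC
; legacy fallback cipher for old clients
cipher AES-256-CBC
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for category, names in report.items():
        print(f"{category:14s}: {', '.join(names) or '-'}")
    if report["not_offloaded"]:
        print("Some configured ciphers are outside the AEAD set the module supports.")
    if report["insecure"]:
        print("'none' gives no authentication; use only where that is acceptable.")
```

Any name reported under `not_offloaded` means the session negotiated with that cipher falls outside what the article says the module currently supports, so the measured speedups should not be expected for it; `insecure` flags the 'none' mode, which is fast but leaves packets unauthenticated.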

Source: opennet.ru
