Netgate Discussion Forum
    OpenVPN DCO with 23.01

      mikey_s

      Good morning,

      My understanding is DCO is not experimental within the 23.01 release. I'm fairly new to pfSense, so just reviewing documentation etc.

      I did the original OpenVPN setup by following the Netgate documentation and LTS videos. Prior to this I had VPNs running via Sophos XG Home etc.

      My understanding is for the real benefit of DCO it needs to be supported for both client and server? My VPN clients are atm iOS-based devices.

      When I enable DCO on the VPN tunnel setup, connections still work fine, little change in CPU etc. AES is enabled (active) within the configuration of the firewall. There is no QAT support on the CPU.

      CPU is Intel(R) Xeon(R) CPU E3-1240L v3 @ 2.00GHz, but I'm considering dropping to an Atom system I have spare as this system just sits idle 98% of the time.

      The connection is only a 200/20 connection, so nothing that would stress a system.

        SteveITS Galactic Empire @mikey_s

        @mikey_s I haven’t had the opportunity to try it yet but per https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/dco.html:

        “Thus, DCO is beneficial even when only one endpoint is capable of DCO. That said, tunnels employing DCO on all peers will see the most benefit. With DCO on only one peer the performance improvement can still be notable but not as significant as the gains with DCO support on both endpoints.”

        That page also says it’s (still) experimental.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.