OpenVPN is a battle-tested but somewhat aging VPN protocol. WireGuard is a new lightweight VPN protocol that security experts agree is as secure as OpenVPN but much more efficient and, therefore, faster.
However, a new implementation of OpenVPN, OpenVPN Data Channel Offload (DCO), brings OpenVPN's speed up to match WireGuard's.
OpenVPN DCO is supported on our new Linux app, meaning it can match WireGuard’s performance on other platforms. Please note that WireGuard support on our Linux app is also coming.
Why OpenVPN DCO is fast
On a modern operating system (OS), code runs in either user space or kernel space. Code that is strictly essential for running the operating system runs in kernel space. This includes the operating system kernel, kernel extensions, and most device drivers. Everything else runs in user space, including everything users normally interact with, such as apps, utilities, and programming languages.
WireGuard support is built into the Linux kernel and runs purely inside the kernel space. This helps to make it as fast as it is on Linux devices.
OpenVPN (without DCO), on the other hand, has to copy its data packets from the kernel space to the user space to decrypt them. It must then re-encrypt them and copy them back to the kernel space to send them on to their final destination.
Needless to say, these extra steps slow the whole process down considerably. An additional problem is that OpenVPN uses single-threaded processing in the user space, meaning that instructions are processed one at a time.
OpenVPN DCO is a loadable kernel module that (much like WireGuard) allows the entire operation to happen inside the kernel space. Not only does this remove the need to copy data into and out of the user space, but it also reduces the number of system calls needed. Each such system call adds delay, a problem exacerbated by an increasing need in recent years to patch CPU vulnerabilities.
An additional benefit is that processing inside the kernel space allows OpenVPN to use multi-threaded processing (many processes run at once).
What does this mean?
The result is that OpenVPN DCO performance matches that of WireGuard. And because we support OpenVPN DCO on our Linux app, OpenVPN performance when using the app should match that of using WireGuard on other platforms.
OpenVPN without DCO
OpenVPN with DCO
Will we use OpenVPN DCO on other platforms?
OpenVPN DCO is currently available for the Linux and Windows kernels. If you wish to use it on Windows, OpenVPN DCO is supported on our manual OpenVPN configuration files.
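As an added example (not part of the original article, and not the VPN provider's or the OpenVPN project's code), this script scans a manual OpenVPN configuration file for directives that keep OpenVPN 2.6 on the user-space data path instead of DCO. The rule set is an assumption drawn from the OpenVPN project's documented DCO limitations (tun devices only, AEAD ciphers only, no compression or fragmentation), and the sample config is constructed.

```python
# Added example. Rules are assumptions based on OpenVPN's documented DCO limits.
AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

# Constructed sample config (not a real provider file).
SAMPLE = """client
dev tun
proto udp
remote vpn.example.net 1194
# legacy options below
data-ciphers AES-256-GCM:AES-256-CBC
comp-lzo no
fragment 1300
"""

def dco_blockers(config_text):
    """Return [(line_number, reason)] for directives that rule out DCO."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, *args = line.split()
        key = key.lstrip("-")                # tolerate "--option" spelling
        arg = args[0] if args else ""
        if key == "disable-dco":
            findings.append((n, "DCO explicitly disabled"))
        elif key in ("dev", "dev-type") and arg.lower().startswith("tap"):
            findings.append((n, "DCO handles layer 3 (tun) devices only"))
        elif key in ("compress", "comp-lzo"):
            findings.append((n, "compression and compression framing are not offloaded"))
        elif key == "allow-compression" and arg.lower() != "no":
            findings.append((n, "allow-compression must be 'no' for DCO"))
        elif key == "fragment":
            findings.append((n, "--fragment is not supported by DCO"))
        elif key == "data-ciphers":
            bad = [c for c in arg.upper().split(":")
                   if c.lstrip("?") not in AEAD]
            if bad:
                findings.append((n, "non-AEAD data cipher(s): " + ", ".join(bad)))
    return findings

if __name__ == "__main__":
    for n, reason in dco_blockers(SAMPLE):
        print(f"line {n}: {reason}")
```

An empty result means nothing in the file forces the user-space path; whether DCO is actually used still depends on the kernel module or Windows driver being present.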