Bottlenecked No More

With support from OTF’s Internet Freedom Fund, the OpenVPN community unites to unlock faster VPN connection speeds and performance through the finalization of a data channel offload
Tue, 2023-06-13 14:54

OpenVPN is one of the oldest and most-established virtual private network (VPN) systems in the world. First released in 2001 by James Yonan, the pioneering open source software has been downloaded tens of millions of times by users looking to enhance their online security. But VPN-provided data encryption necessarily comes with an overhead tradeoff: decreased speed and performance. And as user expectations and application bandwidths continue to increase year-over-year, this tradeoff has become more noticeable for user-space VPNs, like OpenVPN, which send data packets back and forth from the user space down to the kernel space. Although OpenVPN community members have been aware of this issue for years, they were unable to address it until recently due to the complexity of OpenVPN’s existing codebase and developer booking constraints. A recent OTF-supported effort, however, helped to solve the long-standing bottleneck problem by enabling support for an innovative data channel offload (“DCO”).

Officially dubbed OpenVPN2.x support for Data Channel Offload in the Linux Kernel (or “ovpn-dco support in OpenVPN2” for short), the community-based project ran from late 2021 to early 2023 and received funding from OTF’s Internet Freedom Fund (IFF). The independence afforded by the IFF funding allowed the OpenVPN community to lead, set priorities, and expand the software’s overall testing framework while developing the long-awaited revamp. As a result, the project was a natural fit for OTF’s commitment to championing collaborative and community-based solutions in the fight against online censorship and surveillance. 

Project Background

As a well-established and mature open source software, OpenVPN is incredibly complex – meaning there are increasingly fewer and fewer people today who can review, propose, and implement changes to its extensive codebase. And of those people, even fewer are available to provide the essential support due to pre-existing bookings and obligations. This unique combination of expert-level codebase constraints and commitments has led to several proposed projects withering on the vine prior to full development and implementation. 

Complications like these are unfortunately not uncommon in the open source space, which affords users many benefits but also poses persistent funding challenges regarding who will put in the necessary work to maintain the online freeways on which everyone else relies. Though the OpenVPN community is filled with helpful users eager to report bugs or test new features, there are ultimately only a limited number of individuals capable of developing and sending patches for inclusion in the codebase. When one of those individuals learned of OTF and the IFF, they seized the opportunity to secure the funding necessary to help enable support for a DCO update that would increase OpenVPN’s performance and speed.

Prior to OTF’s involvement, a support framework already existed to move OpenVPN’s two primary functions (routing and crypto) down to the kernel space via a DCO. The proposed solution would solve the bottleneck problem by eliminating the need for continuous back-and-forth packet exchanges with the user space – but the concept had yet to be merged into the existing codebase due to a lack of funding. Once this missing link was secured through a successful IFF application, the project team quickly moved to update and convert the existing draft into something the community writ large could review as it was implemented in the codebase. 

Technical Overview

From a technical perspective, the new DCO is a kernel module that relocates the processing of data packets from the OpenVP›N user space program down to the kernel space in an effort to boost the speed and performance of active OpenVPN connections. As demonstrated in Figure A, below, prior iterations of OpenVPN continuously passed data packets back and forth from the kernel space up to the user space, where decryption and re-routing would occur. 

Figure A: Data packet flow on a traditional OpenVPN server (pre-DCO implementation). Source.

Because the fastest processing speeds occur down at the kernel space (which is closest to a computer’s hardware), the inter-space approach depicted above results in an operating performance slowdown when using OpenVPN. By contrast, the implementation of the new DCO configuration utilizes a set of components to offload OpenVPN’s primary routing and crypto work down to the kernel space alone – dramatically increasing speeds and eliminating the need for the majority of user space packet processing. This hyper-efficient, intra-space solution relieves the traditional approach’s bottleneck problem and is illustrated in Figure B, below.

Figure B: Data packet flow on OpenVPN2.6 or later (post-DCO implementation). Source.

Although the new DCO configuration moves data packet processing down to the kernel space, the OpenVPN user space program still handles critical operations such as the TLS handshake and data channel key (re-)negotiations. This strategic design advantage works to keep the ovpn-dco kernel module remarkably simple in structure, further bolstering security and reducing the potential attack space. 

The conclusion of the community-led project coincided with the release of OpenVPN2.6.3, which incorporates ovpn-dco for all users. With the new DCO, VPN connections will now be significantly faster and servers will be able to handle more users without sacrificing performance. Unlocking the bottleneck issue will also allow those who lack access to faster hardware, or are running OpenVPN on small/inexpensive embedded routers, to finally get better speeds when going online. And although the ovpn-dco Linux kernel module is currently an out-of-tree module that must be installed separately, there are also plans in the works to have the new module merged into the Linux base kernel itself – at which time every person running Linux will get to enjoy the benefits of ovpn-dco by default.

Looking to the Future

OTF’s support for the innovative DCO project allowed the OpenVPN community to independently prioritize and focus on the realization of a critical software update. Many core open source developers are also in-demand contractors, making it difficult for them to allocate sufficient “free time” to follow through on large implementations and reviews like the ovpn-dco support in OpenVPN2 project. In situations such as these, independent funding – like that which came from the IFF – serves as an important option to empower online communities to support and steer their own projects. 

Throughout the course of the multi-year endeavor, the OpenVPN community relied on its members to lead the development, support, and implementation of the new DCO. The most challenging part of the process was getting the code into an easily-reviewable shape – a task that proved to be quite onerous given the significant size and invasive nature of the required code change. Yet in doing so, one of the greatest sources of pride came from how the effort ended up giving the community an opportunity to extend its testing framework. Proper testing always takes a significant amount of time, often without much visible impact. This essential piece of development can therefore be overlooked or dismissed. Yet the project’s organization and funding allowed the testing aspect of development to get the full attention that it deserves, resulting in the OpenVPN community extending its testing framework in order to accommodate new test-cases from the DCO components.

New users can download OpenVPN here for Windows installer (Linux users can simply use the package manager shipped with their system). The source code is also available on Github. As a reminder, user feedback is vital for projects like this, so community members are encouraged to use the new tool and report any bugs or issues here. OpenVPN is always evolving and improving – interested parties can read about what the community has in store for version 2.7 here.

About the program: The Internet Freedom Fund (IFF) is OTF’s primary way to support projects and people working on open and accessible technology-focused projects that promote human rights, Internet freedom, and open societies. The IFF accepts applications on a rolling basis through a two-step process. Applications are first submitted as concept notes. Upon positive review of an application, OTF then invites applicants to submit a full proposal. Click here to learn more and begin the application process.

***