OpenVPN and DCO on Upcoming Linux Distributions
Published on 2026-04-01
OpenVPN 2.7 and later, together with Linux kernel >= 6.16, supports DCO (Data Channel Offloading). With DCO, encryption and decryption are performed in kernel space, which results in improved performance and hopefully reduced battery use.
Let's look at support for it in the upcoming Linux distribution releases, specifically Ubuntu 26.04 LTS and Fedora 44.
It turns out it is still a bit rough around the edges, and requires some work to get it going. We will only focus on using NetworkManager with the OpenVPN plugin here, which is the default on both distributions for using OpenVPN as a client.
Let's start with Ubuntu. There are currently three issues, where the first one prevents OpenVPN from working at all in client mode, and the last two prevent DCO from working.
- OpenVPN certificate can't be loaded due to AppArmor;
- OpenVPN can't load the ovpn kernel module when running as non-root user due to AppArmor;
- OpenVPN process can't load the ovpn kernel module when started through NetworkManager.
There are upstream issues for all of these: (1, 2, 3). Let's hope they will be fixed before the final releases!
For Ubuntu the script below will fix all of these issues for you automatically:
#!/bin/sh
# fix AppArmor (1, 2)
cat << EOF | sudo tee /etc/apparmor.d/local/openvpn > /dev/null
file r @{run}/NetworkManager/cert/@{rand6},
capability setpcap,
EOF
sudo apparmor_parser -r /etc/apparmor.d/openvpn
# fix NetworkManager (3)
# make sure we have the CAP_SETPCAP capability
cat << EOF | sudo systemctl edit --stdin NetworkManager
[Service]
CapabilityBoundingSet=CAP_SETPCAP
EOF
sudo systemctl restart NetworkManager
Now on to Fedora. It is a bit better here: there's no AppArmor, and I feel the SELinux issues were resolved a decade ago, so only issue number 3 above applies.
#!/bin/sh
# fix NetworkManager (3)
# make sure we have the CAP_SETPCAP capability
cat << EOF | sudo systemctl edit --stdin NetworkManager
[Service]
CapabilityBoundingSet=CAP_SETPCAP
EOF
sudo systemctl restart NetworkManager
In order to verify that DCO actually works, you can follow the NetworkManager OpenVPN plugin log, and start the OpenVPN connection:
$ journalctl -f -t nm-openvpn
You'll see something like the following scroll by on your screen:
OpenVPN 2.7.1 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.5.5 27 Jan 2026, LZO 2.10
DCO version: 6.19.10-300.fc44.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 25 18:23:49 UTC 2026
The important line is DCO version. If it mentions the currently running
kernel, you are fine. If it shows N/A, it does NOT use DCO (yet), e.g. before
applying the fixes mentioned above.
I don't know if these are the best possible fixes, but they do work!
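A small check for both parts of the procedure above, added here as an example and not part of the original post: it tests whether CAP_SETPCAP (capability number 8) is in NetworkManager's bounding set and classifies the most recent "DCO version:" log line against the running kernel. The function names, the `live` argument and the sample log lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): confirm the fixes took effect.

# has_setpcap HEXMASK: succeed if CAP_SETPCAP (capability number 8) is set in
# a CapBnd mask as printed in /proc/<pid>/status, e.g. 000001ffffffffff.
has_setpcap() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    # Bit 8 lives in the last four hex digits; this avoids 64-bit arithmetic.
    low=$(printf '%s' "$1" | sed 's/.*\(....\)$/\1/')
    [ $(( (0x$low >> 8) & 1 )) -eq 1 ]
}

# dco_state KERNEL_RELEASE: read nm-openvpn log lines on stdin and classify
# the most recent "DCO version:" line as active, inactive or unknown.
dco_state() {
    line=$(grep 'DCO version:' | tail -n 1) || :
    case $line in
        *"DCO version: N/A"*) echo inactive ;;
        *"DCO version: $1 "*|*"DCO version: $1") echo active ;;
        *) echo unknown ;;   # no such line, or a different kernel release
    esac
}

# live_check: run both checks against this machine (needs systemd).
live_check() {
    pid=$(systemctl show -p MainPID --value NetworkManager)
    bnd=$(awk '/^CapBnd:/ { print $2 }' "/proc/$pid/status")
    if has_setpcap "$bnd"; then echo "CAP_SETPCAP in bounding set: yes"
    else echo "CAP_SETPCAP in bounding set: no"; fi
    echo "DCO: $(journalctl -b -t nm-openvpn --no-pager | dco_state "$(uname -r)")"
}

# Constructed sample log lines, modelled on the output quoted in the post.
SAMPLE_OK='nm-openvpn[1]: DCO version: 6.19.10-300.fc44.x86_64 #1 SMP PREEMPT_DYNAMIC'
SAMPLE_NA='nm-openvpn[1]: DCO version: N/A'

if [ "${1:-}" = live ]; then
    live_check
else
    printf '%s\n' "$SAMPLE_OK" | dco_state 6.19.10-300.fc44.x86_64   # active
    printf '%s\n' "$SAMPLE_NA" | dco_state 6.19.10-300.fc44.x86_64   # inactive
fi
```

Run it with the `live` argument after connecting the VPN to check the real system; without arguments it only classifies the constructed sample lines.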