Road to OpenVPN 2.6 - VPN servers migration

This topic is targeted ONLY to OpenVPN users OpenVPN

The OpenVPN DCO incorporates the entire OpenVPN data channel into the kernel module while keeping the control channel outside the kernel. See more here
Also, on Windows systems, DCO is a new, alternative driver that will replace wintun and tap-windows6.
DCO is an OpenVPN 2.6 feature that can be activated either server-side, client-side or both sides.
Our VPN servers currently (2023/05) run OpenVPN 2.5 series. We are starting to upgrade our servers to OpenVPN 2.6.x series.

Migration Plan

START June 2023 	Release of new Configuration Generator with OpenVPN 2.6 support in advanced settings Release of Eddie version 2.23 with OpenVPN 2.6 bundled and DCO support as EXPERIMENTAL Opening at least one server with OpenVPN 2.6 (Marsic)
 Beta Testing Phase starting on June 2023 	Duration: Until openvpn-dco stable version is released for our systems and Eddie 2.23 stable version is released During this period, we'll be searching for a better approach to pending OpenVPN 2.6 issues if not fixed on the main branch
 Migration Phase start: when the Beta Testing Phase ends 	Each server will be upgraded to OpenVPN 2.6 with DCO server-side During this period, upgraded server will disappear from old Eddie version. Simply upgrade Eddie to the latest stable release.
 END	All of our servers will feature OpenVPN 2.6 or higher version and DCO Eddie Desktop edition users are expected to run Eddie 2.23 or higher version. Freedom to run third party software will be of course preserved (check "Config Generator" box) In Config Generator, 2.6 profile by default, selection of continents or countries allowed

Specific instruction based on customers Operating System and Software used

Config Generator / Other software

Go to Config Generator
Check Advanced
in OpenVPN Profile choose 2.6 or higher version

This will generate client-side configuration compatible with DCO. It can work ONLY with servers already running OpenVPN 2.6 or higher version, hence available servers will be filtered, and country/continent selection won't be available.

Refer to help icon near the OpenVPN Profile for more information.

Eddie Desktop - Windows

Eddie will use wintun as driver by default, and will not currently install ovpn-dco driver or create adapter.
During the Beta Testing Phase, run the official OpenVPN Installer (which installs the driver and create the adapter) and in Eddie specify in Preferences > Advanced > Driver the value ovpn-dco
Future releases in the beta phase will install and manage automatically ovpn-dco driver and network adapter (WIP).

Linux

OpenVPN 2.6 to work with DCO needs a kernel module called ovpn-dco-v2. Users need to install on their own. Use

modinfo ovpn-dco-v2

to check if it is installed correctly.
Eddie Desktop portable edition doesn't automatically install it. Eddie distribution edition (.deb, .rpm, arch etc) uses openvpn or additional dependencies correctly as package manager dependencies, and openvpn-dco is not in any official repo yet.
Also note that Eddie Desktop edition uses the OpenVPN installed in the system (openvpn is a dependency in package manager), so you need to wait for OpenVPN 2.6 in your package manager or update manually to use DCO.

macOS

Currently, DCO drivers are not available. Standard TUN without DCO will be used. FreeBSD team is working on it.

AirVPN Suite

The Suite is based on OpenVPN3-AirVPN which currently provides unstable DCO support. Only after a stable support is reached the Suite will be able to offer the option to take advantage of it accordingly. Before, during and after the migration, Suite users can connect normally to every Air VPN server.

Eddie Android edition

DCO kernel module, in this unstable phase, is not accepted in Linux kernel trees Android is based on, or any other Linux kernel tree. DCO support client-side is therefore not possible in Android stock kernels. We will consider what happens when DCO reaches a stable release. Before, during and after the migration, Eddie Android edition users can connect normally to every Air VPN server both over WireGuard and OpenVPN3-AirVPN.

How to know if DCO is in use

Remember: Only OpenVPN 2.6 and higher versions can use DCO.
If Eddie or OpenVPN log:

OpenVPN > DCO device tun0 opened

then you are connected with DCO active to a VPN server upgraded to 2.6.
Otherwise, if Eddie or OpenVPN log

Note: (various reasons): disabling data channel offload.

then you are trying to connect to a VPN server not upgraded to 2.6 or through some feature unsupported by DCO. DCO will not be used.

Why do I see some WARNING about 'link-mtu' and 'auth'?

Why older Eddie Desktop before 2.23 hide already-upgraded servers?

Old OpenVPN 2.5 versions can throw the following warnings when connecting to already-migrated servers running with OpenVPN 2.6:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1552'
WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'

You can ignore them as false positives, or use 2.6 or higher versions, which do not show these warnings (confirming them as false positives)
This is why we will hide OpenVPN 2.6 based servers to older Eddie Desktop versions: they throw [when running OpenVPN 2.5 or older versions] this kind of warnings as OS notification.

Sign In