Dear VPNGate Team,
I request upgrading the default OpenVPN version to at least 2.6, or preferably 2.7, for performance and security improvements.
VPNGate currently uses OpenVPN 2.0 with AES-128-CBC, which is incompatible with DCO (Data Channel Offload). This prevents DCO from being enabled, causing slow speeds—often under 1 Mbps—on high-bandwidth connections. With DCO enabled in OpenVPN 2.6 and later, speeds improve 3-5 times, especially on Windows and Linux platforms.
Additionally, AES-128-CBC is outdated and vulnerable. OpenVPN 2.7 not only supports DCO by default but also integrates stronger ciphers like AES-256-GCM, offering better security and performance. While TAP-Windows6 is available in 2.7, DCO provides a significant performance advantage.
OpenVPN 2.6 and 2.7 also bring improvements such as better network adapter management on Windows and improved stability. Common Linux distributions (Ubuntu, Debian, CentOS, etc.) support these versions, ensuring compatibility across platforms.
Staying with OpenVPN 2.0 is now a performance bottleneck. Upgrading is necessary for better performance, security, and reliability.
It's time to Upgrade OpenVPN to 2.6/2.7 for Performance and Security
-
evelynice
- Posts: 2
- Joined: Wed Jul 02, 2025 5:46 am
-
solo
- Posts: 1674
- Joined: Sun Feb 14, 2021 10:31 am
Re: It's time to Upgrade OpenVPN to 2.6/2.7 for Performance and Security
SoftEther supports all OpenVPN client versions but requires a minor "data-ciphers" config change, and SE server v5 also supports AES-256-GCM.
As for DCO, check this log of OpenVPN 2.6.10 connecting to SE v5...
So, Windows' OpenVPN client has no driver for DCO anyway (although it can be fixed).
As for DCO, check this log of OpenVPN 2.6.10 connecting to SE v5...
Code: Select all
2025-07-03 13:32:04 Note: ovpn-dco-win driver is missing, disabling data channel offload.
2025-07-03 13:32:04 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2025-07-03 13:32:04 Windows version 10.0 (Windows 10 or greater), amd64 executable
2025-07-03 13:32:04 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2025-07-03 13:32:04 DCO version: N/A
...
2025-07-03 13:32:07 Using peer cipher 'AES-256-GCM'
...
2025-07-03 13:32:12 Initialization Sequence Completed
2025-07-03 13:32:12 MANAGEMENT: >STATE:1751513532,CONNECTED,SUCCESS,,,
-
evelynice
- Posts: 2
- Joined: Wed Jul 02, 2025 5:46 am
Re: It's time to Upgrade OpenVPN to 2.6/2.7 for Performance and Security
It seems that OpenVPN 2.6 on Windows supports DCO (Data Channel Offload) with version 1.3.1.
I wasn’t aware that the default configuration supports AES-256-GCM via the --data-ciphers option.
Apparently, if you use --data-ciphers AES-128-CBC, OpenVPN will automatically disable DCO.
I plan to test this behavior further in the future.
Currently, my network seems to be having issues. A VPN connection can reach "Initialization Sequence Completed",
but it disconnects after a few seconds. I'm not sure why—I'll look into it another time.
I’m currently working on a Python program that uses the VPNGate API to connect to VPN servers.
Due to network restrictions, most servers are currently unavailable and need to filter.
My current approach is: for servers that support TCP, I perform latency checks to filter usable IPs;
for servers that only support UDP, I skip the latency check and assume they are available by default, since TCP-based probing isn't possible.
Then, I attempt OpenVPN connections sequentially until I find one that successfully completes initialization.
However, this method is inefficient, as sequential connection attempts take too much time.
So I'm experimenting with launching multiple OpenVPN instances in parallel, and selecting among the ones that complete the "Initialization Sequence".
One problem I'm facing is that the configuration files obtained via the VPNGate API default to cipher AES-128-CBC, which disables DCO sometimes.
Also, the TAP-Windows6 adapter seems to perform poorly.
To address this, I'm testing OpenVPN 2.7, which provides better DCO support and can automatically manage virtual adapters,
simplifying the program logic and improving overall performance.
Unfortunately, I’m now encountering issues such as unstable connections, routing table setup failures, and DCO not being properly enabled.
Given my goals and the challenges I’m facing, I would greatly appreciate any suggestions or advice. Thank you!
Code: Select all
2025-07-14 18:52:03 OpenVPN 2.6.14 [git:none/0169b4ad2bb35d2c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 19 2025
2025-07-14 18:52:03 Windows version 10.0 (Windows 10 or greater), amd64 executable
2025-07-14 18:52:03 library versions: OpenSSL 3.5.0 8 Apr 2025, LZO 2.10
2025-07-14 18:52:03 DCO version: 1.3.1Apparently, if you use --data-ciphers AES-128-CBC, OpenVPN will automatically disable DCO.
I plan to test this behavior further in the future.
Currently, my network seems to be having issues. A VPN connection can reach "Initialization Sequence Completed",
but it disconnects after a few seconds. I'm not sure why—I'll look into it another time.
I’m currently working on a Python program that uses the VPNGate API to connect to VPN servers.
Due to network restrictions, most servers are currently unavailable and need to filter.
My current approach is: for servers that support TCP, I perform latency checks to filter usable IPs;
for servers that only support UDP, I skip the latency check and assume they are available by default, since TCP-based probing isn't possible.
Then, I attempt OpenVPN connections sequentially until I find one that successfully completes initialization.
However, this method is inefficient, as sequential connection attempts take too much time.
So I'm experimenting with launching multiple OpenVPN instances in parallel, and selecting among the ones that complete the "Initialization Sequence".
One problem I'm facing is that the configuration files obtained via the VPNGate API default to cipher AES-128-CBC, which disables DCO sometimes.
Also, the TAP-Windows6 adapter seems to perform poorly.
To address this, I'm testing OpenVPN 2.7, which provides better DCO support and can automatically manage virtual adapters,
simplifying the program logic and improving overall performance.
Unfortunately, I’m now encountering issues such as unstable connections, routing table setup failures, and DCO not being properly enabled.
Given my goals and the challenges I’m facing, I would greatly appreciate any suggestions or advice. Thank you!