I had a similar problem with Hide.me using an OpenVPN connection on pfSense. I was getting 60mbps on a 360mbps connection. The solution was to check the box for “Enable Data Channel Offload (DCO) for this instance” under VPN/OpenVPN/Clients/Edit/Mode Configuration. I then got the full download speed.
You need to check that has actually been enabled on the server.
I could not find it on my CE software. It is only available on Plus. I used Plus in the past but seem to remember having an issue. Is there any reason not to move to Plus?
If you have it then you’ll see it under Mode Configuration.
Sure you can move to Plus, but if the VPN provider hasn’t enabled DCO it won’t do anything, I happen to just noticed AirVPN have an option for selecting servers with this feature, they only have one, I don’t know the reason.
I moved to Plus. I ticked the DCO box. Now PIA will not connect. I am not sure what all this means. I would appreciate some insights. TIA. With DCO un ticked it works fine.
Jan 10 19:16:25 openvpn 66653 [chicago417] Peer Connection Initiated with [AF_INET]181.214.166.68:1198
Jan 10 19:16:25 openvpn 66653 Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jan 10 19:16:25 openvpn 66653 Options error: option 'route-ipv6' cannot be used in this context ([PUSH-OPTIONS])
Jan 10 19:16:25 openvpn 66653 Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 10 19:16:25 openvpn 66653 Compression or compression stub framing is not allowed since data-channel offloading is enabled.
Jan 10 19:16:25 openvpn 66653 OPTIONS ERROR: server pushed compression settings that are not allowed and will result in a non-working connection. See also allow-compression in the manual.
Jan 10 19:16:25 openvpn 66653 ERROR: Failed to apply push options
Jan 10 19:16:25 openvpn 66653 Failed to open tun/tap interface
Jan 10 19:16:25 openvpn 66653 SIGUSR1[soft,process-push-msg-failed] received, process restarting
They haven’t enabled DCO on the server.
Thanks for the reply.
You can have DCO on one side and not the other that shouldn’t be the issue, you won’t see the full benefit if it’s not enabled both sides that’s all. Try turning compression off if you haven’t already, under the ‘Allow Compression’ setting change the setting to ‘Refuse any non-stub compression’. DCO isn’t compatible with compression and some legacy features and ciphers. ChaCha20-Poly1305 and AES-GCM are the only ciphers compatible with DCO so make sure you’re using one of them, both are supported by Mullvad. ChaCha20-Poly1305 is more modern and is as fast or faster than AES-GCM in most cases, it’s also less vulnerable to timing attacks. It’s the same cipher WireGuard uses. Here are a list of the ‘Limitations’ of using DCO. It lists the OpenVPN settings that aren’t compatible with DCO turned on.
As a new user I’m not able to reply again so I’m editing this comment instead. I just did some reading and from your logs it seems that compression is being pushed server-side. As far as I’m aware this can’t be turned off client-side if it’s being pushed by the server so unfortunately I don’t think DCO can be turned on in your case. I’m surprised compression is being pushed by the server as this is now a deprecated feature.
@Jimbo that is a good link on DCO, I hadn’t realised that DCO can work in one direction. Though, I have tried it with AirVPN with the other conditions fulfilled but the client wouldn’t connect with DCO checked. However, I see that AirVPN have enabled one server with DCO enabled, I would guess when DCO is enabled it breaks backwards compatibility. Though I can test this easily enough on my own setup.
Thanks for all the information. Super helpful.