dco: allow user to disable it at runtime

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220718221923.2033-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24702.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2 files changed, 13 insertions, 0 deletions

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index 9060a23..394c218 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -171,6 +171,15 @@ which mode OpenVPN is configured as.
   on console) and ``--auth-nocache`` will fail as soon as key
   renegotiation (and reauthentication) occurs.
 
+--disable-dco
+  Disable "data channel offload" (DCO).
+
+  On Linux don't use the ovpn-dco device driver, but rather rely on the
+  legacy tun module.
+
+  You may want to use this option if your server needs to allow clients
+  older than version 2.4 to connect.
+
 --disable-occ
   Disable "options consistency check" (OCC).
 
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 08ee7bd..04f4b4fb 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -146,6 +146,10 @@ fast hardware. SSL/TLS authentication must be used in this mode.
   server. Don't use this option if you want to firewall tunnel traffic
   using custom, per-client rules.
 
+  Please note that when using data channel offload this option has no
+  effect. Packets are always sent to the tunnel interface and then
+  routed based on the system routing table.
+
 --disable
   Disable a particular client (based on the common name) from connecting.
   Don't use this option to disable a client due to key or password