The following parameters are executed in order as the connection is brought up (from the OpenVPN manual page):

1. –up, executed after TCP/UDP socket bind and TUN/TAP is opened,
2. –tls-verify, executed when there is still and entrusted remote peer,
3. –ipchange, executed after connection authentication or remote IP address change,
4. –client-connect, executed in –mode server mode immediately after client authentication,
5. –route-up, executed after connection authentication, either immediately after, or some number of seconds after as defined by the –route-delay option,

and then torn down:

1. –route-pre-down, executed right before the routes are removed,
2. –client-disconnect, executed in –mode servermode on client instance shutdown,
3. –down, executed after TCP/UDP and TUN/TAP close.

Data Channel Offload (DCO) is a module that allow OpenVPN to optimize packet flow by switching some of the operations to execute in kernel space.

In order to use DCO, the OpenVPN DCO kernel module has to be installed. For example, using DKMS on Debian, the following command should install the required module:

apt-get install openvpn-dco-dkms

Note that for DCO to work, OpenVPN has to be configured in TUN mode and use TUN adapters not TAP because TAP is not supported for DCO.