Modern NICs do a lot of invisible heavy lifting — TSO, GRO, and checksum offload keep the kernel's fast path lean. But what happens when your traffic has to traverse a VPN tunnel? Offload context is lost, and naively reimplementing it in software is the difference between a protocol that scales and one that doesn't.
This talk starts from first principles: how TCP Segmentation Offload (TSO) works in hardware, what software GSO and GRO do to replicate it, and how TCP flow coalescing is reflected at the wire format level. From there, we look at how a VPN actually works under the hood: TUN interfaces, the interplay between UDP/TCP sockets, and where performance typically dies.
The second half covers the design decisions behind a GSO/GRO prototype for Lightway, ExpressVPN's open-source VPN protocol: zero-copy buffer management, SIMD-accelerated processing, and thread load balancing to keep all cores busy without contention.
Samuel Tam / Hong Kong
ExpressVPN
Samuel is a Linux Infrastructure Engineer at ExpressVPN where he works on high-performance networking and systems infrastructure. He built a GSO/GRO prototype for Lightway, ExpressVPN's open-source VPN protocol. His work spans low-level systems programming, network protocol development, and Linux kernel networking.