diff --git a/local/Jenkinsfile b/local/Jenkinsfile
new file mode 100644
index 0000000..e33d985
--- /dev/null
+++ b/local/Jenkinsfile
@@ -0,0 +1,88 @@
+properties([
+    buildDiscarder(logRotator(artifactDaysToKeepStr: '90', artifactNumToKeepStr: '7', daysToKeepStr: '', numToKeepStr: '')),
+    disableConcurrentBuilds(),
+    disableResume(),
+    parameters([
+        text(defaultValue: '''# will be appended to terraform.tfvars
+# can be used to override openvpn/ovpn-dco source branches
+# e.g.
+# openvpn_branch=release/2.6''', name: 'TERRAFORM_VARIABLES'),
+        string(description: 'Set arguments for all iperf servers',
+               name: 'IPERF_GLOBAL_SERVER_ARGS', trim: true),
+        string(defaultValue: '-t10',
+               description: 'Set arguments for all iperf clients',
+               name: 'IPERF_GLOBAL_CLIENT_ARGS', trim: true),
+    ]),
+    pipelineTriggers([[$class: 'PeriodicFolderTrigger', interval: '30m']])
+])
+
+def terraform_config() {
+    sh(label: 'terraform.tfvars', script: '''
+SANE_NAME=$(perl -wE 'my $n=lc($ARGV[0]);$n=~s/^.*%2f//;$n=substr($n,-30);$n=~s/[^a-z0-9-]/-/g;$n=~s/^-*//;print($n)' "${JOB_BASE_NAME}")
+cat <<EOF | tee terraform.tfvars
+region="eu-west-1"
+owner="$JENKINS_URL"
+email="pkg@openvpn.net"
+dns_zone_name="${AWS_TEST_DNS_ZONE_NAME}"
+dns_host_name="${SANE_NAME}-${BUILD_NUMBER}"
+cluster_name="${SANE_NAME}-${BUILD_NUMBER}"
+ssh_pub_key="${AWS_TEST_SSH_PUBKEY}"
+assume_role="arn:aws:iam::${AWS_TEST_ACCOUNT}:role/${AWS_TEST_ROLE}"
+test_branch="${CHANGE_BRANCH:-${BRANCH_NAME}}"
+${TERRAFORM_VARIABLES}
+EOF
+''')
+}
+
+def terraform_apply() {
+    timeout(10) {
+        sh(label: 'terraform apply', script: '''
+#export TF_LOG=trace
+terraform init -no-color -lockfile=readonly
+terraform apply -auto-approve -no-color
+''')
+    }
+}
+
+def terraform_destroy() {
+    retry(2) {
+        sh(label: 'terraform destroy', script: '''
+terraform destroy -auto-approve -no-color
+''')
+    }
+}
+
+def git_checkout() {
+    stage("Git checkout") {
+        cleanWs()
+        checkout scm
+    }
+}
+
+node(env.AWS_TEST_TERRAFORM_NODE) {
+    git_checkout()
+    stage('Terraform Prepare') {
+        try {
+            dir('terraform/openvpn-server') {
+                terraform_config()
+                terraform_apply()
+            }
+            sshagent([env.AWS_TEST_SSH_SECRET]) {
+                stage('Run Tests') {
+                    dir('local') {
+                        sh(label: 'Run Tests',
+                           script: './local_test.sh')
+                    }
+                }
+            }
+        }
+        finally {
+            stage("Cleanup") {
+                archiveArtifacts(artifacts: 'local/testlogs-*/**', allowEmptyArchive: true)
+                dir('terraform/openvpn-server') {
+                    terraform_destroy()
+                }
+            }
+        }
+    }
+}
diff --git a/local/README.md b/local/README.md
new file mode 100644
index 0000000..7cde6ca
--- /dev/null
+++ b/local/README.md
@@ -0,0 +1,5 @@
+Local Tests
+===========
+
+This is intended to be run between the server and
+local client as set up by terraform.
diff --git a/local/client/client.conf b/local/client/client.conf
new file mode 100644
index 0000000..f019d67
--- /dev/null
+++ b/local/client/client.conf
@@ -0,0 +1,10 @@
+port 51199
+client
+nobind
+dev tun
+ca /root/openvpn-test-server/keys/ca.crt
+cert /root/openvpn-test-server/keys/client.crt
+key /root/openvpn-test-server/keys/client.key
+remote-cert-tls server
+writepid openvpn.pid
+verb 4
diff --git a/local/local_test.sh b/local/local_test.sh
new file mode 100755
index 0000000..71f0db0
--- /dev/null
+++ b/local/local_test.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+set -eux
+
+pushd ../terraform/openvpn-server
+CLIENT=$(terraform output -raw cn_client)
+SERVER=$(terraform output -raw cn_server)
+popd
+
+OPENVPN_TESTS_PATH=/root/openvpn-test-server/openvpn-tests/local
+SSH="ssh -o UserKnownHostsFile=known_hosts"
+
+$SSH -o StrictHostKeyChecking=no "ubuntu@$SERVER" true
+$SSH -o StrictHostKeyChecking=no "ubuntu@$CLIENT" true
+$SSH "ubuntu@$SERVER" cloud-init status --wait
+$SSH "ubuntu@$CLIENT" cloud-init status --wait
+
+: ${IPERF_GLOBAL_SERVER_ARGS:=}
+: ${IPERF_GLOBAL_CLIENT_ARGS:=-t10}
+: ${RUN_NODCO:=true}
+: ${RUN_DCO:=true}
+
+LOG_DIR="testlogs-$(hostname)-$(date +%Y%m%d-%H%M%S)"
+mkdir "$LOG_DIR"
+
+TEST_COUNT=1
+
+start_server() {
+    TEST_NAME="$TEST_COUNT:$1"
+    OVPN_ARGS="$2"
+    $SSH "ubuntu@$SERVER" sudo $OPENVPN_TESTS_PATH/openvpn --cd $OPENVPN_TESTS_PATH/server \
+        --config server.conf $OVPN_ARGS >"$LOG_DIR"/$TEST_NAME.ovpn_server.log 2>&1 &
+    ovpn_server_ssh_pid=$!
+    sleep 1
+    $SSH "ubuntu@$SERVER" sudo iperf $IPERF_GLOBAL_SERVER_ARGS -s >"$LOG_DIR"/$TEST_NAME.iperf_server_tcp.log 2>&1 &
+    $SSH "ubuntu@$SERVER" sudo iperf $IPERF_GLOBAL_SERVER_ARGS -u -s >"$LOG_DIR"/$TEST_NAME.iperf_server_udp.log 2>&1 &
+}
+
+start_client() {
+    TEST_NAME="$TEST_COUNT:$1"
+    OVPN_ARGS="$2"
+    $SSH "ubuntu@$CLIENT" sudo $OPENVPN_TESTS_PATH/openvpn --cd $OPENVPN_TESTS_PATH/client \
+        --config client.conf $OVPN_ARGS --remote "$SERVER" \
+        >"$LOG_DIR"/$TEST_NAME.ovpn_client.log 2>&1 &
+    ovpn_client_ssh_pid=$!
+    sleep 5
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -c 10.199.2.1 >"$LOG_DIR"/$TEST_NAME.iperf_client_tcp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -u -c 10.199.2.1 >"$LOG_DIR"/$TEST_NAME.iperf_client_udp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -c "$SERVER" >"$LOG_DIR"/$TEST_NAME.iperf_client_novpn_tcp.log 2>&1
+    $SSH "ubuntu@$CLIENT" sudo iperf $IPERF_GLOBAL_CLIENT_ARGS -u -c "$SERVER" >"$LOG_DIR"/$TEST_NAME.iperf_client_novpn_udp.log 2>&1
+}
+
+deep_cleanup() {
+    $SSH "ubuntu@$SERVER" sudo killall $OPENVPN_TESTS_PATH/openvpn || true
+    $SSH "ubuntu@$SERVER" sudo killall iperf || true
+    $SSH "ubuntu@$CLIENT" sudo killall $OPENVPN_TESTS_PATH/openvpn || true
+    $SSH "ubuntu@$CLIENT" sudo killall iperf || true
+    sleep 5
+}
+
+post_test_handler() {
+    deep_cleanup
+    echo "Test $TEST_COUNT COMPLETED"
+    TEST_COUNT=$(( TEST_COUNT + 1 ))
+}
+
+retrieve_logs() {
+    for log in syslog cloud-init-output.log; do
+        scp -o UserKnownHostsFile=known_hosts "ubuntu@$SERVER":/var/log/$log "$LOG_DIR"/server.$log
+        scp -o UserKnownHostsFile=known_hosts "ubuntu@$CLIENT":/var/log/$log "$LOG_DIR"/client.$log
+    done
+}
+trap retrieve_logs EXIT
+
+deep_cleanup
+
+if $RUN_NODCO; then
+    start_server nodco_udp "--disable-dco --proto udp6"
+    start_client nodco_udp "--disable-dco --proto udp6"
+    post_test_handler
+
+    start_server nodco_tcp "--disable-dco --proto tcp6"
+    start_client nodco_tcp "--disable-dco --proto tcp6"
+    post_test_handler
+fi
+
+if $RUN_DCO; then
+    start_server dco_udp "--proto udp6"
+    start_client dco_udp "--proto udp6"
+    post_test_handler
+
+    start_server dco_tcp "--proto tcp6"
+    start_client dco_tcp "--proto tcp6"
+    post_test_handler
+fi
+
+deep_cleanup
diff --git a/local/server/server.conf b/local/server/server.conf
new file mode 100644
index 0000000..324ce10
--- /dev/null
+++ b/local/server/server.conf
@@ -0,0 +1,15 @@
+port 51199
+dev tun
+ca /root/openvpn-test-server/keys/ca.crt
+cert /root/openvpn-test-server/keys/server.crt
+key /root/openvpn-test-server/keys/server.key
+dh /root/openvpn-test-server/keys/dh.pem
+server 10.199.2.0 255.255.255.0
+server-ipv6 fd00:abcd:199:2::/64
+topology subnet
+ifconfig-pool-persist ipp.txt 60
+writepid openvpn.pid
+keepalive 10 30
+persist-key
+status openvpn-status.log
+verb 4
diff --git a/terraform/openvpn-server/main.tf b/terraform/openvpn-server/main.tf
index 5d6087c..190dfc5 100644
--- a/terraform/openvpn-server/main.tf
+++ b/terraform/openvpn-server/main.tf
@@ -33,6 +33,13 @@ provider "aws" {
       created-by  = "Terraform/OpenVPN/openvpn-tests/terraform/openvpn-server"
     }
   }
+  dynamic "assume_role" {
+    for_each = var.assume_role != "" ? toset([var.assume_role]) : []
+    content {
+      role_arn     = assume_role.value
+      session_name = var.cluster_name
+    }
+  }
 }
 
 data "aws_caller_identity" "current" {}
@@ -40,7 +47,7 @@ data "aws_caller_identity" "current" {}
 module "pki" {
   source = "../openvpn-test-pki/"
 
-  cn       = local.cn
+  cn       = local.cn_server
   locality = var.cluster_name
   province = var.region
 }
@@ -55,5 +62,6 @@ module "vpc" {
 
 locals {
   aws_account_id = data.aws_caller_identity.current.account_id
-  cn             = "${var.dns_host_name}.${var.dns_zone_name}"
+  cn_server      = "${var.dns_host_name}-server.${var.dns_zone_name}"
+  cn_client      = "${var.dns_host_name}-client.${var.dns_zone_name}"
 }
diff --git a/terraform/openvpn-server/outputs.tf b/terraform/openvpn-server/outputs.tf
index 8f82c48..e643b16 100644
--- a/terraform/openvpn-server/outputs.tf
+++ b/terraform/openvpn-server/outputs.tf
@@ -9,6 +9,9 @@ output "clients" {
   value = module.pki.clients
   sensitive = true
 }
-output "cn" {
-  value = local.cn
+output "cn_server" {
+  value = local.cn_server
+}
+output "cn_client" {
+  value = local.cn_client
 }
diff --git a/terraform/openvpn-server/server.tf b/terraform/openvpn-server/server.tf
index 3eba862..0b52bda 100644
--- a/terraform/openvpn-server/server.tf
+++ b/terraform/openvpn-server/server.tf
@@ -1,9 +1,9 @@
-data "aws_ami" "ubuntu2004" {
+data "aws_ami" "ubuntu2204" {
   owners = ["099720109477"]
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220901"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20230711"]
   }
 
   filter {
@@ -26,7 +26,7 @@ data "cloudinit_config" "ubuntu_server" {
   part {
     content_type = "text/cloud-config"
     content = jsonencode({
-      packages = [ "awscli", "git", "net-tools" ]
+      packages = [ "awscli", "git", "iperf", "net-tools" ]
       package_update = true
       package_upgrade = false
       package_reboot_if_required = false
@@ -42,12 +42,24 @@ data "cloudinit_config" "ubuntu_server" {
         {
           path = "/root/openvpn-test-server/keys/server.key"
           content = module.pki.server_key
+          permissions = "0o400"
+        },
+        {
+          path = "/root/openvpn-test-server/keys/client.crt"
+          content = module.pki.clients["test_client"].cert
+        },
+        {
+          path = "/root/openvpn-test-server/keys/client.key"
+          content = module.pki.clients["test_client"].key
+          permissions = "0o400"
         },
         {
           path = "/root/openvpn-test-server/vars"
           content = <<EOF
 OPENVPN_REPO=${var.openvpn_repo}
 OPENVPN_BRANCH=${var.openvpn_branch}
+OVPN_DCO_REPO=${var.ovpn_dco_repo}
+OVPN_DCO_BRANCH=${var.ovpn_dco_branch}
 TEST_REPO=${var.test_repo}
 TEST_BRANCH=${var.test_branch}
 EOF
@@ -74,27 +86,38 @@ service procps restart
 
 sed -i -e 's/^# deb-src/deb-src/g' /etc/apt/sources.list
 
-apt update && apt build-dep -y openvpn
-apt install -y libcap-ng-dev
+apt update
+apt build-dep -y openvpn
+apt install -y libnl-genl-3-dev libcap-ng-dev
+apt install -y dkms # to get all kernel build deps
 
 cd /root/openvpn-test-server
 
 . ./vars
 
 git clone -b $OPENVPN_BRANCH $OPENVPN_REPO openvpn
+git clone -b $OVPN_DCO_BRANCH $OVPN_DCO_REPO ovpn-dco
 git clone -b $TEST_BRANCH $TEST_REPO openvpn-tests
 ln -s $PWD/openvpn/src/openvpn/openvpn openvpn-tests/server
+ln -s $PWD/openvpn/src/openvpn/openvpn openvpn-tests/local
 
 pushd keys
 openssl dhparam -out dh.pem 2048
 popd
 
-cd openvpn
+pushd openvpn
 
 autoreconf -f -i
 ./configure
 make -j4
 
+popd
+pushd ovpn-dco
+
+make KERNEL_SRC=/lib/modules/$(uname -r)/build/
+make install
+modprobe ovpn-dco-v2
+
 EOF
   }
 }
@@ -104,10 +127,35 @@ module "server_instance" {
   source  = "terraform-aws-modules/ec2-instance/aws"
   version = "~> 4.0.0"
 
-  name = "${var.cluster_name}-server"
+  name = local.cn_server
+
+  associate_public_ip_address = true
+  ami                    = data.aws_ami.ubuntu2204.id
+  instance_type          = "m5.xlarge"
+  ipv6_address_count     = 1
+  key_name               = module.vpc.key_pair
+  placement_group        = module.vpc.placement_group
+  vpc_security_group_ids = [module.vpc.sg_id]
+  subnet_id              = module.vpc.first_subnet
+  user_data_base64       = data.cloudinit_config.ubuntu_server.rendered
+  user_data_replace_on_change = true
+
+  root_block_device = [
+    {
+      volume_size = 20
+    },
+  ]
+
+}
+
+module "local_client_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 4.0.0"
+
+  name = local.cn_client
 
   associate_public_ip_address = true
-  ami                    = data.aws_ami.ubuntu2004.id
+  ami                    = data.aws_ami.ubuntu2204.id
   instance_type          = "m5.xlarge"
   ipv6_address_count     = 1
   key_name               = module.vpc.key_pair
@@ -115,7 +163,7 @@ module "server_instance" {
   vpc_security_group_ids = [module.vpc.sg_id]
   subnet_id              = module.vpc.first_subnet
   user_data_base64       = data.cloudinit_config.ubuntu_server.rendered
-  user_data_replace_on_change = false
+  user_data_replace_on_change = true
 
   root_block_device = [
     {
@@ -130,7 +178,7 @@ data "aws_route53_zone" "selected" {
 
 resource "aws_route53_record" "server_ipv4" {
   zone_id = data.aws_route53_zone.selected.zone_id
-  name    = local.cn
+  name    = local.cn_server
   type    = "A"
   ttl     = "60"
   records = [module.server_instance.public_ip]
@@ -138,8 +186,24 @@ resource "aws_route53_record" "server_ipv4" {
 
 resource "aws_route53_record" "server_ipv6" {
   zone_id = data.aws_route53_zone.selected.zone_id
-  name    = local.cn
+  name    = local.cn_server
   type    = "AAAA"
   ttl     = "60"
   records = module.server_instance.ipv6_addresses
 }
+
+resource "aws_route53_record" "client_ipv4" {
+  zone_id = data.aws_route53_zone.selected.zone_id
+  name    = local.cn_client
+  type    = "A"
+  ttl     = "60"
+  records = [module.local_client_instance.public_ip]
+}
+
+resource "aws_route53_record" "client_ipv6" {
+  zone_id = data.aws_route53_zone.selected.zone_id
+  name    = local.cn_client
+  type    = "AAAA"
+  ttl     = "60"
+  records = module.local_client_instance.ipv6_addresses
+}
diff --git a/terraform/openvpn-server/variables.tf b/terraform/openvpn-server/variables.tf
index a50d2e5..3469a57 100644
--- a/terraform/openvpn-server/variables.tf
+++ b/terraform/openvpn-server/variables.tf
@@ -1,23 +1,41 @@
+variable "assume_role" {
+  description = "Have the AWS provider assume a role"
+  type        = string
+  default     = ""
+}
+
 variable "openvpn_repo" {
-  description = "Git Repo URI"
+  description = "OpenVPN 2 Git Repo URI"
   type        = string
   default     = "https://github.com/OpenVPN/openvpn.git"
 }
 
+variable "ovpn_dco_repo" {
+  description = "DCO Linux Kernel Module Git Repo URI"
+  type        = string
+  default     = "https://github.com/OpenVPN/ovpn-dco.git"
+}
+
 variable "test_repo" {
-  description = "Git Repo URI"
+  description = "Tests Git Repo URI"
   type        = string
   default     = "https://github.com/OpenVPN/openvpn-tests.git"
 }
 
 variable "openvpn_branch" {
-  description = "Branch name to check out"
+  description = "Branch name to check out in openvpn_repo"
+  type        = string
+  default     = "master"
+}
+
+variable "ovpn_dco_branch" {
+  description = "Branch name to check out in ovpn_dco_repo"
   type        = string
   default     = "master"
 }
 
 variable "test_branch" {
-  description = "Branch name to check out"
+  description = "Branch name to check out in test_repo"
   type        = string
   default     = "main"
 }
@@ -33,7 +51,7 @@ variable "dns_zone_name" {
 }
 
 variable "dns_host_name" {
-  description = "Hostname to use for server"
+  description = "Hostname prefix to use"
   type        = string
   default     = "openvpn-test"
 }