Acked-by: Gert Doering <>

"Simplifying state machine much good" :-)

I have stared at the code a bit ("seems to make sense") and fed this to
the full test rig - extensive client side tests on Linux and FreeBSD,
full set of server side tests on Linux (DCO and no DCO).  Didn't test
FreeBSD/DCO as this is really just TLS handshakes, and all the weirdness
in the past related to TLS handshake has hit both platforms the same.

I did have an extra eye on the p2p TLS tests that tended to fail if
the timing was just right - repaired keepalive already fixed those,
so I tried without keepalive, with the usual timing (reneg-sec 300,
reconnect after 400s).

Dec 24 22:42:13 ubuntu2004 tun-udp-p2p-tls-sha256[1805147]: TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1

.. but this still confuses the --tls-server...

Dec 24 22:43:14 ubuntu2004 tun-udp-p2p-tls-sha256[1805147]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 24 22:43:14 ubuntu2004 tun-udp-p2p-tls-sha256[1805147]: TLS Error: TLS handshake failed
Dec 24 22:43:20 ubuntu2004 tun-udp-p2p-tls-sha256[1805147]: TLS Error: Received control packet from unexpected IP addr: [AF_INET6]::ffff:

.. and it will then fail to establish connections.  So this is no worse
than without this patch (and no better).  The server will eventually
recover (after 3600s), but --keepalive will fix it as well.

Let's see if the "send UDP directly" patch will fix that one.

Your patch has been applied to the master and release/2.6 branch,
squashed together with 1/9.

commit 7dcde87b7a4323ffb173576d4559e14fcfe4e627 (master)
commit 9828c7045a27e7dc5e6f430798323a1abd003fbf (release/2.6)
Author: Arne Schwabe
Date:   Sat Dec 24 20:42:46 2022 +0100

     Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

     Signed-off-by: Arne Schwabe <>
     Acked-by: Gert Doering <>
     Message-Id: <>
     Signed-off-by: Gert Doering <>

kind regards,

Gert Doering

Openvpn-devel mailing list