Time-out on PUSH_REQUESTs using OpenVPN(-NL)

26 Apr 2019

Hello all,

I'm working with OpenVPN-NL, which uses the mbed TLS 2.9.0 library. We've discovered that when a client disconnects and reconnects (e.g. the client is killed and restarted), the client will send a PUSH_REQUEST to the server, but the server will never answer. This was reported as https://community.openvpn.net/openvpn/ticket/880 by krzee in 2017. The user krzee also reported that the issue disappeared when he switched out mbed TLS for OpenSSL. This is not an option for OpenVPN-NL, which uses mbed TLS in all its releases.

Analysis seems to indicate that the TLS server ignores new PUSH_REQUESTs for connections it already considers to be active, which causes the OpenVPN(-NL) server to never send a reply, which in turn causes the OpenVPN(-NL) client to disconnect after 12 attempts (and retry after a few seconds).

Does anyone have any idea what might cause this issue? It appears to have been a change in the code somewhere between when the library was still called PolarSSL (since it works for OpenVPN-NL 2.3.9) and 2017 (since it was first reported then).

Kind regards,

Pieter Hulshoff

29 Apr 2019

I tried to post this as text, but I got an error message...

/media/uploads/phulshof/openvpn-nl.png

29 Apr 2019

The above log is from the OpenVPN-NL 2.4.4 server; I'm not 100% sure which version of the mbed TLS library was used at that time.