OpenVPN/openvpn

OpenVPN 2.7.4 Windows 11 fails TLS negotiation while 2.6.17 works

Open

#1036 opened on May 18, 2026

View on GitHub
 (8 comments) (0 reactions) (0 assignees)C (13,839 stars) (3,314 forks)batch import
help wantedmoreinformationneeded

Description

OpenVPN 2.7.4 on Windows 11 fails TLS negotiation with an existing legacy UDP setup that works correctly on:

  • Linux OpenVPN 2.6.14
  • Windows OpenVPN 2.6.17

Environment:

  • Windows 11 build 10.0.26200
  • OpenVPN 2.7.4
  • OpenSSL 3.6.2

Symptoms:

  • Client hangs at: TLS key negotiation failed to occur within 60 seconds
  • Server never logs: TLS: Initial packet from
  • tcpdump on intermediate pfSense shows repeated: UDP, length 14
  • No valid TLS handshake packets observed.

Same exact .ovpn config and certificates connect immediately with OpenVPN 2.6.17 on Windows and 2.6.14 on Linux.

Workaround: Downgrading Windows client from 2.7.4 to 2.6.17 resolves the issue instantly without configuration changes.

Contributor guide

Tech stack
c
Domain
security
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
C programmingTLS/SSL knowledgeOpenVPN architecture
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Start by comparing the git changelog between OpenVPN 2.6.17 and 2.7.4, focusing on commits related to TLS and Windows compatibility. Examine the TLS negotiation code in src/openvpn/ssl.c and ssl backend.c. Use tcpdump or Wireshark to capture the failing handshake and identify at which stage it stops. Check for any Windows specific changes in src/openvpn/win32.c and verify OpenSSL version upgrade impact.