--- send.c.orig	2017-10-17 20:26:29.000000000 +0300
+++ send.c	2018-01-08 15:10:25.364428109 +0300
@@ -302,7 +302,7 @@
 	 * all of the packets in the queue. If we can't assign nonces for all of them,
 	 * we just consider it a failure and wait for the next handshake. */
 	skb_queue_walk (&packets, skb) {
-		PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(0 /* No outer TOS: no leak. TODO: should we use flowi->tos as outer? */, ip_hdr(skb), skb);
+		PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(ipv4_get_dsfield(ip_hdr(skb)) & ~INET_ECN_MASK, ip_hdr(skb), skb);
 		PACKET_CB(skb)->nonce = atomic64_inc_return(&key->counter.counter) - 1;
 		if (unlikely(PACKET_CB(skb)->nonce >= REJECT_AFTER_MESSAGES))
 			goto out_invalid;