diff --git a/README.md b/README.md
index b0be34790..f958583e8 100644
--- a/README.md
+++ b/README.md
@@ -913,6 +913,28 @@ Optionally included keys are: where the SRTP endpoint isn't able to receive or process the DTLS handshake packets, for example when it's behind NAT or needs to finish ICE processing first. + - `active` + + Reverts the `passive` setting. Only useful if the `dtls-passive` config option is set. + +* `DTLS-reverse` + + Contains a string and influences the behaviour of DTLS-SRTP. Unlike the regular `DTLS` flag, this one + is used to control behaviour towards DTLS that was offered to *rtpengine*. In particular, if `passive` + mode is used, it prevents *rtpengine* from prematurely sending active DTLS connection attempts. + Possible values are: + + - `passive` + + Instructs *rtpengine* to prefer the passive (i.e. server) role for the DTLS + handshake. The default is to take the active (client) role if possible. This is useful in cases + where the SRTP endpoint isn't able to receive or process the DTLS handshake packets, for example + when it's behind NAT or needs to finish ICE processing first. + + - `active` + + Reverts the `passive` setting. Only useful if the `dtls-passive` config option is set. + * `SDES` A list of strings controlling the behaviour regarding SDES. The default is to offer SDES without any
diff --git a/daemon/call.c b/daemon/call.c
index d4b7e65b2..f7cdf21ac 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -1757,7 +1757,7 @@ static void __dtls_logic(const struct sdp_ng_flags *flags,
 == MEDIA_FLAG_SETUP_PASSIVE)
 MEDIA_CLEAR(other_media, SETUP_ACTIVE);
 /* if passive mode is requested, honour it if we can */
- if (flags && flags->dtls_passive && MEDIA_ISSET(other_media, SETUP_PASSIVE))
+ if (flags && flags->dtls_reverse_passive && MEDIA_ISSET(other_media, SETUP_PASSIVE))
 MEDIA_CLEAR(other_media, SETUP_ACTIVE);
 }
diff --git a/daemon/call_interfaces.c b/daemon/call_interfaces.c
index cc4de7b37..17bcd1ce1 100644
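Review bot: The comment above the changed condition, `/* if passive mode is requested, honour it if we can */`, no longer says which request it means now that the test reads `flags->dtls_reverse_passive` instead of `flags->dtls_passive`, and the two bits are filled from different keys (`DTLS` versus `DTLS-reverse`) in call_ng_process_flags(). Suggest `/* if passive mode is requested for DTLS offered to us (DTLS-reverse), honour it if we can */` so a reader of __dtls_logic does not assume a plain `DTLS=passive` still reaches this branch. __dtls_logic starts before the hunk and the rest of its body is not shown, so whether `dtls_passive` still influences it elsewhere is not visible here.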
--- a/daemon/call_interfaces.c
+++ b/daemon/call_interfaces.c
@@ -861,6 +861,7 @@ static void call_ng_process_flags(struct sdp_ng_flags *out, bencode_item_t *inpu
 out->trust_address = trust_address_def;
 out->dtls_passive = dtls_passive_def;
+ out->dtls_reverse_passive = dtls_passive_def;
 call_ng_flags_list(out, input, "flags", call_ng_flags_flags, NULL);
 call_ng_flags_list(out, input, "replace", call_ng_flags_replace, NULL);
@@ -925,6 +926,9 @@ static void call_ng_process_flags(struct sdp_ng_flags *out, bencode_item_t *inpu
 case CSH_LOOKUP("passive"):
 out->dtls_passive = 1;
 break;
+ case CSH_LOOKUP("active"):
+ out->dtls_passive = 0;
+ break;
 case CSH_LOOKUP("no"):
 case CSH_LOOKUP("off"):
 case CSH_LOOKUP("disabled"):
@@ -937,6 +941,20 @@ static void call_ng_process_flags(struct sdp_ng_flags *out, bencode_item_t *inpu
 }
 }
+ if (bencode_dictionary_get_str(input, "DTLS-reverse", &s)) {
+ switch (__csh_lookup(&s)) {
+ case CSH_LOOKUP("passive"):
+ out->dtls_reverse_passive = 1;
+ break;
+ case CSH_LOOKUP("active"):
+ out->dtls_reverse_passive = 0;
+ break;
+ default:
+ ilog(LOG_WARN, "Unknown 'DTLS-reverse' flag encountered: '"STR_FORMAT"'",
+ STR_FMT(&s));
+ }
+ }
+
 call_ng_flags_list(out, input, "rtcp-mux", call_ng_flags_rtcp_mux, NULL);
 call_ng_flags_list(out, input, "SDES", ng_sdes_option, NULL);
 call_ng_flags_list(out, input, "OSRTP", ng_osrtp_option, NULL);
diff --git a/daemon/dtls.c b/daemon/dtls.c
index d5ba441e5..e80a6f751 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -500,8 +500,6 @@ int dtls_connection_init(struct dtls_connection *d, struct packet_stream *ps, in
 {
 unsigned long err;
- __DBG("dtls_connection_init(%i)", active);
-
 if (d->init) {
 if ((d->active && active) || (!d->active && !active))
 goto done;
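Review bot: The new `DTLS-reverse` switch repeats the `passive` → 1 / `active` → 0 mapping that the `DTLS` handler in the preceding hunk also performs, with only the destination bit (`dtls_reverse_passive` versus `dtls_passive`) differing, so the two accepted value lists now have to be kept in step by hand. A small static helper that parses the role string once and is called from both keys would keep any future value in one place, and would also let both keys share the same unknown-value warning. The enclosing call_ng_process_flags() starts before this hunk and continues after it.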
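Review bot: The removed `__DBG("dtls_connection_init(%i)", active)` was the only trace of the requested role on every call to dtls_connection_init(), and its replacement in the next hunk sits after the `if (d->init)` shortcut, so a call whose role matches the already-initialised context jumps to `done` without leaving any debug record. If that shortcut matters when diagnosing role changes between offer and answer, keep one line ahead of the check, e.g. `ilog(LOG_DEBUG, "DTLS connection init requested (%s)", active ? "active" : "passive");`. dtls_connection_init() continues past the end of this hunk.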
@@ -510,6 +508,8 @@ int dtls_connection_init(struct dtls_connection *d, struct packet_stream *ps, in
 d->ptr = ps;
+ ilog(LOG_DEBUG, "Creating %s DTLS connection context", active ? "active" : "passive");
+
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
 d->ssl_ctx = SSL_CTX_new(active ? DTLS_client_method() : DTLS_server_method());
 #else
@@ -801,7 +801,7 @@ void dtls_shutdown(struct packet_stream *ps) {
 }
 void dtls_connection_cleanup(struct dtls_connection *c) {
- __DBG("dtls_connection_cleanup");
+ ilog(LOG_DEBUG, "Resetting DTLS connection context");
 if (c->ssl_ctx)
 SSL_CTX_free(c->ssl_ctx);
diff --git a/include/call_interfaces.h b/include/call_interfaces.h
index 8656896b4..5507a2e4d 100644
--- a/include/call_interfaces.h
+++ b/include/call_interfaces.h
@@ -67,6 +67,7 @@ struct sdp_ng_flags {
 strict_source:1,
 media_handover:1,
 dtls_passive:1,
+ dtls_reverse_passive:1,
 osrtp_accept:1,
 osrtp_offer:1,
 reset:1,
diff --git a/t/auto-daemon-tests.pl b/t/auto-daemon-tests.pl
index ca1eb9d99..554ccb042 100755
--- a/t/auto-daemon-tests.pl
+++ b/t/auto-daemon-tests.pl
@@ -36,6 +36,112 @@ my ($sock_a, $sock_b, $sock_c, $sock_d, $port_a, $port_b, $ssrc, $resp, +# DTLS-reverse flag + +new_call; + +offer('DTLS-reverse not set', { + ICE => 'remove', 'transport-protocol' => 'RTP/AVP', + }, < 'remove', + }, < 'remove', 'transport-protocol' => 'RTP/AVP', + 'DTLS-reverse' => 'passive', + }, < 'remove', + }, <
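Review bot: The new `dtls_reverse_passive:1` bit in struct sdp_ng_flags is added without a comment, although it differs from the neighbouring `dtls_passive` only in which side's DTLS setup it applies to, which is easy to confuse at the use site in __dtls_logic. Suggest `dtls_reverse_passive:1, /* DTLS-reverse=passive: prefer the server role for DTLS offered to us; defaults to the dtls-passive config value */`, which matches the README text in this commit and the default assigned in call_ng_process_flags(). The struct definition continues outside the hunk.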