godliness · October 28, 2015 10:44 · Aug 18, 2015 · Jul 23, 2015 · Jul 13, 2015 · Jul 3, 2015
diff --git a/README.md b/README.md
@@ -0,0 +1,21 @@
+## IPsec/L2TP VPN Auto Install Script for Ubuntu/Debian
+
+Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8 (Jessie).
+
+With minor modifications, this script **can also be used** on dedicated servers or any KVM- or XEN- based Virtual Private Server (VPS) from other providers.
+
+#### <a href="https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/" target="_blank">My VPN tutorial with detailed usage instructions</a>  
+<a href="https://gist.github.com/hwdsl2/e9a78a50e300d12ae195" target="_blank">Alternative VPN script for CentOS/RHEL</a>  
+<a href="http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md" target="_blank">Original post by Thomas Sarlandie</a>
+
+&darr;&nbsp;&nbsp;&darr;&nbsp;&nbsp;&darr; Scroll down for the script &darr;&nbsp;&nbsp;&darr;&nbsp;&nbsp;&darr;
+
+### Copyright and license
+
+Copyright (C) 2014 <a href="https://www.linkedin.com/in/linsongui" target="_blank">Lin Song</a>  
+Based on the work of Thomas Sarlandie (Copyright 2012)
+
+This work is licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0/" target="_blank">Creative Commons Attribution-ShareAlike 3.0</a>  
+Attribution required: please include my name in any derivative and let me know how you have improved it!
+
+<a href="https://github.com/igrigorik/ga-beacon" target="_blank"><img src="https://ga-bc1.appspot.com/UA-46742347-4/hwdsl2/9030462?dh=gist.github.com&amp;gif=1" alt="Analytics" style="max-width:100%;"></a>
diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -1,19 +1,13 @@
 #!/bin/sh
 #
 # Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server
-# on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8 & 7.
+# on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8.
 # With minor modifications, this script *can also be used* on dedicated servers
 # or any KVM- or XEN-based Virtual Private Server (VPS) from other providers.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
 # YOUR AMAZON EC2 INSTANCE STARTS!
 #
-# For detailed instructions, please see:
-# https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
-# CentOS/RHEL version: https://gist.github.com/hwdsl2/e9a78a50e300d12ae195
-# Original post by Thomas Sarlandie: 
-# http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
-#
 # Copyright (C) 2014 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
@@ -26,7 +20,6 @@
 if [ "$(uname)" = "Darwin" ]; then
   echo 'DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance'
   echo 'or other Dedicated Server / VPS, after you have modified it to set the variables below.'
-  echo 'Please see detailed instructions at the URLs in the comments.'
   exit
 fi
 
@@ -51,7 +44,7 @@ VPN_PASSWORD=your_very_secure_password
 # Important Notes:
 # For Windows users, a registry change is required to allow connections
 # to a VPN server behind NAT. Refer to section "Error 809" on this page:
-# https://kb.meraki.com/knowledge_base/troubleshooting-client-vpn
+# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN
 
 # iPhone/iOS users may need to replace this line in ipsec.conf:
 # "rightprotoport=17/%any" with "rightprotoport=17/0".
@@ -66,35 +59,39 @@ apt-get -y install wget dnsutils nano
 echo 'If the script hangs here, press Ctrl-C to interrupt, then edit it and comment out'
 echo 'the next two lines PUBLIC_IP= and PRIVATE_IP=, OR replace them with the actual IPs.'
 
-# In Amazon EC2, these two variables will be found automatically
+# In Amazon EC2, these two variables will be found automatically.
 # For all other servers, you may replace them with the actual IPs,
-# or comment out and let the script auto-detect in the next section
-# If your server only has a public IP, use that IP on both lines
-PUBLIC_IP=$(wget --retry-connrefused --tries=3 --timeout 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
-PRIVATE_IP=$(wget --retry-connrefused --tries=3 --timeout 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
+# or comment out and let the script auto-detect in the next section.
+# If your server only has a public IP, use that IP on both lines.
+PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
+PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
 
-# Attempt to find Public IP and Private IP automatically for non-EC2 servers
+# Attempt to find server IPs automatically for non-EC2 servers
 [ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
-[ "$PUBLIC_IP" = "" ] && { echo "Could not find Public IP, please edit the script manually."; exit; }
+[ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
+[ "$PUBLIC_IP" = "" ] && { echo "Could not find Public IP, please edit the VPN script manually."; exit; }
 [ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
-[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the script manually."; exit; }
+[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit; }
 
 # Install necessary packages
 apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libcap-ng-dev libcap-ng-utils libselinux1-dev \
         libcurl4-nss-dev libgmp3-dev flex bison gcc make \
-        libunbound-dev libnss3-tools
+        libunbound-dev libnss3-tools libevent-dev
+apt-get -y --no-install-recommends install xmlto
 apt-get -y install xl2tpd
 
-# Compile and install Libreswan (https://libreswan.org/)
-# To upgrade Libreswan when a newer version is available, just re-run these
-# eight commands with the new "SWAN_VER", and then restart services with
-# "service ipsec restart" and "service xl2tpd restart".
+# Create and change to working dir
 mkdir -p /opt/src
 cd /opt/src
-SWAN_VER=3.13
+
+# Compile and install Libreswan (https://libreswan.org/)
+# To upgrade Libreswan when a newer version is available, just re-run
+# these commands with the new "SWAN_VER", and then restart services with
+# "service ipsec restart" and "service xl2tpd restart".
+SWAN_VER=3.15
 SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
-wget --retry-connrefused --tries=3 --timeout 15 -qO- $SWAN_URL | tar xvz
+wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz
 [ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve the Libreswan source file. Aborting."; exit; }
 cd libreswan-${SWAN_VER}
 make programs && make install
@@ -239,6 +236,8 @@ cat > /etc/iptables.rules <<EOF
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
+# If you wish to allow traffic between VPN clients themselves, uncomment this line:
+# -A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 -A FORWARD -j DROP
 -A ICMPALL -p icmp -f -j DROP
 -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -70,8 +70,8 @@ echo 'the next two lines PUBLIC_IP= and PRIVATE_IP=, OR replace them with the ac
 # For all other servers, you may replace them with the actual IPs,
 # or comment out and let the script auto-detect in the next section
 # If your server only has a public IP, use that IP on both lines
-PUBLIC_IP=$(wget --timeout 10 -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
-PRIVATE_IP=$(wget --timeout 10 -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+PUBLIC_IP=$(wget --retry-connrefused --tries=3 --timeout 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
+PRIVATE_IP=$(wget --retry-connrefused --tries=3 --timeout 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
 
 # Attempt to find Public IP and Private IP automatically for non-EC2 servers
 [ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
@@ -88,14 +88,16 @@ apt-get -y install xl2tpd
 
 # Compile and install Libreswan (https://libreswan.org/)
 # To upgrade Libreswan when a newer version is available, just re-run these
-# six commands with the new download link, and then restart services with
+# eight commands with the new "SWAN_VER", and then restart services with
 # "service ipsec restart" and "service xl2tpd restart".
 mkdir -p /opt/src
 cd /opt/src
-wget -qO- https://download.libreswan.org/libreswan-3.13.tar.gz | tar xvz
-cd libreswan-3.13
-make programs
-make install
+SWAN_VER=3.13
+SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz
+wget --retry-connrefused --tries=3 --timeout 15 -qO- $SWAN_URL | tar xvz
+[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve the Libreswan source file. Aborting."; exit; }
+cd libreswan-${SWAN_VER}
+make programs && make install
 
 # Prepare various config files
 cat > /etc/ipsec.conf <<EOF

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
-# Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN
-# on a Ubuntu server instance. Tested with 14.04 (Trusty) AND 12.04 (Precise).
+# Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server
+# on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8 & 7.
 # With minor modifications, this script *can also be used* on dedicated servers
 # or any KVM- or XEN-based Virtual Private Server (VPS) from other providers.
 #
@@ -30,8 +30,8 @@ if [ "$(uname)" = "Darwin" ]; then
   exit
 fi
 
-if [ "$(lsb_release -si)" != "Ubuntu" ]; then
-  echo "Looks like you aren't running this script on a Ubuntu system."
+if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
+  echo "Looks like you aren't running this script on a Ubuntu or Debian system."
   exit
 fi
 
@@ -184,7 +184,7 @@ cat > /etc/ppp/chap-secrets <<EOF
 $VPN_USER  l2tpd  $VPN_PASSWORD  *
 EOF
 
-/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)
+/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S) 2>/dev/null
 cat > /etc/sysctl.conf <<EOF
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
@@ -217,7 +217,7 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
-/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)
+/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S) 2>/dev/null
 cat > /etc/iptables.rules <<EOF
 *filter
 :INPUT ACCEPT [0:0]
@@ -238,7 +238,7 @@ cat > /etc/iptables.rules <<EOF
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
 -A FORWARD -j DROP
--A ICMPALL -p icmp -f -j DROP        
+-A ICMPALL -p icmp -f -j DROP
 -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
@@ -261,7 +261,7 @@ cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 exit 0
 EOF
 
-/bin/cp -f /etc/rc.local /etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)
+/bin/cp -f /etc/rc.local /etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S) 2>/dev/null
 cat > /etc/rc.local <<EOF
 #!/bin/sh -e
 #

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -10,6 +10,7 @@
 #
 # For detailed instructions, please see:
 # https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
+# CentOS/RHEL version: https://gist.github.com/hwdsl2/e9a78a50e300d12ae195
 # Original post by Thomas Sarlandie: 
 # http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
 #
@@ -23,10 +24,20 @@
 # know how you have improved it! 
 
 if [ "$(uname)" = "Darwin" ]; then
-  echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
-  echo "or other Dedicated Server / VPS, after you have modified it to set the variables below."
-  echo "Please see detailed instructions at the URLs in the comments."
-  exit 1
+  echo 'DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance'
+  echo 'or other Dedicated Server / VPS, after you have modified it to set the variables below.'
+  echo 'Please see detailed instructions at the URLs in the comments.'
+  exit
+fi
+
+if [ "$(lsb_release -si)" != "Ubuntu" ]; then
+  echo "Looks like you aren't running this script on a Ubuntu system."
+  exit
+fi
+
+if [ "$(id -u)" != 0 ]; then
+  echo "Sorry, you need to run this script as root."
+  exit
 fi
 
 # Please define your own values for those variables
@@ -48,21 +59,32 @@ VPN_PASSWORD=your_very_secure_password
 # If using Amazon EC2, these ports must be open in the security group of
 # your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
 
+# Update package index and install wget, dig (dnsutils) and nano
+apt-get -y update
+apt-get -y install wget dnsutils nano
+
+echo 'If the script hangs here, press Ctrl-C to interrupt, then edit it and comment out'
+echo 'the next two lines PUBLIC_IP= and PRIVATE_IP=, OR replace them with the actual IPs.'
+
 # In Amazon EC2, these two variables will be found automatically
-# For all other servers, you MUST replace them with the actual IPs!
+# For all other servers, you may replace them with the actual IPs,
+# or comment out and let the script auto-detect in the next section
 # If your server only has a public IP, use that IP on both lines
-# Get public IP:  dig +short myip.opendns.com @resolver1.opendns.com
-# Get private IP: ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'
-PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
-PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+PUBLIC_IP=$(wget --timeout 10 -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
+PRIVATE_IP=$(wget --timeout 10 -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+
+# Attempt to find Public IP and Private IP automatically for non-EC2 servers
+[ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+[ "$PUBLIC_IP" = "" ] && { echo "Could not find Public IP, please edit the script manually."; exit; }
+[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
+[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the script manually."; exit; }
 
 # Install necessary packages
-apt-get update
-apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
+apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libcap-ng-dev libcap-ng-utils libselinux1-dev \
         libcurl4-nss-dev libgmp3-dev flex bison gcc make \
-        libunbound-dev libnss3-tools wget -y
-apt-get install xl2tpd -y
+        libunbound-dev libnss3-tools
+apt-get -y install xl2tpd
 
 # Compile and install Libreswan (https://libreswan.org/)
 # To upgrade Libreswan when a newer version is available, just re-run these

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -70,8 +70,8 @@ apt-get install xl2tpd -y
 # "service ipsec restart" and "service xl2tpd restart".
 mkdir -p /opt/src
 cd /opt/src
-wget -qO- https://download.libreswan.org/libreswan-3.12.tar.gz | tar xvz
-cd libreswan-3.12
+wget -qO- https://download.libreswan.org/libreswan-3.13.tar.gz | tar xvz
+cd libreswan-3.13
 make programs
 make install
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -51,7 +51,7 @@ VPN_PASSWORD=your_very_secure_password
 # In Amazon EC2, these two variables will be found automatically
 # For all other servers, you MUST replace them with the actual IPs!
 # If your server only has a public IP, use that IP on both lines
-# Get public IP:  wget -qO- http://ipecho.net/plain ; echo
+# Get public IP:  dig +short myip.opendns.com @resolver1.opendns.com
 # Get private IP: ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'
 PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -45,8 +45,8 @@ VPN_PASSWORD=your_very_secure_password
 # iPhone/iOS users may need to replace this line in ipsec.conf:
 # "rightprotoport=17/%any" with "rightprotoport=17/0".
 
-# If using Amazon EC2, these ports must be open in the security group
-# of your VPN server: UDP ports 500 and 4500, and TCP port 22 (for SSH).
+# If using Amazon EC2, these ports must be open in the security group of
+# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
 
 # In Amazon EC2, these two variables will be found automatically
 # For all other servers, you MUST replace them with the actual IPs!

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -45,6 +45,9 @@ VPN_PASSWORD=your_very_secure_password
 # iPhone/iOS users may need to replace this line in ipsec.conf:
 # "rightprotoport=17/%any" with "rightprotoport=17/0".
 
+# If using Amazon EC2, these ports must be open in the security group
+# of your VPN server: UDP ports 500 and 4500, and TCP port 22 (for SSH).
+
 # In Amazon EC2, these two variables will be found automatically
 # For all other servers, you MUST replace them with the actual IPs!
 # If your server only has a public IP, use that IP on both lines

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -34,9 +34,17 @@ IPSEC_PSK=your_very_secure_key
 VPN_USER=your_username
 VPN_PASSWORD=your_very_secure_password
 
-# Note: If you need multiple VPN users with different credentials,
+# If you need multiple VPN users with different credentials,
 # please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
 
+# Important Notes:
+# For Windows users, a registry change is required to allow connections
+# to a VPN server behind NAT. Refer to section "Error 809" on this page:
+# https://kb.meraki.com/knowledge_base/troubleshooting-client-vpn
+
+# iPhone/iOS users may need to replace this line in ipsec.conf:
+# "rightprotoport=17/%any" with "rightprotoport=17/0".
+
 # In Amazon EC2, these two variables will be found automatically
 # For all other servers, you MUST replace them with the actual IPs!
 # If your server only has a public IP, use that IP on both lines
@@ -45,12 +53,6 @@ VPN_PASSWORD=your_very_secure_password
 PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
 
-# Note: iPhone/iOS users may need to replace this line in ipsec.conf
-#  (Source: http://serverfault.com/a/527793)
-# rightprotoport=17/%any
-# with the line below:
-# rightprotoport=17/0
-
 # Install necessary packages
 apt-get update
 apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -224,7 +224,6 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -s 192.168.42.0/24 -o eth+ -m policy --dir out --pol ipsec -j ACCEPT
 -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
 COMMIT
 EOF

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -263,6 +263,7 @@ fi
 
 /sbin/sysctl -p
 /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
+/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
 /sbin/iptables-restore < /etc/iptables.rules
 
 /usr/sbin/service ipsec restart

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -24,7 +24,7 @@
 
 if [ "$(uname)" = "Darwin" ]; then
   echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
-  echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
+  echo "or other Dedicated Server / VPS, after you have modified it to set the variables below."
   echo "Please see detailed instructions at the URLs in the comments."
   exit 1
 fi
@@ -37,11 +37,19 @@ VPN_PASSWORD=your_very_secure_password
 # Note: If you need multiple VPN users with different credentials,
 # please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
 
-# In Amazon EC2, those two variables will be found automatically.
+# In Amazon EC2, these two variables will be found automatically
 # For all other servers, you MUST replace them with the actual IPs!
-# If your server only has a public IP, use that IP on both lines.
-PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+# If your server only has a public IP, use that IP on both lines
+# Get public IP:  wget -qO- http://ipecho.net/plain ; echo
+# Get private IP: ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'
 PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
+PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+
+# Note: iPhone/iOS users may need to replace this line in ipsec.conf
+#  (Source: http://serverfault.com/a/527793)
+# rightprotoport=17/%any
+# with the line below:
+# rightprotoport=17/0
 
 # Install necessary packages
 apt-get update

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -22,7 +22,7 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it! 
 
-if [[ "$(uname)" == "Darwin" ]]; then
+if [ "$(uname)" = "Darwin" ]; then
   echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
   echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
   echo "Please see detailed instructions at the URLs in the comments."

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -22,7 +22,7 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it! 
 
-if [[ "`uname`" == "Darwin" ]]; then
+if [[ "$(uname)" == "Darwin" ]]; then
   echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
   echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
   echo "Please see detailed instructions at the URLs in the comments."
@@ -37,6 +37,12 @@ VPN_PASSWORD=your_very_secure_password
 # Note: If you need multiple VPN users with different credentials,
 # please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
 
+# In Amazon EC2, those two variables will be found automatically.
+# For all other servers, you MUST replace them with the actual IPs!
+# If your server only has a public IP, use that IP on both lines.
+PRIVATE_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4')
+PUBLIC_IP=$(wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4')
+
 # Install necessary packages
 apt-get update
 apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
@@ -51,15 +57,11 @@ apt-get install xl2tpd -y
 # "service ipsec restart" and "service xl2tpd restart".
 mkdir -p /opt/src
 cd /opt/src
-wget -qO- https://download.libreswan.org/libreswan-3.11.tar.gz | tar xvz
-cd libreswan-3.11
+wget -qO- https://download.libreswan.org/libreswan-3.12.tar.gz | tar xvz
+cd libreswan-3.12
 make programs
 make install
 
-# Those two variables will be found automatically
-PRIVATE_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/local-ipv4'`
-PUBLIC_IP=`wget -q -O - 'http://169.254.169.254/latest/meta-data/public-ipv4'`
-
 # Prepare various config files
 cat > /etc/ipsec.conf <<EOF
 version 2.0
@@ -147,7 +149,7 @@ cat > /etc/ppp/chap-secrets <<EOF
 $VPN_USER  l2tpd  $VPN_PASSWORD  *
 EOF
 
-/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old
+/bin/cp -f /etc/sysctl.conf /etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)
 cat > /etc/sysctl.conf <<EOF
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
@@ -180,14 +182,13 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
-/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old
+/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)
 cat > /etc/iptables.rules <<EOF
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :ICMPALL - [0:0]
-:ZREJ - [0:0]
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
@@ -197,26 +198,25 @@ cat > /etc/iptables.rules <<EOF
 -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
 -A INPUT -p udp --dport 1701 -j DROP
--A INPUT -j ZREJ
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i ppp+ -o eth+ -j ACCEPT
--A FORWARD -j ZREJ
--A ICMPALL -p icmp --fragment -j DROP        
+-A FORWARD -j DROP
+-A ICMPALL -p icmp -f -j DROP        
 -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
 -A ICMPALL -p icmp -j DROP
--A ZREJ -p tcp -j REJECT --reject-with tcp-reset 
--A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
--A ZREJ -j REJECT --reject-with icmp-proto-unreachable
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -m policy --dir out --pol ipsec -j ACCEPT
 -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
 COMMIT
 EOF
@@ -227,7 +227,7 @@ cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 exit 0
 EOF
 
-/bin/cp -f /etc/rc.local /etc/rc.local.old
+/bin/cp -f /etc/rc.local /etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)
 cat > /etc/rc.local <<EOF
 #!/bin/sh -e
 #

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -51,8 +51,8 @@ apt-get install xl2tpd -y
 # "service ipsec restart" and "service xl2tpd restart".
 mkdir -p /opt/src
 cd /opt/src
-wget -qO- https://download.libreswan.org/libreswan-3.9.tar.gz | tar xvz
-cd libreswan-3.9
+wget -qO- https://download.libreswan.org/libreswan-3.11.tar.gz | tar xvz
+cd libreswan-3.11
 make programs
 make install
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -25,7 +25,7 @@
 if [[ "`uname`" == "Darwin" ]]; then
   echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
   echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
-  echo "Please see detailed instructions at the URLs in the comments above."
+  echo "Please see detailed instructions at the URLs in the comments."
   exit 1
 fi
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -23,7 +23,7 @@
 # know how you have improved it! 
 
 if [[ "`uname`" == "Darwin" ]]; then
-  echo "DO NOT run this script on your Mac! This script should only be run on a newly-created EC2 instance"
+  echo "DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance"
   echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
   echo "Please see detailed instructions at the URLs in the comments above."
   exit 1

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -23,7 +23,9 @@
 # know how you have improved it! 
 
 if [[ "`uname`" == "Darwin" ]]; then
-  echo "Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below."
+  echo "DO NOT run this script on your Mac! This script should only be run on a newly-created EC2 instance"
+  echo "or other dedicated server / VPS, after you have modified it to set the three variables below."
+  echo "Please see detailed instructions at the URLs in the comments above."
   exit 1
 fi
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -5,14 +5,14 @@
 # With minor modifications, this script *can also be used* on dedicated servers
 # or any KVM- or XEN-based Virtual Private Server (VPS) from other providers.
 #
+# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
+# YOUR AMAZON EC2 INSTANCE STARTS!
+#
 # For detailed instructions, please see:
 # https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
 # Original post by Thomas Sarlandie: 
 # http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
 #
-# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
-# YOUR AMAZON EC2 INSTANCE STARTS!
-#
 # Copyright (C) 2014 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
@@ -22,11 +22,19 @@
 # Attribution required: please include my name in any derivative and let me
 # know how you have improved it! 
 
+if [[ "`uname`" == "Darwin" ]]; then
+  echo "Do not run this script on your mac! This script should only be run on a newly-created EC2 instance, after you have modified it to set the three variables below."
+  exit 1
+fi
+
 # Please define your own values for those variables
 IPSEC_PSK=your_very_secure_key
 VPN_USER=your_username
 VPN_PASSWORD=your_very_secure_password
 
+# Note: If you need multiple VPN users with different credentials,
+# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
 # Install necessary packages
 apt-get update
 apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
@@ -130,9 +138,6 @@ lcp-echo-interval 60
 connect-delay 5000
 EOF
 
-# If you need multiple VPN users with different credentials,
-# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
-
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -5,17 +5,17 @@
 # With minor modifications, this script *can also be used* on dedicated servers
 # or any KVM- or XEN-based Virtual Private Server (VPS) from other providers.
 #
+# For detailed instructions, please see:
+# https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
+# Original post by Thomas Sarlandie: 
+# http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
+#
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
 # YOUR AMAZON EC2 INSTANCE STARTS!
 #
 # Copyright (C) 2014 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
-# For detailed instructions, please see:
-# https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
-# Original post by Thomas Sarlandie: 
-# http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
-#
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
 #
@@ -35,7 +35,10 @@ apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libunbound-dev libnss3-tools wget -y
 apt-get install xl2tpd -y
 
-# Compile and install Libreswan
+# Compile and install Libreswan (https://libreswan.org/)
+# To upgrade Libreswan when a newer version is available, just re-run these
+# six commands with the new download link, and then restart services with
+# "service ipsec restart" and "service xl2tpd restart".
 mkdir -p /opt/src
 cd /opt/src
 wget -qO- https://download.libreswan.org/libreswan-3.9.tar.gz | tar xvz
@@ -127,6 +130,9 @@ lcp-echo-interval 60
 connect-delay 5000
 EOF
 
+# If you need multiple VPN users with different credentials,
+# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -2,6 +2,8 @@
 #
 # Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN
 # on a Ubuntu server instance. Tested with 14.04 (Trusty) AND 12.04 (Precise).
+# With minor modifications, this script *can also be used* on dedicated servers
+# or any KVM- or XEN-based Virtual Private Server (VPS) from other providers.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
 # YOUR AMAZON EC2 INSTANCE STARTS!

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -36,8 +36,8 @@ apt-get install xl2tpd -y
 # Compile and install Libreswan
 mkdir -p /opt/src
 cd /opt/src
-wget -qO- https://download.libreswan.org/libreswan-3.8.tar.gz | tar xvz
-cd libreswan-3.8
+wget -qO- https://download.libreswan.org/libreswan-3.9.tar.gz | tar xvz
+cd libreswan-3.9
 make programs
 make install
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -192,7 +192,7 @@ cat > /etc/iptables.rules <<EOF
 -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
 -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
--A ICMPALL -j DROP
+-A ICMPALL -p icmp -j DROP
 -A ZREJ -p tcp -j REJECT --reject-with tcp-reset 
 -A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
 -A ZREJ -j REJECT --reject-with icmp-proto-unreachable

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN
-# on a Ubuntu server instance. Tested with 12.04.
+# on a Ubuntu server instance. Tested with 14.04 (Trusty) AND 12.04 (Precise).
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN WHEN 
 # YOUR AMAZON EC2 INSTANCE STARTS!

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -30,7 +30,7 @@ apt-get update
 apt-get install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
         libcap-ng-dev libcap-ng-utils libselinux1-dev \
         libcurl4-nss-dev libgmp3-dev flex bison gcc make \
-        libunbound-dev libnss3-tools -y
+        libunbound-dev libnss3-tools wget -y
 apt-get install xl2tpd -y
 
 # Compile and install Libreswan

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -197,13 +197,6 @@ cat > /etc/iptables.rules <<EOF
 -A ZREJ -p udp -j REJECT --reject-with icmp-port-unreachable
 -A ZREJ -j REJECT --reject-with icmp-proto-unreachable
 COMMIT
-*mangle
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -235,6 +235,7 @@ cat > /etc/rc.local <<EOF
 # By default this script does nothing.
 /usr/sbin/service ipsec restart
 /usr/sbin/service xl2tpd restart
+echo 1 > /proc/sys/net/ipv4/ip_forward
 exit 0
 EOF
 

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -9,9 +9,10 @@
 # Copyright (C) 2014 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
-# For detailed instructions, see my tech blog article:
+# For detailed instructions, please see:
 # https://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/
-# Original post: http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
+# Original post by Thomas Sarlandie: 
+# http://www.sarfata.org/posts/setting-up-an-amazon-vpn-server.md
 #
 # This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -218,6 +218,7 @@ cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 exit 0
 EOF
 
+/bin/cp -f /etc/rc.local /etc/rc.local.old
 cat > /etc/rc.local <<EOF
 #!/bin/sh -e
 #

diff --git a/vpnsetup.sh b/vpnsetup.sh
@@ -164,6 +164,7 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
+/bin/cp -f /etc/iptables.rules /etc/iptables.rules.old
 cat > /etc/iptables.rules <<EOF
 *filter
 :INPUT ACCEPT [0:0]
No results found