diff --git a/vpnsetup.sh b/vpnsetup.sh
index 8ede5cb..786ffd7 100644
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -24,17 +24,16 @@ if [ "$(uname)" = "Darwin" ]; then
 fi
 
 # Please define your own values for these variables
-# IMPORTANT:
-# Escape all non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
+# Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
 # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
 
 IPSEC_PSK=your_very_secure_key
 VPN_USER=your_username
 VPN_PASSWORD=your_very_secure_password
 
-# --------------------
-# | IMPORTANT NOTES  |
-# --------------------
+# -----------------
+#  IMPORTANT NOTES
+# -----------------
 
 # To support multiple VPN users with different credentials, just edit a few lines below.
 # See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
@@ -44,8 +43,8 @@ VPN_PASSWORD=your_very_secure_password
 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
 
 # **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
-# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
-# two spaces. Finally, run "service ipsec restart".
+# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
+# with two spaces. Finally, run "service ipsec restart".
 
 # **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
 # In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
@@ -60,8 +59,8 @@ VPN_PASSWORD=your_very_secure_password
 # If your server uses a custom SSH port (not 22), or if you wish to allow other services
 # through IPTables, be sure to edit the IPTables rules below before running this script.
 
-# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
-# before overwriting them. Backups can be found under the same folder with .old suffix.
+# This script will backup your existing configuration files before overwriting them.
+# Backups can be found in the same folder as the original, with .old-date/time suffix.
 
 if [ "$(lsb_release -si)" != "Ubuntu" ] && [ "$(lsb_release -si)" != "Debian" ]; then
   echo "Looks like you aren't running this script on a Ubuntu or Debian system."
@@ -88,10 +87,10 @@ fi
 mkdir -p /opt/src
 cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
 
-# Update package index and install wget, dig (dnsutils) and nano
+# Update package index and install wget, dig (dnsutils), sed and nano
 export DEBIAN_FRONTEND=noninteractive
 apt-get -y update
-apt-get -y install wget dnsutils nano
+apt-get -y install wget dnsutils sed nano
 
 echo
 echo 'Please wait... Trying to find Public IP and Private IP of this server.'
@@ -150,6 +149,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
 make programs && make install
 
 # Prepare various config files
+/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ipsec.conf <<EOF
 version 2.0
 
@@ -187,10 +187,12 @@ conn vpnpsk
   dpdaction=clear
 EOF
 
+/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
 EOF
 
+/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
@@ -212,6 +214,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 EOF
 
+/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ppp/options.xl2tpd <<EOF
 ipcp-accept-local
 ipcp-accept-remote
@@ -229,15 +232,20 @@ lcp-echo-interval 60
 connect-delay 5000
 EOF
 
+/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses
-
 "$VPN_USER" l2tpd "$VPN_PASSWORD" *
 EOF
 
+if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
+
 /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
-cat > /etc/sysctl.conf <<EOF
+cat >> /etc/sysctl.conf <<EOF
+
+# Added by hwdsl2 VPN script
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
 net.ipv4.tcp_syncookies = 1
@@ -256,8 +264,6 @@ net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
-net.ipv6.conf.all.disable_ipv6=1
-net.ipv6.conf.default.disable_ipv6=1
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.conf.all.secure_redirects = 0
@@ -269,8 +275,16 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
+fi
+
+if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
+
 /bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+/usr/sbin/service fail2ban stop >/dev/null 2>&1
+if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
+
 cat > /etc/iptables.rules <<EOF
+# Added by hwdsl2 VPN script
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
@@ -305,31 +319,44 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
 COMMIT
 EOF
 
+else
+
+iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
+iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+iptables -I INPUT 3 -p udp --dport 1701 -j DROP
+
+iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
+iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
+# If you wish to allow traffic between VPN clients themselves, uncomment this line:
+# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -A FORWARD -j DROP
+
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+
+/sbin/iptables-save > /etc/iptables.rules
+echo "# Modified by hwdsl2 VPN script" >> /etc/iptables.rules
+
+fi
+fi
+
 cat > /etc/network/if-pre-up.d/iptablesload <<EOF
 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.rules
 exit 0
 EOF
 
-/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
-cat > /etc/rc.local <<EOF
-#!/bin/sh -e
-#
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-# By default this script does nothing.
+if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
 
+/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+/bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
+cat >> /etc/rc.local <<EOF
+
+# Added by hwdsl2 VPN script
 /usr/sbin/service fail2ban restart || /bin/true
 /usr/sbin/service ipsec start
 /usr/sbin/service xl2tpd start
@@ -337,6 +364,8 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
 exit 0
 EOF
 
+fi
+
 if [ ! -f /etc/ipsec.d/cert8.db ] ; then
    echo > /var/tmp/libreswan-nss-pwd
    /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
@@ -346,7 +375,7 @@ fi
 /sbin/sysctl -p
 /bin/chmod +x /etc/rc.local
 /bin/chmod +x /etc/network/if-pre-up.d/iptablesload
-/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
+/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
 /sbin/iptables-restore < /etc/iptables.rules
 
 /usr/sbin/service fail2ban stop >/dev/null 2>&1
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 83a4930..322fc6f 100644
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -23,17 +23,16 @@ if [ "$(uname)" = "Darwin" ]; then
 fi
 
 # Please define your own values for these variables
-# IMPORTANT:
-# Escape all non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
+# Escape *all* non-alphanumeric characters with a backslash (or 3 backslashes for \ and ").
 # Examples: \ --> \\\\, " --> \\\", ' --> \', $ --> \$, ` --> \`, [space] --> \[space]
 
 IPSEC_PSK=your_very_secure_key
 VPN_USER=your_username
 VPN_PASSWORD=your_very_secure_password
 
-# --------------------
-# | IMPORTANT NOTES  |
-# --------------------
+# -----------------
+#  IMPORTANT NOTES
+# -----------------
 
 # To support multiple VPN users with different credentials, just edit a few lines below.
 # See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
@@ -43,8 +42,8 @@ VPN_PASSWORD=your_very_secure_password
 # https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
 
 # **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
-# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
-# two spaces. Finally, run "service ipsec restart".
+# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines
+# with two spaces. Finally, run "service ipsec restart".
 
 # **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
 # In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
@@ -59,8 +58,8 @@ VPN_PASSWORD=your_very_secure_password
 # If your server uses a custom SSH port (not 22), or if you wish to allow other services
 # through IPTables, be sure to edit the IPTables rules below before running this script.
 
-# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
-# before overwriting them. Backups can be found under the same folder with .old suffix.
+# This script will backup your existing configuration files before overwriting them.
+# Backups can be found in the same folder as the original, with .old-date/time suffix.
 
 if [ ! -f /etc/redhat-release ]; then
   echo "Looks like you aren't running this script on a CentOS/RHEL system."
@@ -159,7 +158,7 @@ yum -y install ppp xl2tpd
 # Install Fail2Ban to protect SSH server
 yum -y install fail2ban
 
-# Installed Libevent 2. Use backported version for CentOS 6.
+# Installed Libevent2. Use backported version for CentOS 6.
 if grep -qs "release 6" /etc/redhat-release; then
   LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6"
   RPM1="libevent2-2.0.21-1.el6.x86_64.rpm"
@@ -184,6 +183,7 @@ cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source directory
 make programs && make install
 
 # Prepare various config files
+/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ipsec.conf <<EOF
 version 2.0
 
@@ -221,10 +221,12 @@ conn vpnpsk
   dpdaction=clear
 EOF
 
+/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
 EOF
 
+/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
@@ -246,6 +248,7 @@ pppoptfile = /etc/ppp/options.xl2tpd
 length bit = yes
 EOF
 
+/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
 cat > /etc/ppp/options.xl2tpd <<EOF
 ipcp-accept-local
 ipcp-accept-remote
@@ -263,15 +266,20 @@ lcp-echo-interval 60
 connect-delay 5000
 EOF
 
+/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses
-
 "$VPN_USER" l2tpd "$VPN_PASSWORD" *
 EOF
 
+if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
+
 /bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
-cat > /etc/sysctl.conf <<EOF
+cat >> /etc/sysctl.conf <<EOF
+
+# Added by hwdsl2 VPN script
 kernel.sysrq = 0
 kernel.core_uses_pid = 1
 net.ipv4.tcp_syncookies = 1
@@ -290,8 +298,6 @@ net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.rp_filter = 0
 net.ipv4.conf.default.rp_filter = 0
-net.ipv6.conf.all.disable_ipv6=1
-net.ipv6.conf.default.disable_ipv6=1
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 net.ipv4.conf.all.secure_redirects = 0
@@ -303,8 +309,16 @@ net.ipv4.tcp_rmem= 10240 87380 12582912
 net.ipv4.tcp_wmem= 10240 87380 12582912
 EOF
 
+fi
+
+if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
+
 /bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+/sbin/service fail2ban stop >/dev/null 2>&1
+if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
+
 cat > /etc/sysconfig/iptables <<EOF
+# Added by hwdsl2 VPN script
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
@@ -338,10 +352,31 @@ COMMIT
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
--A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source ${PRIVATE_IP}
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
 COMMIT
 EOF
 
+else
+
+iptables -I INPUT 1 -p udp -m multiport --dports 500,4500 -j ACCEPT
+iptables -I INPUT 2 -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
+iptables -I INPUT 3 -p udp --dport 1701 -j DROP
+
+iptables -I FORWARD 1 -m conntrack --ctstate INVALID -j DROP
+iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
+# If you wish to allow traffic between VPN clients themselves, uncomment this line:
+# iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
+iptables -A FORWARD -j DROP
+
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+
+/sbin/iptables-save > /etc/sysconfig/iptables
+echo "# Modified by hwdsl2 VPN script" >> /etc/sysconfig/iptables
+
+fi
+fi
+
 if [ ! -f /etc/fail2ban/jail.local ] ; then
 
 cat > /etc/fail2ban/jail.local <<EOF
@@ -361,15 +396,12 @@ EOF
 
 fi
 
-/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
-cat > /etc/rc.local <<EOF
-#!/bin/sh
-#
-# This script will be executed *after* all the other init scripts.
-# You can put your own initialization stuff in here if you don't
-# want to do the full Sys V style init stuff.
+if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
 
-touch /var/lock/subsys/local
+/bin/cp -f /etc/rc.local "/etc/rc.local.old-$(date +%Y-%m-%d-%H:%M:%S)" 2>/dev/null
+cat >> /etc/rc.local <<EOF
+
+# Added by hwdsl2 VPN script
 /sbin/iptables-restore < /etc/sysconfig/iptables
 /sbin/service fail2ban restart
 /sbin/service ipsec start
@@ -377,6 +409,8 @@ touch /var/lock/subsys/local
 echo 1 > /proc/sys/net/ipv4/ip_forward
 EOF
 
+fi
+
 if [ ! -f /etc/ipsec.d/cert8.db ] ; then
    echo > /var/tmp/libreswan-nss-pwd
    /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
@@ -390,7 +424,7 @@ restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 
 /sbin/sysctl -p
 /bin/chmod +x /etc/rc.local
-/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
+/bin/chmod 600 /etc/ipsec.secrets* /etc/ppp/chap-secrets*
 /sbin/iptables-restore < /etc/sysconfig/iptables
 
 /sbin/service fail2ban stop >/dev/null 2>&1