diff --git a/README.md b/README.md
index b9ff3f9..642b415 100644
--- a/README.md
+++ b/README.md
@@ -1,22 +1,50 @@ -## IPsec/L2TP VPN Auto Install Script for Ubuntu/Debian +# IPsec/L2TP VPN Server Auto Setup Scripts -Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8 (Jessie). +Scripts for automatic setup of an IPsec/L2TP VPN server on Ubuntu 14.04 & 12.04, Debian 8 and CentOS/RHEL 6 & 7. Works on dedicated servers or any KVM- or XEN-based Virtual Private Server (VPS), with **freshly installed** Linux OS. -With minor modifications, this script **can also be used** on dedicated servers or any KVM- or XEN- based Virtual Private Server (VPS) from other providers. +They can also be used as Amazon EC2 "user-data" with the Ubuntu 14.04/12.04, Debian 8 or CentOS 7 AMIs. + +Do **NOT** run these scripts on your PC or Mac! They are meant to be run on a dedicated server or VPS. #### My VPN tutorial with detailed usage instructions -Alternative VPN script for CentOS/RHEL +Enable multiple VPN users with different credentials Workaround for Debian 7 (Wheezy) Original post by Thomas Sarlandie -↓  ↓  ↓ Scroll down for the script ↓  ↓  ↓ +## Installation -### Copyright and license +### For Ubuntu and Debian: + +```bash +wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup.sh -O vpnsetup.sh +nano -w vpnsetup.sh +[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values] +/bin/sh vpnsetup.sh +``` + +### For CentOS and RHEL: + +```bash +wget https://github.com/hwdsl2/setup-ipsec-vpn/raw/master/vpnsetup_centos.sh -O vpnsetup_centos.sh +nano -w vpnsetup_centos.sh +[Edit and replace IPSEC_PSK, VPN_USER and VPN_PASSWORD with your own values] +/bin/sh vpnsetup_centos.sh +``` + +## Important Notes + +For Windows users, a one-time registry change is required for connections to a VPN server behind NAT (e.g. Amazon EC2). 
+ +If using Amazon EC2, these ports must be open in the security group of your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH). + +If your server uses a custom SSH port (not 22), or if you wish to allow other services through IPTables, be sure to edit the IPTables rules in the scripts before using. + +The scripts will backup /etc/rc.local, /etc/sysctl.conf, /etc/iptables.rules and /etc/sysconfig/iptables before overwriting them. Backups can be found under the same folder with .old suffix. + +## Copyright and license Copyright (C) 2014 Lin Song   View my profile on LinkedIn Based on the work of Thomas Sarlandie (Copyright 2012) This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Attribution required: please include my name in any derivative and let me know how you have improved it! - -Analytics \ No newline at end of file diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh new file mode 100644 index 0000000..95cf155 --- /dev/null +++ b/vpnsetup_centos.sh 
@@ -0,0 +1,329 @@
+#!/bin/sh
+#
+# Script for automatic configuration of IPsec/L2TP VPN server on 64-bit CentOS/RHEL 6 & 7.
+# Works on dedicated servers or any KVM- or XEN-based Virtual Private Server (VPS).
+# It can also be used as the Amazon EC2 "user-data" with the official CentOS 7 AMI.
+# Note that the CentOS 6 AMI does NOT come with cloud-init, therefore you need to
+# run this script manually after instance creation.
+#
+# DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
+# ON YOUR DEDICATED SERVER OR VPS!
+#
+# Copyright (C) 2015 Lin Song
+# Based on the work of Thomas Sarlandie (Copyright 2012)
+#
+# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
+# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
+#
+# Attribution required: please include my name in any derivative and let me
+# know how you have improved it!
+
+if [ "$(uname)" = "Darwin" ]; then
+ echo 'DO NOT run this script on your Mac! It should only be run on a Dedicated Server / VPS'
+ echo 'or a newly-created EC2 instance, after you have modified it to set the variables below.'
+ exit 1
+fi
+
+if [ ! -f /etc/redhat-release ]; then
+ echo "Looks like you aren't running this script on a CentOS/RHEL system."
+ exit 1
+fi
+
+if [ "$(uname -m)" != "x86_64" ]; then
+ echo "Sorry, this script only supports 64-bit CentOS/RHEL."
+ exit 1
+fi
+
+if [ "$(id -u)" != 0 ]; then
+ echo "Sorry, you need to run this script as root."
+ exit 1
+fi
+
+# Please define your own values for those variables
+IPSEC_PSK=your_very_secure_key
+VPN_USER=your_username
+VPN_PASSWORD=your_very_secure_password
+
+# IMPORTANT NOTES:
+
+# If you need multiple VPN users with different credentials,
+# please see: https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
+# For Windows users, a one-time registry change is required in order to
+# connect to a VPN server behind NAT (e.g. in Amazon EC2).
Please see:
+# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
+
+# If using Amazon EC2, these ports must be open in the security group of
+# your VPN server: UDP ports 500 & 4500, and TCP port 22 (optional, for SSH).
+
+# If your server uses a custom SSH port (not 22), or if you wish to allow other services
+# through IPTables, be sure to edit the IPTables rules below before running this script.
+
+# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
+# before overwriting them. Backups can be found under the same folder with .old suffix.
+
+# iPhone/iOS users may need to replace this line in ipsec.conf:
+# "rightprotoport=17/%any" with "rightprotoport=17/0".
+
+# Install wget, dig (bind-utils) and nano
+yum -y install wget bind-utils nano
+
+echo 'If the script hangs here, press Ctrl-C to interrupt, then edit it and comment out'
+echo 'the next two lines PUBLIC_IP= and PRIVATE_IP=, OR replace them with the actual IPs.'
+
+# In Amazon EC2, these two variables will be found automatically.
+# For all other servers, you may replace them with the actual IPs,
+# or comment out and let the script auto-detect in the next section.
+# If your server only has a public IP, use that IP on both lines.
+PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
+PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')
+
+# Attempt to find server IPs automatically for non-EC2 servers
+[ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
+[ "$PUBLIC_IP" = "" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
+[ "$PUBLIC_IP" = "" ] && { echo "Could not find Public IP, please edit the VPN script manually."; exit 1; }
+[ "$PRIVATE_IP" = "" ] && PRIVATE_IP=$(ifconfig eth0 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
+[ "$PRIVATE_IP" = "" ] && { echo "Could not find Private IP, please edit the VPN script manually."; exit 1; }
+
+# Create and change to working dir
+mkdir -p /opt/src
+cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
+
+# Add the EPEL repository
+if grep -qs "release 6" /etc/redhat-release; then
+ EPEL_RPM="epel-release-6-8.noarch.rpm"
+ EPEL_URL="http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
+elif grep -qs "release 7" /etc/redhat-release; then
+ EPEL_RPM="epel-release-7-5.noarch.rpm"
+ EPEL_URL="http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
+else
+ echo "Sorry, this script only supports versions 6 and 7 of CentOS/RHEL."
+ exit 1
+fi
+wget -t 3 -T 30 -nv -O $EPEL_RPM $EPEL_URL
+[ ! -f $EPEL_RPM ] && { echo "Could not retrieve EPEL repository RPM file. Aborting."; exit 1; }
+rpm -ivh --force $EPEL_RPM && /bin/rm -f $EPEL_RPM
+
+# Install necessary packages
+yum -y install nss-devel nspr-devel pkgconfig pam-devel \
+ libcap-ng-devel libselinux-devel \
+ curl-devel gmp-devel flex bison gcc make \
+ fipscheck-devel unbound-devel gmp gmp-devel xmlto
+yum -y install ppp xl2tpd
+
+# Installed Libevent 2. Use backported version for CentOS 6.
+if grep -qs "release 6" /etc/redhat-release; then + LE2_URL="https://people.redhat.com/pwouters/libreswan-rhel6" + RPM1="libevent2-2.0.21-1.el6.x86_64.rpm" + RPM2="libevent2-devel-2.0.21-1.el6.x86_64.rpm" + wget -t 3 -T 30 -nv -O $RPM1 $LE2_URL/$RPM1 + wget -t 3 -T 30 -nv -O $RPM2 $LE2_URL/$RPM2 + [ ! -f $RPM1 ] || [ ! -f $RPM2 ] && { echo "Could not retrieve Libevent2 RPM file(s). Aborting."; exit 1; } + rpm -ivh --force $RPM1 $RPM2 && /bin/rm -f $RPM1 $RPM2 +elif grep -qs "release 7" /etc/redhat-release; then + yum -y install libevent-devel +fi + +# Compile and install Libreswan (https://libreswan.org/) +# To upgrade Libreswan when a newer version is available, just re-run these +# commands with the new "SWAN_VER", then restore SELinux contexts using +# the commands at the end of this script, and finally restart services with +# "service ipsec restart" and "service xl2tpd restart". +SWAN_VER=3.16 +SWAN_URL=https://download.libreswan.org/libreswan-${SWAN_VER}.tar.gz +wget -t 3 -T 30 -qO- $SWAN_URL | tar xvz +[ ! -d libreswan-${SWAN_VER} ] && { echo "Could not retrieve Libreswan source files. Aborting."; exit 1; } +cd libreswan-${SWAN_VER} +make programs && make install + +# Prepare various config files +cat > /etc/ipsec.conf < /etc/ipsec.secrets < /etc/xl2tpd/xl2tpd.conf < /etc/ppp/options.xl2tpd < /etc/ppp/chap-secrets </dev/null +cat > /etc/sysctl.conf </dev/null +cat > /etc/sysconfig/iptables </dev/null +cat > /etc/rc.local < /proc/sys/net/ipv4/ip_forward +EOF + +if [ ! 
-f /etc/ipsec.d/cert8.db ] ; then
+ echo > /var/tmp/libreswan-nss-pwd
+ /usr/bin/certutil -N -f /var/tmp/libreswan-nss-pwd -d /etc/ipsec.d
+ /bin/rm -f /var/tmp/libreswan-nss-pwd
+fi
+
+# Restore SELinux contexts
+restorecon /etc/ipsec.d/*db 2>/dev/null
+restorecon /usr/local/sbin -Rv 2>/dev/null
+restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
+
+/sbin/sysctl -p
+/bin/chmod 600 /etc/ipsec.secrets /etc/ppp/chap-secrets
+/sbin/iptables-restore < /etc/sysconfig/iptables
+
+/sbin/service ipsec restart
+/sbin/service xl2tpd restart
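Review bot: The placeholder credentials `IPSEC_PSK=your_very_secure_key`, `VPN_USER=your_username` and `VPN_PASSWORD=your_very_secure_password` are used as-is if the operator forgets to edit them, so a server set up from an unedited copy comes up with a pre-shared key and password that are public in this repository; add a guard right after those assignments, e.g. `if [ "$IPSEC_PSK" = "your_very_secure_key" ] || [ "$VPN_PASSWORD" = "your_very_secure_password" ]; then echo "Please set your own IPSEC_PSK, VPN_USER and VPN_PASSWORD before running this script."; exit 1; fi`. Nothing the script installs is integrity-checked: the Libreswan tarball is piped straight from `wget -t 3 -T 30 -qO- $SWAN_URL` into `tar xvz`, the EPEL RPM is fetched over plain http, and both the EPEL and libevent2 RPMs are installed with `rpm -ivh --force` after only an `-f` existence test, so a truncated download or a tampered mirror is accepted silently — compare the tarball against a recorded SHA-256 (value to be supplied by the maintainer) and let rpm verify the package signatures instead of forcing. `/etc/ipsec.secrets` and `/etc/ppp/chap-secrets` are written by `cat >` under the default umask and only receive `chmod 600` at the very end of the script, so `umask 077` before the heredocs would close that window. The heredoc bodies between `cat > /etc/ipsec.conf` and the `EOF` preceding `if [ !` appear mangled in this rendering, so the generated configuration files could not be reviewed here.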