Minor improvements and clean up

2025-02-16 20:13:19 +03:00 · 2016-01-30 13:12:15 -06:00 · 2016-01-30 13:12:15 -06:00 · 39c9249c3b
commit 39c9249c3b
parent 7072264fcf
4 changed files with 128 additions and 126 deletions
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@ -1,9 +1,8 @@
 #!/bin/sh
 #
-# Amazon EC2 user-data file for automatic configuration of IPsec/L2TP VPN server
-# on a Ubuntu or Debian instance. Tested with Ubuntu 14.04 & 12.04 and Debian 8.
-# Besides EC2, this script *can also be used* on dedicated servers or any KVM-
-# or Xen-based Virtual Private Server (VPS) from other providers.
+# Script for automatic configuration of IPsec/L2TP VPN server on Ubuntu 14.04/12.04 and Debian 8.
+# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
+# It can also be used as Amazon EC2 "user-data" with the official Ubuntu or Debian AMIs.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
 # ON YOUR DEDICATED SERVER OR VPS!
@ -11,11 +10,11 @@
 # Copyright (C) 2014-2016 Lin Song
 # Based on the work of Thomas Sarlandie (Copyright 2012)
 #
-# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
+# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
 # Unported License: http://creativecommons.org/licenses/by-sa/3.0/
 #
 # Attribution required: please include my name in any derivative and let me
-# know how you have improved it! 
+# know how you have improved it!

 # ------------------------------------------------------------

@ -33,8 +32,8 @@ VPN_PASSWORD='your_very_secure_password'
 # ------------------------------------------------------------

 if [ "$(uname)" = "Darwin" ]; then
-  echo 'DO NOT run this script on your Mac! It should only be run on a newly-created EC2 instance'
-  echo 'or other dedicated server / VPS, after you have modified it to set the variables above.'
+  echo 'DO NOT run this script on your Mac! It should only be run on a dedicated server / VPS'
+  echo 'or a newly-created EC2 instance, after you have modified it to set the variables above.'
  exit 1
 fi

@ -43,7 +42,7 @@ if [ "$(lsb_release -si 2>/dev/null)" != "Ubuntu" ] && [ "$(lsb_release -si 2>/d
  exit 1
 fi

-if [ -f "/proc/user_beancounters" ]; then
+if [ -f /proc/user_beancounters ]; then
  echo "This script does NOT support OpenVZ VPS."
  echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install"
  exit 1
@ -60,13 +59,13 @@ if [ ! -f /sys/class/net/eth0/operstate ]; then
 fi

 if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
-  echo "VPN credentials cannot be empty, please edit the VPN script."
+  echo "VPN credentials cannot be empty. Edit the script and re-enter."
  exit 1
 fi

 # Create and change to working dir
 mkdir -p /opt/src
-cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
+cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exit 1; }

 # Update package index and install Wget and dig (dnsutils)
 export DEBIAN_FRONTEND=noninteractive
@ -74,21 +73,20 @@ apt-get -y update
 apt-get -y install wget dnsutils

 echo
-echo 'Please wait... Trying to find Public/Private IP of this server.'
+echo 'Trying to determine Public/Private IP of this server...'
 echo
-echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
-echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
-echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
+echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.'
+echo 'Then edit the script and follow instructions to manually enter server IPs.'
 echo

-# In Amazon EC2, these two variables will be found automatically.
-# For all other servers, you may replace them with the actual IPs,
-# or comment out and let the script auto-detect in the next section.
-# If your server only has a public IP, put it on both lines.
+# In Amazon EC2, these two variables will be retrieved from metadata.
+# For all other servers, you may replace them with actual IPs,
+# or comment them out to use auto-detection in the next section.
+# If your server only has a public IP, put that IP on both lines.
 PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')

-# Attempt to find server IPs for non-EC2 servers
+# Try to determine IPs for non-EC2 servers
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
@ -98,11 +96,11 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
 # Check IPs for correct format
 IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
-  echo "Cannot find valid Public IP, please edit the VPN script manually."
+  echo "Cannot find valid public IP, please edit the script and manually enter."
  exit 1
 fi
 if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
-  echo "Cannot find valid Private IP, please edit the VPN script manually."
+  echo "Cannot find valid private IP, please edit the script and manually enter."
  exit 1
 fi

@ -114,28 +112,28 @@ apt-get -y install libnss3-dev libnspr4-dev pkg-config libpam0g-dev \
 apt-get -y --no-install-recommends install xmlto
 apt-get -y install xl2tpd

-# Install Fail2Ban to protect SSH server
+# Install Fail2Ban to protect SSH
 apt-get -y install fail2ban

 # Compile and install Libreswan
 SWAN_VER=3.16
 SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
-SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
 wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
 [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
-/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
-cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
+cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
 make programs && make install

-# Check if the install was successful
-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
-[ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
+# Check if Libreswan install was successful
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
+[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }

 # Prepare various config files
-# Create IPsec (Libreswan) configuration
+# Create IPsec (Libreswan) config
 SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)"
-/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
 cat > /etc/ipsec.conf <<EOF
 version 2.0

@ -174,13 +172,13 @@ conn vpnpsk
 EOF

 # Specify IPsec PSK
-/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$SYS_DT" 2>/dev/null
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
 EOF

 # Create xl2tpd config
-/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$SYS_DT" 2>/dev/null
 cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
@ -203,7 +201,7 @@ length bit = yes
 EOF

 # Specify xl2tpd options
-/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$SYS_DT" 2>/dev/null
 cat > /etc/ppp/options.xl2tpd <<EOF
 ipcp-accept-local
 ipcp-accept-remote
@ -222,7 +220,7 @@ connect-delay 5000
 EOF

 # Create VPN credentials
-/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$SYS_DT" 2>/dev/null
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses
@ -231,7 +229,7 @@ EOF

 # Update sysctl settings for VPN and performance
 if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
-/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$SYS_DT" 2>/dev/null
 cat >> /etc/sysctl.conf <<EOF

 # Added by hwdsl2 VPN script
@ -264,11 +262,11 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
 EOF
 fi

-# Create basic IPTables rules. First check if there are existing IPTables rules loaded.
-# 1. If IPTables is "empty", write out the new set of rules below.
+# Create basic IPTables rules. First check if there are existing rules.
+# 1. If IPTables is "empty", write out the new set of rules.
 # 2. If *not* empty, insert new rules and save them together with existing ones.
 if ! grep -qs "hwdsl2 VPN script" /etc/iptables.rules; then
-/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/iptables.rules "/etc/iptables.rules.old-$SYS_DT" 2>/dev/null
 /usr/sbin/service fail2ban stop >/dev/null 2>&1
 if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
 cat > /etc/iptables.rules <<EOF
@ -308,7 +306,7 @@ COMMIT
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
 COMMIT
 EOF

@ -322,21 +320,21 @@ iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED
 iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
 # iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 iptables -A FORWARD -j DROP
-iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"

 echo "# Modified by hwdsl2 VPN script" > /etc/iptables.rules
 /sbin/iptables-save >> /etc/iptables.rules
 fi
 # Update rules for iptables-persistent
 if [ -f /etc/iptables/rules.v4 ]; then
-/bin/cp -f /etc/iptables/rules.v4 "/etc/iptables/rules.v4.old-${SYS_DT}"
+/bin/cp -f /etc/iptables/rules.v4 "/etc/iptables/rules.v4.old-$SYS_DT"
 /bin/cp -f /etc/iptables.rules /etc/iptables/rules.v4
 fi
 fi

 # Create basic IP6Tables (IPv6) rules
 if ! grep -qs "hwdsl2 VPN script" /etc/ip6tables.rules; then
-/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ip6tables.rules "/etc/ip6tables.rules.old-$SYS_DT" 2>/dev/null
 cat > /etc/ip6tables.rules <<EOF
 # Added by hwdsl2 VPN script
 *filter
@ -351,9 +349,8 @@ cat > /etc/ip6tables.rules <<EOF
 -A INPUT -j DROP
 COMMIT
 EOF
-# Update rules (IPv6) for iptables-persistent
 if [ -f /etc/iptables/rules.v6 ]; then
-/bin/cp -f /etc/iptables/rules.v6 "/etc/iptables/rules.v6.old-${SYS_DT}"
+/bin/cp -f /etc/iptables/rules.v6 "/etc/iptables/rules.v6.old-$SYS_DT"
 /bin/cp -f /etc/ip6tables.rules /etc/iptables/rules.v6
 fi
 fi
@ -373,7 +370,7 @@ EOF

 # Update rc.local to start services at boot
 if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
-/bin/cp -f /etc/rc.local "/etc/rc.local.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
 /bin/sed --follow-symlinks -i -e '/^exit 0/d' /etc/rc.local
 cat >> /etc/rc.local <<EOF

@ -413,3 +410,7 @@ fi
 /usr/sbin/service fail2ban start
 /usr/sbin/service ipsec start
 /usr/sbin/service xl2tpd start
+
+echo
+echo 'Congratulations! IPsec/L2TP VPN server setup is complete!'
+exit 0
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Script for automatic configuration of IPsec/L2TP VPN server on 64-bit CentOS/RHEL 6 & 7.
-# Works on dedicated servers or any KVM- or Xen-based Virtual Private Server (VPS).
+# Works on dedicated servers and any KVM- or Xen-based Virtual Private Server (VPS).
 # It can also be used as Amazon EC2 "user-data" with the official CentOS 6 & 7 AMIs.
 #
 # DO NOT RUN THIS SCRIPT ON YOUR PC OR MAC! THIS IS MEANT TO BE RUN
@ -52,7 +52,7 @@ if [ "$(uname -m)" != "x86_64" ]; then
  exit 1
 fi

-if [ -f "/proc/user_beancounters" ]; then
+if [ -f /proc/user_beancounters ]; then
  echo "This script does NOT support OpenVZ VPS."
  echo "Try Nyr's OpenVPN script: https://github.com/Nyr/openvpn-install"
  exit 1
@ -72,33 +72,32 @@ if [ ! -f /sys/class/net/eth0/operstate ]; then
 fi

 if [ -z "$IPSEC_PSK" ] || [ -z "$VPN_USER" ] || [ -z "$VPN_PASSWORD" ]; then
-  echo "VPN credentials cannot be empty, please edit the VPN script."
+  echo "VPN credentials cannot be empty. Edit the script and re-enter."
  exit 1
 fi

 # Create and change to working dir
 mkdir -p /opt/src
-cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
+cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exit 1; }

 # Install Wget and dig (bind-utils)
 yum -y install wget bind-utils

 echo
-echo 'Please wait... Trying to find Public/Private IP of this server.'
+echo 'Trying to determine Public/Private IP of this server...'
 echo
-echo 'If the script hangs here for more than a few minutes, press Ctrl-C to interrupt,'
-echo 'then edit and comment out the next two lines PUBLIC_IP= and PRIVATE_IP=, or replace'
-echo 'them with actual IPs. If your server only has a public IP, put it on both lines.'
+echo 'In case the script hangs here for more than a few minutes, press Ctrl-C to interrupt.'
+echo 'Then edit the script and follow instructions to manually enter server IPs.'
 echo

-# In Amazon EC2, these two variables will be found automatically.
-# For all other servers, you may replace them with the actual IPs,
-# or comment out and let the script auto-detect in the next section.
-# If your server only has a public IP, put it on both lines.
+# In Amazon EC2, these two variables will be retrieved from metadata.
+# For all other servers, you may replace them with actual IPs,
+# or comment them out to use auto-detection in the next section.
+# If your server only has a public IP, put that IP on both lines.
 PUBLIC_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/public-ipv4')
 PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/latest/meta-data/local-ipv4')

-# Attempt to find server IPs for non-EC2 servers
+# Try to determine IPs for non-EC2 servers
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipv4.icanhazip.com)
 [ -z "$PUBLIC_IP" ] && PUBLIC_IP=$(wget -t 3 -T 15 -qO- http://ipecho.net/plain)
@ -108,21 +107,21 @@ PRIVATE_IP=$(wget --retry-connrefused -t 3 -T 15 -qO- 'http://169.254.169.254/la
 # Check IPs for correct format
 IP_REGEX="^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"
 if ! printf %s "$PUBLIC_IP" | grep -Eq "$IP_REGEX"; then
-  echo "Cannot find valid Public IP, please edit the VPN script manually."
+  echo "Cannot find valid public IP, please edit the script and manually enter."
  exit 1
 fi
 if ! printf %s "$PRIVATE_IP" | grep -Eq "$IP_REGEX"; then
-  echo "Cannot find valid Private IP, please edit the VPN script manually."
+  echo "Cannot find valid private IP, please edit the script and manually enter."
  exit 1
 fi

 # Add the EPEL repository
 if grep -qs "release 6" /etc/redhat-release; then
-  EPEL_RPM="epel-release-6-8.noarch.rpm"
-  EPEL_URL="http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
+  EPEL_RPM=epel-release-6-8.noarch.rpm
+  EPEL_URL=http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM
 elif grep -qs "release 7" /etc/redhat-release; then
-  EPEL_RPM="epel-release-7-5.noarch.rpm"
-  EPEL_URL="http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
+  EPEL_RPM=epel-release-7-5.noarch.rpm
+  EPEL_URL=http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM
 fi
 wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
 [ ! -f "$EPEL_RPM" ] && { echo "Cannot retrieve EPEL repo RPM file. Aborting."; exit 1; }
@ -135,7 +134,7 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \
    fipscheck-devel unbound-devel gmp gmp-devel xmlto
 yum -y install ppp xl2tpd

-# Install Fail2Ban to protect SSH server
+# Install Fail2Ban to protect SSH
 yum -y install fail2ban

 # Install IP6Tables for CentOS/RHEL 6
@ -145,9 +144,9 @@ fi

 # Installed Libevent2. Use backported version for CentOS 6.
 if grep -qs "release 6" /etc/redhat-release; then
-  LE2_URL="https://download.libreswan.org/binaries/rhel/6/x86_64"
-  RPM1="libevent2-2.0.22-1.el6.x86_64.rpm"
-  RPM2="libevent2-devel-2.0.22-1.el6.x86_64.rpm"
+  LE2_URL=https://download.libreswan.org/binaries/rhel/6/x86_64
+  RPM1=libevent2-2.0.22-1.el6.x86_64.rpm
+  RPM2=libevent2-devel-2.0.22-1.el6.x86_64.rpm
  wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
  wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
  [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Cannot retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
@ -159,22 +158,22 @@ fi
 # Compile and install Libreswan
 SWAN_VER=3.16
 SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
-SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
 wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
 [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
-/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
-cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
+cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
 make programs && make install

-# Check if the install was successful
-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
-[ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
+# Check if Libreswan install was successful
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
+[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }

 # Prepare various config files
-# Create IPsec (Libreswan) configuration
+# Create IPsec (Libreswan) config
 SYS_DT="$(/bin/date +%Y-%m-%d-%H:%M:%S)"
-/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ipsec.conf "/etc/ipsec.conf.old-$SYS_DT" 2>/dev/null
 cat > /etc/ipsec.conf <<EOF
 version 2.0

@ -213,13 +212,13 @@ conn vpnpsk
 EOF

 # Specify IPsec PSK
-/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ipsec.secrets "/etc/ipsec.secrets.old-$SYS_DT" 2>/dev/null
 cat > /etc/ipsec.secrets <<EOF
 $PUBLIC_IP  %any  : PSK "$IPSEC_PSK"
 EOF

 # Create xl2tpd config
-/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/xl2tpd/xl2tpd.conf "/etc/xl2tpd/xl2tpd.conf.old-$SYS_DT" 2>/dev/null
 cat > /etc/xl2tpd/xl2tpd.conf <<EOF
 [global]
 port = 1701
@ -242,7 +241,7 @@ length bit = yes
 EOF

 # Specify xl2tpd options
-/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ppp/options.xl2tpd "/etc/ppp/options.xl2tpd.old-$SYS_DT" 2>/dev/null
 cat > /etc/ppp/options.xl2tpd <<EOF
 ipcp-accept-local
 ipcp-accept-remote
@ -261,7 +260,7 @@ connect-delay 5000
 EOF

 # Create VPN credentials
-/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/ppp/chap-secrets "/etc/ppp/chap-secrets.old-$SYS_DT" 2>/dev/null
 cat > /etc/ppp/chap-secrets <<EOF
 # Secrets for authentication using CHAP
 # client  server  secret  IP addresses
@ -270,7 +269,7 @@ EOF

 # Update sysctl settings for VPN and performance
 if ! grep -qs "hwdsl2 VPN script" /etc/sysctl.conf; then
-/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/sysctl.conf "/etc/sysctl.conf.old-$SYS_DT" 2>/dev/null
 cat >> /etc/sysctl.conf <<EOF

 # Added by hwdsl2 VPN script
@ -303,11 +302,11 @@ net.ipv4.tcp_wmem = 10240 87380 12582912
 EOF
 fi

-# Create basic IPTables rules. First check if there are existing IPTables rules loaded.
-# 1. If IPTables is "empty", write out the new set of rules below.
+# Create basic IPTables rules. First check if there are existing rules.
+# 1. If IPTables is "empty", write out the new set of rules.
 # 2. If *not* empty, insert new rules and save them together with existing ones.
 if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/iptables; then
-/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/sysconfig/iptables "/etc/sysconfig/iptables.old-$SYS_DT" 2>/dev/null
 /sbin/service fail2ban stop >/dev/null 2>&1
 if [ "$(/sbin/iptables-save | grep -c '^\-')" = "0" ]; then
 cat > /etc/sysconfig/iptables <<EOF
@ -346,7 +345,7 @@ COMMIT
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+-A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"
 COMMIT
 EOF

@ -360,7 +359,7 @@ iptables -I FORWARD 2 -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED
 iptables -I FORWARD 3 -i ppp+ -o eth+ -j ACCEPT
 # iptables -I FORWARD 4 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
 iptables -A FORWARD -j DROP
-iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "${PRIVATE_IP}"
+iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source "$PRIVATE_IP"

 echo "# Modified by hwdsl2 VPN script" > /etc/sysconfig/iptables
 /sbin/iptables-save >> /etc/sysconfig/iptables
@ -369,7 +368,7 @@ fi

 # Create basic IP6Tables (IPv6) rules
 if ! grep -qs "hwdsl2 VPN script" /etc/sysconfig/ip6tables; then
-/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/sysconfig/ip6tables "/etc/sysconfig/ip6tables.old-$SYS_DT" 2>/dev/null
 cat > /etc/sysconfig/ip6tables <<EOF
 # Added by hwdsl2 VPN script
 *filter
@ -386,7 +385,7 @@ COMMIT
 EOF
 fi

-# Create basic Fail2Ban rules if not already exist
+# Create basic Fail2Ban rules if not present
 if [ ! -f /etc/fail2ban/jail.local ] ; then
 cat > /etc/fail2ban/jail.local <<EOF
 [DEFAULT]
@ -406,7 +405,7 @@ fi

 # Update rc.local to start services at boot
 if ! grep -qs "hwdsl2 VPN script" /etc/rc.local; then
-/bin/cp -f /etc/rc.local "/etc/rc.local.old-${SYS_DT}" 2>/dev/null
+/bin/cp -f /etc/rc.local "/etc/rc.local.old-$SYS_DT" 2>/dev/null
 cat >> /etc/rc.local <<EOF

 # Added by hwdsl2 VPN script
@ -449,3 +448,7 @@ fi
 /sbin/service fail2ban start
 /sbin/service ipsec start
 /sbin/service xl2tpd start
+
+echo
+echo 'Congratulations! IPsec/L2TP VPN server setup is complete!'
+exit 0
--- a/vpnupgrade_Libreswan.sh
+++ b/vpnupgrade_Libreswan.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Simple script to upgrade Libreswan on Ubuntu and Debian
+# Script to upgrade Libreswan to a newer version on Ubuntu and Debian
 #
 # Copyright (C) 2016 Lin Song
 #
@ -20,7 +20,7 @@ if [ "$(lsb_release -si 2>/dev/null)" != "Ubuntu" ] && [ "$(lsb_release -si 2>/d
  exit 1
 fi

-if [ -f "/proc/user_beancounters" ]; then
+if [ -f /proc/user_beancounters ]; then
  echo "This script does NOT support OpenVZ VPS."
  exit 1
 fi
@ -33,13 +33,12 @@ fi
 /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"
 if [ "$?" != "0" ]; then
  echo "This upgrade script requires you already have Libreswan installed."
-  echo "Aborting."
  exit 1
 fi

-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER"
 if [ "$?" = "0" ]; then
-  echo "It looks like you already have Libreswan ${SWAN_VER} installed! "
+  echo "Looks like you already have Libreswan version $SWAN_VER installed! "
  echo
  printf "Do you wish to continue anyway? [y/N] "
  read -r response
@ -56,7 +55,7 @@ fi

 clear

-echo "Welcome! This script will build and install Libreswan ${SWAN_VER} on your server."
+echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server."
 echo "Related packages, such as those required by Libreswan compilation will also be installed."
 echo "This is intended for use on VPN servers running an older version of Libreswan."
 echo "Your existing VPN configuration files will NOT be modified."
@ -65,7 +64,7 @@ if [ "$(sed 's/\..*//' /etc/debian_version 2>/dev/null)" = "7" ]; then
  echo
  echo "IMPORTANT NOTE for Debian 7 (Wheezy) users:"
  echo "A workaround is required for your system. See: https://gist.github.com/hwdsl2/5a769b2c4436cdf02a90"
-  echo "Continue only if you have completed the workaround."
+  echo "Continue only after you have completed the workaround."
 fi

 echo
@ -85,7 +84,7 @@ esac

 # Create and change to working dir
 mkdir -p /opt/src
-cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
+cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exit 1; }

 # Update package index and install Wget
 export DEBIAN_FRONTEND=noninteractive
@ -101,21 +100,21 @@ apt-get -y --no-install-recommends install xmlto

 # Compile and install Libreswan
 SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
-SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
 wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
 [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
-/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
-cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
+cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
 make programs && make install

 # Restart IPsec service
 /usr/sbin/service ipsec restart

-# Check if the install was successful
-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
-[ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
+# Check if Libreswan install was successful
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
+[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }

 echo
-echo "Congratulations! Libreswan ${SWAN_VER} was installed successfully!"
+echo "Congratulations! Libreswan $SWAN_VER was installed successfully! "
 exit 0
--- a/vpnupgrade_Libreswan_centos.sh
+++ b/vpnupgrade_Libreswan_centos.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Simple script to upgrade Libreswan on CentOS and RHEL
+# Script to upgrade Libreswan to a newer version on CentOS and RHEL
 #
 # Copyright (C) 2016 Lin Song
 #
@ -30,7 +30,7 @@ if [ "$(uname -m)" != "x86_64" ]; then
  exit 1
 fi

-if [ -f "/proc/user_beancounters" ]; then
+if [ -f /proc/user_beancounters ]; then
  echo "This script does NOT support OpenVZ VPS."
  exit 1
 fi
@ -43,13 +43,12 @@ fi
 /usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan"
 if [ "$?" != "0" ]; then
  echo "This upgrade script requires you already have Libreswan installed."
-  echo "Aborting."
  exit 1
 fi

-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan ${SWAN_VER}"
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "Libreswan $SWAN_VER"
 if [ "$?" = "0" ]; then
-  echo "It looks like you already have Libreswan ${SWAN_VER} installed! "
+  echo "Looks like you already have Libreswan version $SWAN_VER installed! "
  echo
  printf "Do you wish to continue anyway? [y/N] "
  read -r response
@ -66,7 +65,7 @@ fi

 clear

-echo "Welcome! This script will build and install Libreswan ${SWAN_VER} on your server."
+echo "Welcome! This script will build and install Libreswan $SWAN_VER on your server."
 echo "Related packages, such as those required by Libreswan compilation will also be installed."
 echo "This is intended for use on VPN servers running an older version of Libreswan."
 echo "Your existing VPN configuration files will NOT be modified."
@ -88,18 +87,18 @@ esac

 # Create and change to working dir
 mkdir -p /opt/src
-cd /opt/src || { echo "Failed to change working directory to /opt/src. Aborting."; exit 1; }
+cd /opt/src || { echo "Failed to change working dir to /opt/src. Aborting."; exit 1; }

 # Install Wget
 yum -y install wget

 # Add the EPEL repository
 if grep -qs "release 6" /etc/redhat-release; then
-  EPEL_RPM="epel-release-6-8.noarch.rpm"
-  EPEL_URL="http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM"
+  EPEL_RPM=epel-release-6-8.noarch.rpm
+  EPEL_URL=http://download.fedoraproject.org/pub/epel/6/x86_64/$EPEL_RPM
 elif grep -qs "release 7" /etc/redhat-release; then
-  EPEL_RPM="epel-release-7-5.noarch.rpm"
-  EPEL_URL="http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM"
+  EPEL_RPM=epel-release-7-5.noarch.rpm
+  EPEL_URL=http://download.fedoraproject.org/pub/epel/7/x86_64/e/$EPEL_RPM
 fi
 wget -t 3 -T 30 -nv -O "$EPEL_RPM" "$EPEL_URL"
 [ ! -f "$EPEL_RPM" ] && { echo "Cannot retrieve EPEL repo RPM file. Aborting."; exit 1; }
@ -113,9 +112,9 @@ yum -y install nss-devel nspr-devel pkgconfig pam-devel \

 # Installed Libevent2. Use backported version for CentOS 6.
 if grep -qs "release 6" /etc/redhat-release; then
-  LE2_URL="https://download.libreswan.org/binaries/rhel/6/x86_64"
-  RPM1="libevent2-2.0.22-1.el6.x86_64.rpm"
-  RPM2="libevent2-devel-2.0.22-1.el6.x86_64.rpm"
+  LE2_URL=https://download.libreswan.org/binaries/rhel/6/x86_64
+  RPM1=libevent2-2.0.22-1.el6.x86_64.rpm
+  RPM2=libevent2-devel-2.0.22-1.el6.x86_64.rpm
  wget -t 3 -T 30 -nv -O "$RPM1" "$LE2_URL/$RPM1"
  wget -t 3 -T 30 -nv -O "$RPM2" "$LE2_URL/$RPM2"
  [ ! -f "$RPM1" ] || [ ! -f "$RPM2" ] && { echo "Cannot retrieve Libevent2 RPM file(s). Aborting."; exit 1; }
@ -126,12 +125,12 @@ fi

 # Compile and install Libreswan
 SWAN_FILE="libreswan-${SWAN_VER}.tar.gz"
-SWAN_URL="https://download.libreswan.org/${SWAN_FILE}"
+SWAN_URL="https://download.libreswan.org/$SWAN_FILE"
 wget -t 3 -T 30 -nv -O "$SWAN_FILE" "$SWAN_URL"
 [ ! -f "$SWAN_FILE" ] && { echo "Cannot retrieve Libreswan source file. Aborting."; exit 1; }
-/bin/rm -rf "/opt/src/libreswan-${SWAN_VER}"
+/bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xvzf "$SWAN_FILE" && rm -f "$SWAN_FILE"
-cd "libreswan-${SWAN_VER}" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
+cd "libreswan-$SWAN_VER" || { echo "Failed to enter Libreswan source dir. Aborting."; exit 1; }
 make programs && make install

 # Restore SELinux contexts
@ -142,10 +141,10 @@ make programs && make install
 # Restart IPsec service
 /sbin/service ipsec restart

-# Check if the install was successful
-/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "${SWAN_VER}"
-[ "$?" != "0" ] && { echo "Sorry, Libreswan ${SWAN_VER} failed to compile or install. Aborting."; exit 1; }
+# Check if Libreswan install was successful
+/usr/local/sbin/ipsec --version 2>/dev/null | grep -qs "$SWAN_VER"
+[ "$?" != "0" ] && { echo "Sorry, Libreswan $SWAN_VER failed to build. Aborting."; exit 1; }

 echo
-echo "Congratulations! Libreswan ${SWAN_VER} was installed successfully!"
+echo "Congratulations! Libreswan $SWAN_VER was installed successfully! "
 exit 0