diff --git a/README.md b/README.md
index daad41b..8a38256 100644
--- a/README.md
+++ b/README.md
@@ -82,12 +82,14 @@ You may use `vpnupgrade_Libreswan.sh` (for Ubuntu/Debian) and `vpnupgrade_Libres
## Important Notes
-For **Windows users**, a one-time registry change is required for connections to a VPN server behind NAT (e.g. Amazon EC2).
-
-**Android 6.0 users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to the end of both `ike=` and `phase2alg=`, then add a new line `sha2-truncbug=yes`. Start lines with two spaces. When finished, run `service ipsec restart`. (Source)
-
To support multiple VPN users with different credentials, just edit a few lines in the scripts.
+For **Windows users**, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
+
+**Android 6.0 users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to the end of both `ike=` and `phase2alg=`, then add a new line `sha2-truncbug=yes`. Must start lines with two spaces. Finally, run `service ipsec restart`. (Ref)
+
+**iPhone/iOS users**: In iOS settings, choose `L2TP` (instead of `IPSec`) for the VPN type. In case you're unable to connect, try replacing this line in /etc/ipsec.conf: `rightprotoport=17/%any` with `rightprotoport=17/0`. Then restart `ipsec` service.
+
Clients are configured to use Google Public DNS when the VPN connection is active. This setting is controlled by `ms-dns` in `/etc/ppp/options.xl2tpd`.
If using Amazon EC2, these ports must be open in the instance's security group: **UDP ports 500 & 4500** (for the VPN), and **TCP port 22** (optional, for SSH).
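Review bot: the Android 6.0 note now ends in a bare "(Ref)" with no link, and the Windows note says a registry change is required without saying which one or linking anywhere, whereas the script comments in this same change point to the Meraki "Error 809" page; suggest making "(Ref)" an actual link to the Libreswan FAQ entry that the old script comment cited and linking the Windows note to the same Meraki page so README readers are not left searching. Minor style point in the iOS line: `/etc/ipsec.conf` is the only file path in this section not wrapped in backticks; wrap it for consistency with the lines around it.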
@@ -96,8 +98,6 @@ If your server uses a custom SSH port (not 22), or if you wish to allow other se
The scripts will backup files `/etc/rc.local`, `/etc/sysctl.conf`, `/etc/iptables.rules` and `/etc/sysconfig/iptables` before overwriting them. Backups can be found under the same folder with `.old` suffix.
-iPhone/iOS users: If unable to connect, try replacing `rightprotoport=17/%any` in `ipsec.conf` with `rightprotoport=17/0`.
-
## Copyright and license
Copyright (C) 2014 Lin Song
diff --git a/vpnsetup.sh b/vpnsetup.sh
index a2cee7a..03956ac 100644
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -46,21 +46,23 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
-# For **Windows users**, a one-time registry change is required for connections
-# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
+# To support multiple VPN users with different credentials, just edit a few lines below.
+# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
+# For **Windows users**, a one-time registry change is required if the VPN server
+# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
-# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of both
-# "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Start lines with two spaces.
-# When finished, run "service ipsec restart". Source:
-# https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow
+# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
+# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
+# two spaces. Finally, run "service ipsec restart".
-# To support multiple VPN users with different credentials, see:
-# https://gist.github.com/hwdsl2/123b886f29f4c689f531
+# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
+# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
+# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
-# Clients are configured to use Google Public DNS when the VPN connection is active.
+# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
-# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
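Review bot: the rewrite drops two reference URLs that used to justify the advice, the Libreswan FAQ link for the Android 6.0 workaround (old line ending "...no_packet_flow") and the Google Public DNS link, while leaving the Meraki link in place; the Android tweak edits `ike=`, `phase2alg=` and adds `sha2-truncbug=yes` for the whole connection, so a future maintainer will want the source when deciding whether it is still needed. Suggest keeping both URLs on the line after each note, matching how the Windows note still does it.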
@@ -71,9 +73,6 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/iptables.rules
# before overwriting them. Backups can be found under the same folder with .old suffix.
-# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
-# "rightprotoport=17/%any" with "rightprotoport=17/0".
-
# Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; }
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; }
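Review bot: removing the old iOS note here is the right consolidation, but the deletion also takes the blank line that separated the notes block from "# Check for empty VPN variables", so the backup note now runs straight into the first code section; keep one empty line between the two.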
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 60cd822..00f1c2e 100644
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -55,21 +55,23 @@ VPN_PASSWORD=your_very_secure_password
# IMPORTANT NOTES:
-# For **Windows users**, a one-time registry change is required for connections
-# to a VPN server behind NAT (e.g. Amazon EC2). Please see:
+# To support multiple VPN users with different credentials, just edit a few lines below.
+# See: https://gist.github.com/hwdsl2/123b886f29f4c689f531
+
+# For **Windows users**, a one-time registry change is required if the VPN server
+# and/or client is behind NAT (e.g. home router). Refer to "Error 809" on this page:
# https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809
-# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of both
-# "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Start lines with two spaces.
-# When finished, run "service ipsec restart". Source:
-# https://libreswan.org/wiki/FAQ#Android_6.0_connection_comes_up_but_no_packet_flow
+# **Android 6.0 users**: Edit /etc/ipsec.conf and append ",aes256-sha2_256" to the end of
+# both "ike=" and "phase2alg=", then add a new line "sha2-truncbug=yes". Must start lines with
+# two spaces. Finally, run "service ipsec restart".
-# To support multiple VPN users with different credentials, see:
-# https://gist.github.com/hwdsl2/123b886f29f4c689f531
+# **iPhone/iOS users**: In iOS settings, choose L2TP (instead of IPSec) for the VPN type.
+# In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
+# "rightprotoport=17/%any" with "rightprotoport=17/0". Then restart "ipsec" service.
-# Clients are configured to use Google Public DNS when the VPN connection is active.
+# Clients are configured to use "Google Public DNS" when the VPN connection is active.
# This setting is controlled by "ms-dns" in /etc/ppp/options.xl2tpd.
-# https://developers.google.com/speed/public-dns/
# If using Amazon EC2, these ports must be open in the instance's security group:
# UDP ports 500 & 4500 (for the VPN), and TCP port 22 (optional, for SSH).
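Review bot: this comment block is a verbatim copy of the one in vpnsetup.sh, including the same dropped Libreswan FAQ and Google Public DNS URLs, so the same points apply; since the two scripts already drifted once (the README and scripts carried different wording for the iOS note before this change), consider replacing the duplicated notes with a short pointer to the README's "Important Notes" section, or at least restoring the two URLs in both copies.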
@@ -80,9 +82,6 @@ VPN_PASSWORD=your_very_secure_password
# This script will backup /etc/rc.local, /etc/sysctl.conf and /etc/sysconfig/iptables
# before overwriting them. Backups can be found under the same folder with .old suffix.
-# iPhone/iOS users: In case you're unable to connect, try replacing this line in /etc/ipsec.conf:
-# "rightprotoport=17/%any" with "rightprotoport=17/0".
-
# Check for empty VPN variables
[ -z "$IPSEC_PSK" ] && { echo "'IPSEC_PSK' cannot be empty. Please edit the VPN script."; exit 1; }
[ -z "$VPN_USER" ] && { echo "'VPN_USER' cannot be empty. Please edit the VPN script."; exit 1; }
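Review bot: same as in vpnsetup.sh, the removed block included the blank line before "# Check for empty VPN variables", leaving the backup note adjacent to the first code section; keep an empty line there, and note that this script's backup list correctly names /etc/sysconfig/iptables rather than /etc/iptables.rules, so the two scripts' comments must stay different on that one line even if the rest is deduplicated.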