diff --git a/extras/vpnupgrade.sh b/extras/vpnupgrade.sh
index b8fdb8edb6..27f2b88814 100644
--- a/extras/vpnupgrade.sh
+++ b/extras/vpnupgrade.sh
@@ -51,6 +51,26 @@ if ! /usr/local/sbin/ipsec --version 2>/dev/null | grep -q "Libreswan"; then
   exiterr "This script requires Libreswan already installed."
 fi
 
+if [ "$SWAN_VER" = "3.22" ]; then
+  if grep -qs raspbian /etc/os-release; then
+    echo "Note: For Raspberry Pi systems, this script will install Libreswan"
+    echo "version 3.21 instead of 3.22, to avoid some recent bugs."
+    echo
+    printf "Do you wish to continue? [y/N] "
+    read -r response
+    case $response in
+      [yY][eE][sS]|[yY])
+        echo
+        SWAN_VER=3.21
+        ;;
+      *)
+        echo "Aborting."
+        exit 1
+        ;;
+    esac
+  fi
+fi
+
 if /usr/local/sbin/ipsec --version 2>/dev/null | grep -qF "$SWAN_VER"; then
   echo "You already have Libreswan version $SWAN_VER installed! "
   echo "If you continue, the same version will be re-installed."
@@ -141,7 +161,7 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
+[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
diff --git a/extras/vpnupgrade_centos.sh b/extras/vpnupgrade_centos.sh
index 76692d0e16..1e44f5b8bf 100644
--- a/extras/vpnupgrade_centos.sh
+++ b/extras/vpnupgrade_centos.sh
@@ -143,7 +143,7 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
+[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 3954085812..a8527e6cd7 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -177,7 +177,11 @@ apt-get -yq install fail2ban || exiterr2
 
 bigecho "Compiling and installing Libreswan..."
 
-SWAN_VER=3.22
+if ! grep -qs raspbian /etc/os-release; then
+  SWAN_VER=3.22
+else
+  SWAN_VER=3.21
+fi
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -187,7 +191,7 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
+[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 405fc092fe..0c8121a784 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -178,7 +178,7 @@ fi
 /bin/rm -rf "/opt/src/libreswan-$SWAN_VER"
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exiterr "Cannot enter Libreswan source dir."
-sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
+[ "$SWAN_VER" = "3.22" ] && sed -i '/^#define LSWBUF_CANARY/s/-2$/((char) -2)/' include/lswlog.h
 cat > Makefile.inc.local <<'EOF'
 WERROR_CFLAGS =
 USE_DNSSEC = false