I recently moved from an appliance to a FreeBSD 14.2 gateway.
In this post:
- FreeBSD 14.2
- gw01
- gw01 photos
These are the main things I need done when my IP address changes:
- restart OpenVPN
- restart my Hurricane Electric IPv6 tunnel with the new IP address – written
- tell HE.net about my IP address change – written
- Notify OpenDNS.com about my IP address change
- Update a dynamic DNS entry so my VPN clients can reconnect
The last two items have yet to be scripted. They won’t take long, but they will be in the next post because I’ve run out of time today.
The hooks
After posting on Mastodon about using devd.conf(5) for ADDR_ADD / ADDR_DEL (i.e. catch the event and launch a script to set DNS), I changed my mind. That sounds like a bunch of new code, and I don’t want to do that right now. Instead, I’m going to use the /etc/dhclient-exit-hooks file mentioned within /sbin/dhclient-script.
Looking around, I found a script, written by a rather dodgy individual, responsible for much mayhem in the queuing world, and I think I’m going to use it as my starting point.
First, I need the scripts which will be launched from that hook.
Restart the HE tunnel
Based on the example provided at https://tunnelbroker.net, I created this script to build me a tunnel based on the IP address provided.
```
[21:49 gw01 dvl ~] % ls -l /usr/local/sbin/he-net.sh
-rwxr-xr-x  1 root wheel 288 2025.03.02 21:45 /usr/local/sbin/he-net.sh
[21:50 gw01 dvl ~] % cat /usr/local/sbin/he-net.sh
#!/bin/sh

new_ip_address=$1

ifconfig gif0 down
ifconfig gif0 destroy
ifconfig gif0 create
ifconfig gif0 tunnel "$new_ip_address" 209.51.161.14
ifconfig gif0 inet6 2001:470:1f06:9ea::2 2001:470:1f06:9ea::1 prefixlen 128
route -n add -inet6 default 2001:470:1f06:9ea::1
ifconfig gif0 up
[21:50 gw01 dvl ~] %
```
That works just fine:
```
[21:50 gw01 dvl ~] % sudo /usr/local/sbin/he-net.sh 203.0.113.59
add net default: gateway 2001:470:1f06:9ea::1
```
This script will be invoked from within /etc/dhclient-exit-hooks.
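The hook itself is left for the next post, so here is an added example of what /etc/dhclient-exit-hooks could look like. It is not the author's hook; it assumes the script paths shown in this post, an external interface named igb0 (adjust WAN_IF), and the variables that FreeBSD's dhclient-script sets before sourcing the file ($reason, $interface, $old_ip_address, $new_ip_address). The decision logic sits in one function so it can be exercised without a real lease: a BOUND or REBOOT always rebuilds the tunnel, a RENEW or REBIND only when the address actually moved, and events on any other interface are ignored. On the ordering question raised below: the nic/update call is plain IPv4 HTTPS to ipv4.tunnelbroker.net, so it does not depend on gif0 and can run first, which means the far end already knows the new address by the time the tunnel comes back up.

```shell
#!/bin/sh
# Example /etc/dhclient-exit-hooks for the gateway described in the post.
# This is an added example, not the author's hook; dhclient-script(8) on
# FreeBSD sources this file after configuring the lease, with $reason,
# $interface, $old_ip_address and $new_ip_address already set.

# Paths of the two scripts shown in the post.
HE_TUNNEL=/usr/local/sbin/he-net.sh
HE_NOTIFY=/usr/local/sbin/he-notify.sh

# The interface that holds the public DHCP lease: assumed name, override
# with WAN_IF=... in the environment if yours differs.
WAN_IF=${WAN_IF:-igb0}

# Decide whether an event means the public address changed.
# $1 reason, $2 interface, $3 old address, $4 new address.
# Returns 0 (true) when the tunnel and HE.net need updating.
address_changed() {
    ac_reason=$1; ac_if=$2; ac_old=$3; ac_new=$4
    # Ignore leases on any other interface (e.g. a LAN-side DHCP client).
    [ "$ac_if" = "$WAN_IF" ] || return 1
    case $ac_reason in
        BOUND|REBOOT)
            # A fresh lease: always rebuild, as long as we got an address.
            [ -n "$ac_new" ]
            ;;
        RENEW|REBIND)
            # Renewals normally keep the address; act only if it moved.
            [ -n "$ac_new" ] && [ "$ac_new" != "$ac_old" ]
            ;;
        *)
            # EXPIRE, FAIL, TIMEOUT and friends carry nothing to update with.
            return 1
            ;;
    esac
}

# Run the post's scripts in order and log each failure, so a broken step
# is visible in /var/log/messages next to the he-notify.sh output.
on_address_change() {
    oac_new=$1
    logger -t dhclient-exit-hooks "public address now $oac_new, updating HE tunnel"
    "$HE_NOTIFY" || logger -t dhclient-exit-hooks "he-notify.sh failed (status $?)"
    "$HE_TUNNEL" "$oac_new" || logger -t dhclient-exit-hooks "he-net.sh failed (status $?)"
}

# dhclient-script sets $reason; when this file is run by hand to test,
# it is unset and only the functions above are defined.
if [ -n "${reason:-}" ]; then
    if address_changed "$reason" "${interface:-}" "${old_ip_address:-}" "${new_ip_address:-}"; then
        on_address_change "$new_ip_address"
    fi
fi
```

The file is sourced, not executed, so it runs with dhclient's privileges and any error inside it lands in dhclient's own log context; keeping the real work in the two separate scripts (as the post does) keeps this hook small enough to read at a glance.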
Tell HE.net about my IP address change
I wonder, should I do this before recreating the tunnel?
You don’t want this script. You want the script from the next section.
Please note the following:
- The script contains secrets – not ideal – see the next section for a better solution
- The script is chmod o= (no permissions for others) to protect those secrets
- The output is dumped to a temp file
- The temp file contents are logged
```
[22:09 gw01 dvl ~] % ls -l /usr/local/sbin/he-notify.sh
-rwxr-x---  1 root wheel 268 2025.03.02 22:08 /usr/local/sbin/he-notify.sh
[22:09 gw01 dvl ~] % cat /usr/local/sbin/he-notify.sh
#!/bin/sh

username="dan"
password="abc123"
hostname="random"

TMPFILE=$(mktemp /tmp/he-notify.sh-.XXXXXX)

# credentials in the URL are visible in the process list while fetch runs
fetch -qo "$TMPFILE" "https://$username:$password@ipv4.tunnelbroker.net/nic/update?hostname=$hostname"
logger -t "$0" "$(cat "$TMPFILE")"
rm "$TMPFILE"
[22:09 gw01 dvl ~] %
```
Let’s do better
Here is the new script:
```
[22:17 gw01 dvl ~] % ls -l /usr/local/sbin/he-notify.sh
-rwxr-xr-x  1 root wheel 289 2025.03.02 22:16 /usr/local/sbin/he-notify.sh
[22:17 gw01 dvl ~] % cat /usr/local/sbin/he-notify.sh
#!/bin/sh

# username, password and hostname live in a separate, mode-0400 file
if [ -r /usr/local/etc/he-notify.sh ]
then
  . /usr/local/etc/he-notify.sh
fi

TMPFILE=$(mktemp /tmp/he-notify.sh-.XXXXXX)

fetch -qo "$TMPFILE" "https://$username:$password@ipv4.tunnelbroker.net/nic/update?hostname=$hostname"
logger -t "$0" "$(cat "$TMPFILE")"
rm "$TMPFILE"
```
You’ll notice the use of /usr/local/etc/he-notify.sh – here is how I created that:
```
[22:13 gw01 dvl ~] % sudo cp /usr/local/sbin/he-notify.sh /usr/local/etc/he-notify.sh
[22:13 gw01 dvl ~] % sudo chmod 0400 /usr/local/etc/he-notify.sh
[22:17 gw01 dvl ~] % sudo chmod 0755 /usr/local/sbin/he-notify.sh
```
Then I trimmed down the new file to contain only this:
```
[22:18 gw01 dvl ~] % sudo cat /usr/local/etc/he-notify.sh
#!/bin/sh

# intended for use by /usr/local/sbin/he-notify.sh

username="dan"
password="abc123"
hostname="random"
```
This new file is now the one which requires protection.
Running the new script looks like this:
```
[22:19 gw01 dvl ~] % sudo /usr/local/sbin/he-notify.sh
[22:20 gw01 dvl ~] %
```
That logger statement records this in /var/log/messages:
Mar 2 22:20:57 gw01 /usr/local/sbin/he-notify.sh[60238]: nochg 203.0.113.59
I’m guessing that means no change. HE.net knows your current IP address because the request comes from that address.
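Two things a practitioner would still tighten in the script above: nothing checks that /usr/local/etc/he-notify.sh is really mode 0400 and root-owned before it is sourced, and putting the password in the URL means it is visible in the process list (ps) for as long as fetch runs. The following is an added example, not the author's script, of a variant that does both checks; it assumes the same config-file path and variable names as the post, and relies on the HTTP_AUTH environment variable that fetch(3) documents for basic authentication (form basic:realm:user:password, with * matching any realm). The "nochg" reply is the one shown in the post's log; treating "good" as success as well is an assumption about this dyndns-style interface.

```shell
#!/bin/sh
# Hardened variant of he-notify.sh (added example, not the post's script).
# Two changes from the post: the secrets file is checked before it is
# sourced, and the credentials travel in fetch(3)'s HTTP_AUTH variable
# instead of the URL, so they never show up in the process list.

CONF=${CONF:-/usr/local/etc/he-notify.sh}   # path from the post

# Returns 0 when $1 is a regular file owned by the current user whose
# group and other permission bits are all clear (e.g. the post's 0400).
# ls(1) output is parsed instead of stat(1) because stat's flags differ
# between FreeBSD and Linux.
secrets_file_ok() {
    sfo_f=$1
    [ -f "$sfo_f" ] || return 1
    sfo_line=$(ls -ld "$sfo_f") || return 1
    sfo_mode=$(printf '%s\n' "$sfo_line" | cut -c1-10)        # e.g. -r--------
    sfo_owner=$(printf '%s\n' "$sfo_line" | awk '{print $3}')
    # Owner must be whoever is running this (root, under dhclient);
    # ls prints a numeric uid when there is no passwd entry, so accept both.
    [ "$sfo_owner" = "$(id -un 2>/dev/null)" ] || [ "$sfo_owner" = "$(id -u)" ] || return 1
    case $sfo_mode in
        -???------) return 0 ;;   # no group/other bits set
        *)          return 1 ;;
    esac
}

# Classify the one-line reply from the update endpoint. "nochg" is the
# reply shown in the post; "good" is the usual success reply of this
# dyndns-style interface (assumed); anything else is treated as failure.
update_ok() {
    case $1 in
        good*|nochg*) return 0 ;;
        *)            return 1 ;;
    esac
}

notify_he() {
    if ! secrets_file_ok "$CONF"; then
        logger -t he-notify.sh "refusing to read $CONF: wrong owner or mode"
        return 1
    fi
    . "$CONF"    # sets username, password, hostname (as in the post)
    # HTTP_AUTH=basic:<realm>:<user>:<password>; "*" matches any realm.
    # The variable is set only for the fetch process, not exported further.
    reply=$(HTTP_AUTH="basic:*:$username:$password" \
        fetch -qo - "https://ipv4.tunnelbroker.net/nic/update?hostname=$hostname")
    logger -t he-notify.sh "$reply"
    update_ok "$reply"
}

# Only send the update when invoked as "he-notify.sh run"; sourcing the
# file, or running it with no argument, just defines the functions.
case ${1:-} in
    run) notify_he ;;
esac
```

Because notify_he returns the classification of the reply, a caller such as the dhclient hook can log a failed update instead of silently moving on; the reply still goes to /var/log/messages exactly as in the post, minus the temp file.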