When my home DHCP address changes, I want stuff done

I recently moved from an appliance to a FreeBSD 14.2 gateway.

These are the main things I need done when my IP address changes:

  1. restart OpenVPN
  2. restart my Hurricane Electric IPv6 tunnel with the new IP address – written
  3. Tell HE.net about my IP address change – written
  4. Notify OpenDNS.com about my IP address change
  5. Update a dynamic DNS entry so my VPN clients can reconnect

The last two items have yet to be scripted. They won’t take long, but they will be in the next post because I’ve run out of time today.

The hooks

After posting on Mastodon about using devd.conf(5) for ADDR_ADD / ADDR_DEL (i.e. catch the event and launch a script to set DNS), I changed my mind. That sounds like a bunch of new code, and I don’t want to do that right now. Instead, I’m going to use the /etc/dhclient-exit-hooks file mentioned within /sbin/dhclient-script.

Looking around, I found a script, written by a rather dodgy individual, responsible for much mayhem in the queuing world, and I think I’m going to use it as my starting point.

First, I need the scripts which will be launched from that hook.

Restart the HE tunnel

Based on the example provided at https://tunnelbroker.net, I created this script to build me a tunnel based on the IP address provided.

[21:49 gw01 dvl ~] % ls -l /usr/local/sbin/he-net.sh
-rwxr-xr-x  1 root wheel 288 2025.03.02 21:45 /usr/local/sbin/he-net.sh
[21:50 gw01 dvl ~] % cat /usr/local/sbin/he-net.sh  
#!/bin/sh

new_ip_address=$1

ifconfig gif0 down
ifconfig gif0 destroy

ifconfig gif0 create
ifconfig gif0 tunnel "$new_ip_address" 209.51.161.14
ifconfig gif0 inet6 2001:470:1f06:9ea::2 2001:470:1f06:9ea::1 prefixlen 128
route -n add -inet6 default 2001:470:1f06:9ea::1
ifconfig gif0 up
[21:50 gw01 dvl ~] % 

That works just fine:

[21:50 gw01 dvl ~] % sudo /usr/local/sbin/he-net.sh 203.0.113.59
add net default: gateway 2001:470:1f06:9ea::1

This script will be invoked from within /etc/dhclient-exit-hooks.

Tell HE.net about my IP address change

I wonder, should I do this before recreating the tunnel?

You don’t want this script. You want the script from the next section.

Please note the following:

  • The script contains secrets – not ideal – see the next section for a better solution
  • The script is chmod o= to protect those secrets
  • The output is dumped to a temp file
  • The temp file’s contents are logged

[22:09 gw01 dvl ~] % ls -l /usr/local/sbin/he-notify.sh
-rwxr-x---  1 root wheel 268 2025.03.02 22:08 /usr/local/sbin/he-notify.sh
[22:09 gw01 dvl ~] % cat /usr/local/sbin/he-notify.sh     
#!/bin/sh

username="dan"
password="abc123"
hostname="random"

TMPFILE=$(mktemp /tmp/he-notify.sh-.XXXXXX)

fetch -qo "$TMPFILE" https://"$username":"$password"@ipv4.tunnelbroker.net/nic/update?hostname="$hostname"

logger -t $0 $(cat "$TMPFILE")
rm "$TMPFILE"

[22:09 gw01 dvl ~] % 

Let’s do better

Here is the new script:

[22:17 gw01 dvl ~] % ls -l /usr/local/sbin/he-notify.sh          
-rwxr-xr-x  1 root wheel 289 2025.03.02 22:16 /usr/local/sbin/he-notify.sh
[22:17 gw01 dvl ~] % cat /usr/local/sbin/he-notify.sh
#!/bin/sh

if [ -r /usr/local/etc/he-notify.sh ]
then
   . /usr/local/etc/he-notify.sh
fi

TMPFILE=$(mktemp /tmp/he-notify.sh-.XXXXXX)

fetch -qo "$TMPFILE" https://"$username":"$password"@ipv4.tunnelbroker.net/nic/update?hostname="$hostname"

logger -t $0 $(cat "$TMPFILE")
rm "$TMPFILE"

You’ll notice the use of /usr/local/etc/he-notify.sh – here is how I created that:

[22:13 gw01 dvl ~] % sudo cp /usr/local/sbin/he-notify.sh /usr/local/etc/he-notify.sh
[22:13 gw01 dvl ~] % sudo chmod 0400 /usr/local/etc/he-notify.sh
[22:17 gw01 dvl ~] % sudo chmod 0755 /usr/local/sbin/he-notify.sh

Then I trimmed down the new file to contain only this:

[22:18 gw01 dvl ~] % sudo cat /usr/local/etc/he-notify.sh
#!/bin/sh

# intended for use by /usr/local/sbin/he-notify.sh

username="dan"
password="abc123"
hostname="random"

This new file is now the one which requires protection.

Running the new script looks like this:

[22:19 gw01 dvl ~] % sudo /usr/local/sbin/he-notify.sh     
[22:20 gw01 dvl ~] % 

That logger statement records this in /var/log/messages:

Mar  2 22:20:57 gw01 /usr/local/sbin/he-notify.sh[60238]: nochg 203.0.113.59

I’m guessing that means no change. HE.net knows your current IP address because the update request arrives from it.
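Both scripts run as root and trust their inputs: he-net.sh destroys gif0 before it ever looks at the address it was given, and he-notify.sh sources whatever it finds at /usr/local/etc/he-notify.sh. The following is an added example, not part of the original scripts, of two pre-flight checks they could call first; the function names and the optional owner-uid parameter are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks for he-net.sh and he-notify.sh.
# valid_ipv4 and secrets_file_ok are hypothetical helper names.

# valid_ipv4 ADDR: succeed only for a dotted quad, each octet 0-255,
# no leading zeros, nothing but digits and dots.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    v4_rest=$1.
    v4_count=0
    while [ -n "$v4_rest" ]; do
        v4_octet=${v4_rest%%.*}      # text before the first dot
        v4_rest=${v4_rest#*.}        # text after the first dot
        case "$v4_octet" in
            0?*|????*) return 1 ;;   # leading zero or more than 3 digits
        esac
        [ "$v4_octet" -le 255 ] || return 1
        v4_count=$((v4_count + 1))
    done
    [ "$v4_count" -eq 4 ]
}

# secrets_file_ok FILE [UID]: succeed only if FILE is a regular file (not a
# symlink), owned by UID (default 0, root), with no group or other access.
secrets_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    sf_info=$(ls -ldn -- "$1") || return 1
    # Split the listing: $2 = mode string, $4 = numeric owner.
    set -- "${2:-0}" $sf_info
    case "$2" in
        -???------*) ;;              # e.g. -r-------- (0400) or -rw------- (0600)
        *) return 1 ;;
    esac
    [ "$4" = "$1" ]
}

# Assumed placement in the page's scripts:
#   he-net.sh, before "ifconfig gif0 down":
#     valid_ipv4 "$1" || { logger -t "$0" "refusing address: $1"; exit 1; }
#   he-notify.sh, in place of the "[ -r ... ]" test:
#     secrets_file_ok /usr/local/etc/he-notify.sh || exit 1
#     . /usr/local/etc/he-notify.sh
```

With the 0400 root-owned file created above, secrets_file_ok passes; it fails if the file is later made group- or world-accessible, replaced by a symlink, or owned by another user.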

That’s all for today
