I have ended up with some scripts for running VPNs between connections with dynamic IP addresses. My starting point was scripts from here so I thought I’d post back what I now use. I use the comments fields to identify which elements to update for a connection.
The first script finds the local IP address for a connection and checks whether it needs to be updated:
# Script 1: push the current WAN address of each PPPoE interface to the
# dynamic DNS provider when the published record no longer matches it.
:local WANInterfaceIP;
:local WANResolvedIP;
:local WANInterface;
:local WANHostname;
# Flush the router's resolver cache so :resolve returns the live record.
/ip dns cache flush;

# First connection: set the interface name and its dynamic DNS hostname.
:set WANInterface "pppoe-out1";
:set WANHostname "hostname1";
:set WANResolvedIP [:resolve $WANHostname];
# /ip address returns "a.b.c.d/prefix"; keep the host part and convert it
# to an ip value so it compares correctly with the ip returned by :resolve.
:set WANInterfaceIP [/ip address get [find interface=$WANInterface] address];
:set WANInterfaceIP [:toip [:pick $WANInterfaceIP 0 [:find $WANInterfaceIP "/"]]];
/log info "VPN CHECKWANIP DNS: WAN InterfaceIP: $WANInterfaceIP WAN ResolvedIP: $WANResolvedIP for $WANHostname";
:if ($WANResolvedIP != $WANInterfaceIP) do={
    /log info "VPN CHECKWANIP DNS: Update required to DNS for WAN interface: $WANResolvedIP to $WANInterfaceIP";
    # "\3F" is the escaped "?" so the query string survives RouterOS string parsing.
    /tool fetch mode=http user="username" password="password" url="http://dynupdate.no-ip.com/nic/update\3Fhostname=$WANHostname&myip=$WANInterfaceIP" keep-result=no;
    /log info "VPN CHECKWANIP DNS: Update to DNS for WAN interface completed";
} else={
    /log info "VPN CHECKWANIP DNS: Update NOT required to DNS for WAN interface: $WANInterfaceIP";
}

# Second connection: the same check for the other PPPoE interface.
:set WANInterface "pppoe-out2";
:set WANHostname "hostname2";
:set WANResolvedIP [:resolve $WANHostname];
:set WANInterfaceIP [/ip address get [find interface=$WANInterface] address];
:set WANInterfaceIP [:toip [:pick $WANInterfaceIP 0 [:find $WANInterfaceIP "/"]]];
/log info "VPN CHECKWANIP DNS: WAN InterfaceIP: $WANInterfaceIP WAN ResolvedIP: $WANResolvedIP for $WANHostname";
:if ($WANResolvedIP != $WANInterfaceIP) do={
    /log info "VPN CHECKWANIP DNS: Update required to DNS for WAN interface: $WANResolvedIP to $WANInterfaceIP";
    /tool fetch mode=http user="username" password="password" url="http://dynupdate.no-ip.com/nic/update\3Fhostname=$WANHostname&myip=$WANInterfaceIP" keep-result=no;
    /log info "VPN CHECKWANIP DNS: Update to DNS for WAN interface completed";
} else={
    /log info "VPN CHECKWANIP DNS: Update NOT required to DNS for WAN interface: $WANInterfaceIP";
}
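As an added example (not part of the original post), here is the same WAN-to-DNS check written once as a function that is called per connection, so adding a third PPPoE link is one more line rather than another copy of the block. It also covers the two cases the plain version does not: the interface having no address yet (PPPoE still down) and the DNS lookup failing, either of which would otherwise abort the whole script. The interface names, hostnames and user/password are placeholders; the update URL is the one from the post.

```routeros
# Added example, not part of the original post: WAN-to-DNS check as a function.
:global CheckWanDns do={
    # Named parameters: $iface (WAN interface) and $host (dynamic DNS name).
    :local tag "VPN CHECKWANIP DNS ($iface / $host):";
    :local ifaceIP;
    :local resolvedIP;
    :local updated false;

    # 1. Address currently on the interface, host part only, as an ip value.
    :local addrIds [/ip address find interface=$iface];
    :if ([:len $addrIds] = 0) do={
        /log warning "$tag no address on interface, skipping";
    } else={
        :local addr [/ip address get [:pick $addrIds 0] address];
        :set ifaceIP [:toip [:pick $addr 0 [:find $addr "/"]]];

        # 2. What DNS says right now; a failed lookup must not abort the caller.
        :do {
            :set resolvedIP [:resolve $host];
        } on-error={
            /log warning "$tag DNS lookup failed, skipping";
        }

        # 3. Only contact the provider when the published record is stale.
        :if ([:typeof $resolvedIP] = "ip") do={
            :if ($resolvedIP = $ifaceIP) do={
                /log info "$tag no update required ($ifaceIP)";
            } else={
                /log info "$tag updating DNS from $resolvedIP to $ifaceIP";
                # "\3F" is the escaped "?" in a RouterOS string; credentials are placeholders.
                /tool fetch mode=http user="username" password="password" url="http://dynupdate.no-ip.com/nic/update\3Fhostname=$host&myip=$ifaceIP" keep-result=no;
                :set updated true;
            }
        }
    }
    :return $updated;
}

# Flush the resolver cache once, then run the check for every connection.
/ip dns cache flush;
:foreach iface,host in={"pppoe-out1"="hostname1"; "pppoe-out2"="hostname2"} do={
    $CheckWanDns iface=$iface host=$host;
}
```

The credentials travel over plain http exactly as in the post; if your provider offers the same update endpoint over https, prefer it, since the password is otherwise readable to anything on the path.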
The second script checks the IP address(es) for the local and remote ends by querying DNS and updates settings as necessary:
# Script 2: keep the IPIP tunnel and the IPsec peer/policy for "Sitename" pointed
# at the peer's current address, and the local side at this router's current WAN
# address. Items to update are selected by their comment field (comment="Sitename").
/ip dns cache flush;

# Remote end: resolve the peer's hostname and compare with the value remembered
# from the previous run (a global persists between script runs).
:local CurrentPeerIPSitename [:resolve "Sitename.com"];
:global PreviousPeerIPSitename;
:if ($CurrentPeerIPSitename != $PreviousPeerIPSitename) do={
    /log info "VPN CHECKPEERIP: Update required to Sitename peer IP address: $CurrentPeerIPSitename";
    :set PreviousPeerIPSitename $CurrentPeerIPSitename;
    /interface ipip set remote-address=$CurrentPeerIPSitename [find comment="Sitename"];
    /ip ipsec peer set address="$CurrentPeerIPSitename/32" [find comment="Sitename"];
    /ip ipsec policy set sa-dst-address=$CurrentPeerIPSitename dst-address="$CurrentPeerIPSitename/32" [find comment="Sitename"];
    # Drop the existing IKE sessions so new SAs are negotiated with the new address.
    /ip ipsec remote-peers kill-connections;
} else={
    /log info "VPN CHECKPEERIP: Update NOT required to Sitename peer IP address: $CurrentPeerIPSitename";
}

# Local end: the address currently on the WAN interface, host part only,
# converted to an ip value so the comparison with the remembered value is reliable.
:local CurrentLocalIP;
:global PreviousLocalIP;
:set CurrentLocalIP [/ip address get [find interface="pppoe-out1"] address];
:set CurrentLocalIP [:toip [:pick $CurrentLocalIP 0 [:find $CurrentLocalIP "/"]]];
:if ($CurrentLocalIP != $PreviousLocalIP) do={
    /log info "VPN CHECKLOCALIP: Update required to local WAN IP address: $CurrentLocalIP";
    :set PreviousLocalIP $CurrentLocalIP;
    /interface ipip set local-address=$CurrentLocalIP [find comment="Sitename"];
    /ip ipsec policy set sa-src-address=$CurrentLocalIP src-address="$CurrentLocalIP/32" [find comment="Sitename"];
    /ip ipsec remote-peers kill-connections;
} else={
    /log info "VPN CHECKLOCALIP: Update NOT required to local WAN IP address: $CurrentLocalIP";
}
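As an added example (not part of the original post), here is the second script generalised to every IPIP tunnel whose comment holds the peer's DNS name, with the same comment on the matching IPsec peer and policy (e.g. comment="Sitename.com"). Instead of a global "previous IP" variable, which is lost on reboot so the first run afterwards always tears the tunnels down, it compares the resolved address with what is already configured on the tunnel and kills IKE sessions only when something has really changed. A failed DNS lookup leaves that tunnel untouched. It assumes, as the post does, that pppoe-out1 is the local side of all tunnels.

```routeros
# Added example, not part of the original post: DNS-driven peer/local refresh
# for every IPIP tunnel whose comment is the peer's hostname.
:local wanIface "pppoe-out1";
:local changed 0;

/ip dns cache flush;

# Local side: current WAN address as an ip value; stop early if there is none.
:if ([:len [/ip address find interface=$wanIface]] = 0) do={
    :error "VPN CHECKLOCALIP: no address on $wanIface, nothing to do";
}
:local wanAddr [/ip address get [find interface=$wanIface] address];
:local localIP [:toip [:pick $wanAddr 0 [:find $wanAddr "/"]]];

:foreach tun in=[/interface ipip find] do={
    :local peerName [/interface ipip get $tun comment];
    :if ([:len $peerName] > 0) do={
        :local tag "VPN CHECKPEERIP ($peerName):";

        # Local end: make the tunnel and the policy follow the WAN address.
        :if ([/interface ipip get $tun local-address] != $localIP) do={
            /log info "$tag local WAN address is now $localIP, updating";
            /interface ipip set $tun local-address=$localIP;
            /ip ipsec policy set [find comment=$peerName] sa-src-address=$localIP src-address="$localIP/32";
            :set changed ($changed + 1);
        }

        # Remote end: a failed lookup leaves the configured address as it is.
        :local newIP;
        :do {
            :set newIP [:resolve $peerName];
        } on-error={
            /log warning "$tag DNS lookup failed, leaving remote address untouched";
        }
        :if ([:typeof $newIP] = "ip") do={
            :local oldIP [/interface ipip get $tun remote-address];
            :if ($newIP != $oldIP) do={
                /log info "$tag peer moved from $oldIP to $newIP, updating";
                /interface ipip set $tun remote-address=$newIP;
                /ip ipsec peer set [find comment=$peerName] address="$newIP/32";
                /ip ipsec policy set [find comment=$peerName] sa-dst-address=$newIP dst-address="$newIP/32";
                :set changed ($changed + 1);
            } else={
                /log info "$tag no update required ($oldIP)";
            }
        }
    }
}

# kill-connections drops every IKE session on the router, so do it once at the
# end and only if at least one tunnel was actually changed.
:if ($changed > 0) do={
    /ip ipsec remote-peers kill-connections;
}
```

Because the comparison is against the live configuration rather than a remembered value, the script is safe to run as often as you like: when nothing has moved it changes nothing and no tunnel is interrupted.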
I’m sure there are better solutions, but I thought it worth sharing.