diff --git a/skel/scripts/subnet-ula-hosts b/skel/scripts/subnet-ula-hosts
new file mode 100644
index 0000000..1d7ba6b
--- /dev/null
+++ b/skel/scripts/subnet-ula-hosts
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+ULA_PREFIX="fd00:1213:acab::"
+ETCHOSTS="etchosts"
+# Added at the end of each line in the hosts file.
+COMMENT="# Managed by tinc $NAME"
+
+function mac_to_ip6_token() {
+ # https://tools.ietf.org/html/rfc2464
+ # TODO: Sanitize this so that nothing bad happens if someone sends a
+ # malicious subnet string to tinc, something like aa:';rm -rf /.
+
+ # "aa:bb:cc:dd:ee:ff" → hexets=( "aa" "bb" "cc" "dd" "ee" "ff" )
+ readarray -td: hexets <<< "$1"
+ # first = 0xaa xor 2 = a8
+ first=`printf '%02x' $(( 0x${hexets[0]} ^ 2 ))`
+ # a8bb:ccff:fedd:eeff
+ printf '%s%s:%sff:fe%s:%s%s\n' $first ${hexets[@]:1}
+}
+
+ip="$ULA_PREFIX$(mac_to_ip6_token "$SUBNET")"
+
+# TODO: Sanitize this too, maybe NODE = 'accounts.google.com\n1.2.3.4 foo' ?
+sed -i "/$NODE\.$NAME $COMMENT/d" "$ETCHOSTS"
+sed -i "/^$ip .* $COMMENT$/d" "$ETCHOSTS"
+
+if [ "$1" == "up" ]; then
+ echo "$ip $NODE.$NAME $COMMENT" >> "$ETCHOSTS"
+fi
diff --git a/skel/subnet-down b/skel/subnet-down
new file mode 100755
index 0000000..ed83315
--- /dev/null
+++ b/skel/subnet-down
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cd `dirname "$0"`
+. ./run-script
diff --git a/skel/subnet-up b/skel/subnet-up
new file mode 100755
index 0000000..ed83315
--- /dev/null
+++ b/skel/subnet-up
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cd `dirname "$0"`
+. ./run-script
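Review bot: `$SUBNET`, `$NODE` and `$NAME` are used unvalidated in `skel/scripts/subnet-ula-hosts`, which the two TODO comments acknowledge but the commit does not fix. `$SUBNET` reaches the arithmetic expansion in `mac_to_ip6_token`, and `$NODE`/`$NAME` are spliced into both `sed -i` scripts and the appended hosts line, all of which interpret their input rather than treating it as data. A guard before the `ip=` assignment would close this, e.g. `[[ $SUBNET =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] || exit 1` and `[[ $NODE =~ ^[A-Za-z0-9_]+$ && $NAME =~ ^[A-Za-z0-9_]+$ ]] || exit 1`; this assumes SUBNET arrives as six two-digit hex octets as the comment shows, so confirm against what tinc actually exports. Separately, the first `sed` address is unanchored, so a node whose name is a suffix of another's would delete that other node's entry; `"/ $NODE\.$NAME $COMMENT\$/d"` would avoid that.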
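Review bot: The `cd` in `skel/subnet-down` is unquoted and unchecked, so if the script directory contains whitespace or the `cd` fails, `. ./run-script` is sourced from whatever the current directory happens to be. `cd "$(dirname "$0")" || exit 1` keeps the wrapper from sourcing a file from an unexpected location. The identical wrapper in `skel/subnet-up` has the same issue.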