diff --git a/security/tinc/Makefile b/security/tinc/Makefile
index 19cc944ff..ea9b6397a 100644
--- a/security/tinc/Makefile
+++ b/security/tinc/Makefile
@@ -1,5 +1,6 @@
 PLUGIN_NAME= tinc
 PLUGIN_VERSION= 1.7
+PLUGIN_REVISION= 1
 PLUGIN_COMMENT= Tinc VPN
 PLUGIN_DEPENDS= tinc
 PLUGIN_MAINTAINER= ad@opnsense.org
diff --git a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
index d9020a76c..2f73ae60b 100755
--- a/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
+++ b/security/tinc/src/opnsense/scripts/OPNsense/Tinc/tincd.py
@@ -96,7 +96,7 @@ def deploy(config_filename):
 if_up.append("configctl interface %s %s" % (interface_configd, interface_name))
 write_file("%s/tinc-up" % network.get_basepath(), '\n'.join(if_up) + "\n", 0o700)
- # write subnet-up file and ship required binaries into the chroot
+ # write subnet-{up|down} scripts and ship required binaries into the chroot
 chroot_needs = set(['/bin/sh', '/sbin/route', '/libexec/ld-elf.so.1'])
 for item in list(chroot_needs):
 for line in subprocess.run(['/usr/bin/ldd', item], capture_output=True, text=True).stdout.split('\n'):
@@ -109,6 +109,10 @@ def deploy(config_filename):
 "#!/bin/sh",
 "route add $SUBNET -iface %s\n" % interface_name
 ]), 0o700)
+ write_file("%s/subnet-down" % network.get_basepath(), '\n'.join([
+ "#!/bin/sh",
+ "route delete $SUBNET -iface %s\n" % interface_name
+ ]), 0o700)
 # configure and rename new tun device, place all in group "tinc" symlink associated tun device
 if interface_name not in interfaces:
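Review bot: In the added subnet-down block of the second tincd.py hunk, the generated script expands `$SUBNET` unquoted and formats `interface_name` into the shell line without escaping, so the `route delete` command relies on both values being free of whitespace and shell metacharacters. Where `interface_name` comes from is not visible in this hunk, so this is a hardening point rather than a confirmed defect. I would write the line as `"route delete \"$SUBNET\" -iface %s\n" % shlex.quote(interface_name)`, which needs `shlex` imported if the file does not already have it. The subnet-up context lines just above have the same form and should get the same treatment so the two scripts stay symmetric. The body of deploy starts and ends outside the hunk.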