diff --git a/dnclient/Dockerfile b/dnclient/Dockerfile
index 762aa62..9ae8eeb 100644
--- a/dnclient/Dockerfile
+++ b/dnclient/Dockerfile
@@ -1,12 +1,12 @@
 ARG BUILD_FROM=definednet/dnclient:latest
-# Extract dnclient binary from official image (avoids inheriting its VOLUME)
+# Extract binaries from official image (avoids inheriting its VOLUME declaration)
 FROM ${BUILD_FROM} AS source
 FROM alpine:3.21
 RUN apk add --no-cache iptables ip6tables ca-certificates
-COPY --from=source /usr/bin/dnclient /usr/bin/dnclient
+COPY --from=source /usr/local/bin/dnclient /usr/local/bin/dnclient
 COPY run.sh /
 RUN chmod a+x /run.sh
diff --git a/dnclient/run.sh b/dnclient/run.sh
index 7e0554e..0556e02 100644
--- a/dnclient/run.sh
+++ b/dnclient/run.sh
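Review bot: The binary taken by `COPY --from=source /usr/local/bin/dnclient ...` still comes from the mutable `latest` tag that `ARG BUILD_FROM` defaults to, and nothing in this hunk pins or verifies it; the path change itself suggests the upstream layout already moved under that tag. Pinning the default to a released tag plus digest, e.g. `ARG BUILD_FROM=definednet/dnclient:<version>@sha256:<digest>` (placeholders), would make the binary shipped in the add-on reproducible and turn the next upstream change into a reviewed update rather than a surprise. The updated comment also says "binaries" while only `dnclient` is copied; `# Extract the dnclient binary from the official image (avoids inheriting its VOLUME declaration)` would match the code.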
@@ -1,20 +1,52 @@
-#!/usr/bin/env sh
-set -e
+#!/bin/sh
+set -euo pipefail
 PERSIST_DIR="/data/defined"
+SYSTEM_DIR="/etc/defined"
+CONTROL_SOCKET="/var/run/dnclient.sock"
 # Ensure persistent directory exists and symlink /etc/defined to it
 mkdir -p "${PERSIST_DIR}"
-ln -sfn "${PERSIST_DIR}" /etc/defined
+ln -sfn "${PERSIST_DIR}" "${SYSTEM_DIR}"
-# Read enrollment code from HA options
-ENROLLMENT_CODE="$(cat /data/options.json | sed -n 's/.*"enrollment_code" *: *"\([^"]*\)".*/\1/p')"
-
-# Only set enrollment code if non-empty and host is not already enrolled
-if [ -n "${ENROLLMENT_CODE}" ] && [ ! -f "${PERSIST_DIR}/config.yml" ]; then
- export DN_ENROLLMENT_CODE="${ENROLLMENT_CODE}"
- echo "Enrolling host with provided enrollment code..."
+# Create the tun device so it doesn't need to be mounted
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+ mknod /dev/net/tun c 10 200
+ chmod 600 /dev/net/tun
 fi
-echo "Starting dnclient..."
-exec dnclient
+# Read enrollment code from HA options
+ENROLLMENT_CODE="$(sed -n 's/.*"enrollment_code" *: *"\([^"]*\)".*/\1/p' /data/options.json)"
+
+# Start dnclient
+dnclient run -server "${DN_API_SERVER:-https://api.defined.net}" &
+
+# Wait for control socket
+for i in $(seq 1 11); do
+ if [ -S "$CONTROL_SOCKET" ]; then
+ break
+ fi
+ if [ "$i" -eq 11 ]; then
+ echo "Timed out waiting for dnclient."
+ exit 1
+ fi
+ echo "Waiting for dnclient $CONTROL_SOCKET ($i/10)..."
+ sleep 1
+done
+
+# Enroll if not already enrolled
+if [ ! -f "${PERSIST_DIR}/dnclient.yml" ]; then
+ if [ -z "${ENROLLMENT_CODE}" ]; then
+ echo "Please provide an enrollment code in the add-on configuration."
+ exit 1
+ fi
+ export DN_ENROLLMENT_CODE="${ENROLLMENT_CODE}"
+ if ! dnclient enroll -code "$DN_ENROLLMENT_CODE"; then
+ echo "Enrollment failed."
+ exit 1
+ fi
+ echo "Enrollment complete."
+fi
+
+wait
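Review bot: The final bare `wait` returns 0 whatever happens to the background `dnclient run`, so a crashed daemon makes the script exit successfully, and the readiness loop keeps polling for the socket for the full ten seconds even if the process died at once. Recording the PID right after the launch with `DNCLIENT_PID=$!` and ending with `wait "$DNCLIENT_PID"` propagates the daemon's exit status; the loop could also stop early when `kill -0 "$DNCLIENT_PID"` fails. Because the old `exec dnclient` is gone, the shell now sits between the container runtime and the daemon, so (if this script is the container's main process, which the hunk does not show) a stop signal no longer reaches dnclient without a `trap` that forwards it. Separately, `dnclient enroll -code "$DN_ENROLLMENT_CODE"` puts the enrollment code on the command line, where it is readable from the process list while the command runs; that deserves a comment, or an environment-based hand-off if the client supports one.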