---
layout: post
title: Wifi without network manager
date: 2020-09-16
language: en
language_reference: nonm
published: true
---

{% include toc.html %}

With this setup, `wpa_supplicant` automatically changes network when needed.
Moreover, the network can be changed in userspace and new networks can be added.
All without the bloat of `NetworkManager` and `ModemManager`.

## Requirements

- `wpa_supplicant`
- `wpa_gui`

## `wpa_supplicant`
`/etc/network/interfaces` needs to be set up for direct use with a `wpa_supplicant` daemon.
This is done by configuring the wireless interface as follows.

```
allow-hotplug wlp2s0
iface wlp2s0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
```

This means that a `wpa_supplicant` daemon watches for the networks specified in the config and switches to them when they are in range.
Note that the `iface` is set to `manual` and not `dhcp`.
This means that below those lines you can manually configure the networks from the config.
So if you have a network in `wpa_supplicant.conf` with `id_str="work"` that needs to be configured with DHCP, you add the following line:

```
iface work inet dhcp
```

Setting an `id_str` for every network is tedious, so to create a default setting you can use the `default` network name, for example to set all wifi networks to DHCP.

```
iface default inet dhcp
```

## `wpa_supplicant.conf`
The config file for `wpa_supplicant` should at least contain the following lines.
The `ctrl_interface` line defines the control socket and states that all users in the `netdev` group may control `wpa_supplicant`.
The `update_config` line states that the config file may be updated, so changes are persistent.
Users you allow to change the config therefore have to be added to `netdev`.

```
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
```

These lines are followed by all the network configurations.
For these configurations, consult the manpage for `wpa_supplicant`.
E.g. for `WPA2` networks you can use the `wpa_passphrase` tool.
For eduroam, don't handcraft configs either; use the [configuration assistant](https://cat.eduroam.org/).
This tool will generate a `wpa_supplicant.conf` if it fails to talk to NetworkManager.

## `wpa_gui`
Editing the config file is tedious and error prone.
Moreover, it requires a restart of `wpa_supplicant` to reinstate the config.
Luckily there are two tools that allow you to do this in-place, using either the command line (`wpa_cli`, not discussed here) or a GUI (`wpa_gui`).
If your user is a member of the `netdev` group you can just start it up.
Note that it resides by default in `/usr/sbin`.
`wpa_gui` is a graphical frontend where you can add, remove, diagnose and change wireless networks with _almost_ as much functionality as `wpa_cli`.

## Eduroam
Eduroam provides a nice configuration assistant tool nowadays that will generate a `wpa_supplicant.conf` entry for you.
Previously you could hash your password using md4 but I haven't tested whether this still works.

### update: cat broken
The tool worked before™ but not anymore on my Debian testing version.
Therefore I've pasted my config here for later reference.
You get the `ca_cert` from the assistant tool.
I might upload that here as well.

```
network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    auth_alg=OPEN
    eap=PEAP
    identity="YOURUSERNAME@ru.nl"
    anonymous_identity="anonymous@ru.nl"
    password="YOURPASSWORD"
    # ca_cert="/home/frobnicator/.cat_installer/ca.pem"
    domain_suffix_match="authenticatie.ru.nl"
    phase2="auth=MSCHAPV2"
}
```

### openssl update (not needed anymore)
The new version of OpenSSL disables everything lower than TLSv1.2.
If you see errors in `/var/log/syslog` about `TLS`, you have to allow lower TLS versions by changing the last two lines in `/etc/ssl/openssl.cnf` to:

```
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
```

## Interaction with wired interfaces
When your laptop has an ethernet jack as well, you might be tempted to put this in your `/etc/network/interfaces` too:

```
auto enp0s31f6
iface enp0s31f6 inet dhcp
```

However, this results in your machine eagerly waiting for a connection at boot, because a _connected_ ethernet jack means a connected card, and the card is always connected in a laptop.
`ifupdown-extra` contains scripts to fix this.
Just link `/etc/network/if-up.d/00check-network-cable` to `/etc/network/if-pre-up.d/00check-network-cable` and you are good to go.
If your system has _predictable_ network names you might need to apply [this patch](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970359) first.

## Eduroam (2022-10-18)
Publicroam offers eduroam-like wifi but does not provide very good Linux installation instructions.
After some trial and error, this worked for me:

```
network={
    ssid="publicroam"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="USERNAME"
    password="PASSWORD"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
```
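
Both EAP blocks on this page run without a CA (`ca_cert` is commented out for eduroam and absent for publicroam), and `wpa_supplicant` does not verify the server certificate when neither `ca_cert` nor `ca_path` is set. The check below is an added example, not part of the original post: it parses the `network` blocks of a `wpa_supplicant.conf` and reports missing server validation. The names `parse_networks` and `lint` and the sample text are made up for this example.

```python
# Constructed sample: trimmed copies of the two EAP network blocks on this page.
SAMPLE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    anonymous_identity="anonymous@ru.nl"
    # ca_cert="/home/frobnicator/.cat_installer/ca.pem"
    domain_suffix_match="authenticatie.ru.nl"
}
network={
    ssid="publicroam"
    key_mgmt=WPA-EAP
}
"""

def parse_networks(text):
    """Return one dict per network={...} block, skipping commented-out lines."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return networks

NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def lint(text):
    """Return (ssid, finding) pairs for EAP networks with weak server validation."""
    findings = []
    for net in parse_networks(text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # PSK and open networks have no server certificate to check
        ssid = net.get("ssid", "?")
        if not ({"ca_cert", "ca_path"} & net.keys()):
            findings.append((ssid, "no CA configured: server certificate is not verified"))
        if not any(key in net for key in NAME_KEYS):
            findings.append((ssid, "no server name constraint"))
        if "anonymous_identity" not in net:
            findings.append((ssid, "real identity used as the outer identity"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

Run it against the real file with `lint(open("/etc/wpa_supplicant/wpa_supplicant.conf").read())`; the file holds passwords, so reading it normally needs root.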