[martlubbers.net.git] / nonm.html

<html>
        <head>
                <title>Wifi without network manager</title>
                <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
                <meta name="viewport" content="width=device-width, initial-scale=1" />
        </head>
        <body>
                <h2>What is this</h2>
                <p>
                With this setup, <tt>wpa_supplicant</tt> automatically changes network when needed.
                Moreover, the network can be changed in userspace and new networks can be added.
                All withouth the bloat of <tt>NetworkManager</tt> and <tt>ModemManager</tt>.
                </p>

                <h2>Requirements:</h2>
                <ul>
                        <li><tt>wpa_supplicant</tt></li>
                        <li><tt>wpa_gui</tt></li>
                </ul>

                <h2><tt>wpa_supplicant</tt></h2>
                <p>
                <tt>/etc/network/interfaces</tt> needs for direct use with a <tt>wpa_supplicant</tt> daemon.
                This is done by setting the wireless network as follows.
                </p>

                <pre>
allow-hotplug wlp2s0
iface wlp2s0 inet manual
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
                </pre>

                <p>
                This basically means that a <tt>wpa_supplicant</tt> will be watching the networks specified in the config and switch when in range.
                Note that the <tt>iface</tt> is set to <tt>manual</tt> and not <tt>dhcp</tt>.
                This means that below those lines you can configure your networks from the config manually.
                So say that you have a network in the <tt>wpa_supplicant.conf</tt> with <tt>id_str="work"</tt>" that needs to be configured with dhcp, you add the following lines:
                </p>

                <pre>
iface work inet dhcp
                </pre>

                <p>
                Setting <tt>id_str</tt>s for all networks is tedious so to create a default setting you can use the <tt>default</tt> network name to for example set all wifi networks to dhcp.
                </p>

                <pre>
iface default inet dhcp
                </pre>

                <h2><tt>wpa_supplicant.conf</tt></h2>
                <p>
                The config file for <tt>wpa_supplicant</tt> should at least contain the following lines.
                The <tt>interface</tt> line defines the control socket and states that all users in the <tt>netdev</tt> group may control <tt>wpa_supplicant</tt>.
                The <tt>update_config</tt> line states that the config file may be updated, thus having persistent changes.
                Users you allow changing the config therefore have to be added to <tt>netdev</tt>.
                </p>

                <pre>
interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
                </pre>

                <p>
                Followed are all the network configurations.
                For these configuration consult the manpage for <tt>wpa_supplicant</tt>.
                E.g. for <tt>WPA2</tt> networks you can use the <tt>wpa_passphrase</tt> tool.
                For eduroam, don't handcraft configs either, use the configuration assistant available <a href="https://cat.eduroam.org/">here</a>.
                This tool will generate a <tt>wpa_supplicant.conf</tt> if it fails to talk to networkmanager.
                </p>

                <h2><tt>wpa_gui</tt></h2>
                <p>
                Editing the config file is tedious and error prone.
                Moreover, it requires a restart of <tt>wpa_supplicant</tt> to reinistate the config.
                Luckily there are two tools that allow you to do this in-place using either the command line (<tt>wpa_cli</tt> is not discussed here) and via a GUI(<tt>wpa_gui</tt>).
                If your user is a member of the <tt>netdev</tt> group you can just start it up.
                Note that it resides by default in <tt>/usr/sbin</tt>.
                <tt>wpa_gui</tt> is a graphical frontend where you can add, remove, diagnose and change wireless networks with <em>almost</em> as much functionality as <tt>wpa_cli</tt>.
                </p>

                <h2><tt>eduroam</tt></h2>
                <p>
                Eduroam gives a nice configuration assistant tools nowadays that will generate a <tt>wpa_supplicant.conf</tt> entry for you.
                Previously you could hash your password using md4 but I haven't tested whether this still works.
                </p>

                <h3>update: cat broken</h3>
                The tool worked before&trade; but not anymore on my debian testing version.
                Therefore I've pasted my config here for later reference.
                You get the <tt>ca_cert</tt> from the assistant tool.
                I might upload that here as well.
                <pre>
network={
        ssid="eduroam"
        proto=RSN
        key_mgmt=WPA-EAP
        pairwise=CCMP
        auth_alg=OPEN
        eap=PEAP
        identity="YOURUSERNAME@ru.nl"
        anonymous_identity="anonymous@ru.nl"
        password="YOURPASSWORD"
#       ca_cert="/home/frobnicator/.cat_installer/ca.pem"
        domain_suffix_match="authenticatie.ru.nl"
        phase2="auth=MSCHAPV2"
}
                </pre>
                </p>

                <h2><tt>openssl update</tt></h2>
                <p>
                The new version of openssl disables everything lower than TLSv1.2.
                If you see errors in <tt>/var/log/syslog</tt> about <tt>TLS</tt> you have to allow lower version TLS versions by changing the last two lines in <tt>/etc/ssl/openssl.cnf</tt> to:
                <pre>
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
                </pre>
                </p>
        </body>
</html>