<html>
<head>
<title>Wifi without network manager</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
</head>
<body>
<h2>What is this</h2>
<p>
With this setup, <tt>wpa_supplicant</tt> automatically switches networks when needed.
Moreover, the network can be changed in userspace and new networks can be added.
All without the bloat of <tt>NetworkManager</tt> and <tt>ModemManager</tt>.
</p>

<h2>Requirements:</h2>
<ul>
<li><tt>wpa_supplicant</tt></li>
<li><tt>wpa_gui</tt></li>
</ul>

<h2><tt>wpa_supplicant</tt></h2>
<p>
<tt>/etc/network/interfaces</tt> needs to be set up for direct use with a <tt>wpa_supplicant</tt> daemon.
This is done by configuring the wireless interface as follows.
</p>

<pre>
allow-hotplug wlp2s0
iface wlp2s0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
</pre>

<p>
This basically means that <tt>wpa_supplicant</tt> watches for the networks specified in the config and switches when one comes in range.
Note that the <tt>iface</tt> is set to <tt>manual</tt> and not <tt>dhcp</tt>.
This means that below those lines you can configure the networks from the config manually.
So, say you have a network in <tt>wpa_supplicant.conf</tt> with <tt>id_str="work"</tt> that needs to be configured with DHCP; you then add the following line:
</p>

<pre>
iface work inet dhcp
</pre>

<p>
Setting an <tt>id_str</tt> for every network is tedious, so to create a default setting you can use the <tt>default</tt> network name, for example to set all Wi-Fi networks to DHCP.
</p>

<pre>
iface default inet dhcp
</pre>

<h2><tt>wpa_supplicant.conf</tt></h2>
<p>
The config file for <tt>wpa_supplicant</tt> should contain at least the following lines.
The <tt>ctrl_interface</tt> line defines the control socket and states that all users in the <tt>netdev</tt> group may control <tt>wpa_supplicant</tt>.
The <tt>update_config</tt> line states that the config file may be updated, which makes changes persistent.
Users you allow to change the config therefore have to be added to <tt>netdev</tt>.
</p>

<pre>
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
</pre>

<p>
These lines are followed by the network configurations.
For these configurations, consult the manpage for <tt>wpa_supplicant</tt>.
E.g. for <tt>WPA2</tt> networks you can use the <tt>wpa_passphrase</tt> tool.
For eduroam, don't handcraft configs either; use the configuration assistant available <a href="https://cat.eduroam.org/">here</a>.
This tool will generate a <tt>wpa_supplicant.conf</tt> if it fails to talk to NetworkManager.
</p>

<h2><tt>wpa_gui</tt></h2>
<p>
Editing the config file is tedious and error prone.
Moreover, it requires a restart of <tt>wpa_supplicant</tt> to reload the config.
Luckily there are two tools that allow you to do this in place, either from the command line (<tt>wpa_cli</tt>, not discussed here) or via a GUI (<tt>wpa_gui</tt>).
If your user is a member of the <tt>netdev</tt> group you can just start it up.
Note that it resides by default in <tt>/usr/sbin</tt>.
<tt>wpa_gui</tt> is a graphical frontend where you can add, remove, diagnose and change wireless networks with <em>almost</em> as much functionality as <tt>wpa_cli</tt>.
</p>

<h2><tt>eduroam</tt></h2>
<p>
Eduroam provides a nice configuration assistant tool nowadays that will generate a <tt>wpa_supplicant.conf</tt> entry for you.
Previously you could hash your password using MD4, but I haven't tested whether this still works.
</p>

<h3>update: cat broken</h3>
<p>
The tool worked before&trade; but not anymore on my Debian testing version.
Therefore I've pasted my config here for later reference.
You get the <tt>ca_cert</tt> from the assistant tool.
I might upload that here as well.
</p>
<pre>
network={
	ssid="eduroam"
	proto=RSN
	key_mgmt=WPA-EAP
	pairwise=CCMP
	auth_alg=OPEN
	eap=PEAP
	identity="YOURUSERNAME@ru.nl"
	anonymous_identity="anonymous@ru.nl"
	password="YOURPASSWORD"
	# Uncomment once the CA file from the assistant tool is in place;
	# without ca_cert, wpa_supplicant does not verify the server certificate.
	# ca_cert="/home/frobnicator/.cat_installer/ca.pem"
	domain_suffix_match="authenticatie.ru.nl"
	phase2="auth=MSCHAPV2"
}
</pre>

<h2><tt>openssl update</tt></h2>
<p>
The new version of openssl disables everything lower than TLSv1.2.
If you see errors in <tt>/var/log/syslog</tt> about <tt>TLS</tt> you have to allow lower TLS versions by changing the last two lines in <tt>/etc/ssl/openssl.cnf</tt> to the following.
Note that this file holds the system-wide defaults, so the lower minimum applies to every program that uses the default OpenSSL configuration, not only to <tt>wpa_supplicant</tt>.
</p>
<pre>
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
</pre>
</body>
</html>