---
title: Wifi without network manager
date: 2020-09-16
---
With this setup, `wpa_supplicant` automatically switches networks when needed.
Moreover, the network can be changed from userspace and new networks can be added.
All without the bloat of `NetworkManager` and `ModemManager`.

## Table of contents

- [Requirements](#requirements)
- [`wpa_supplicant`](#wpa_supplicant)
- [`wpa_supplicant.conf`](#wpa_supplicantconf)
- [`wpa_gui`](#wpa_gui)
- [Eduroam](#eduroam)
- [update: cat broken](#update)
- [openssl update](#openssl)
- [interaction](#interaction)

## Requirements

- `wpa_supplicant`
- `wpa_gui`


## `wpa_supplicant`
`/etc/network/interfaces` needs to be set up for direct use with a `wpa_supplicant` daemon.
This is done by configuring the wireless interface as follows.

```
allow-hotplug wlp2s0
iface wlp2s0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
```

This means that a `wpa_supplicant` daemon watches for the networks specified in the config and switches to them when they are in range.
Note that the `iface` is set to `manual` and not `dhcp`.
This means that below those lines you can configure each network from the config manually.
Say you have a network in `wpa_supplicant.conf` with `id_str="work"` that needs to be configured with DHCP; you then add the following line:

```
iface work inet dhcp
```

Setting an `id_str` for every network is tedious, so to create a default setting you can use the `default` network name, for example to set all wifi networks to DHCP.

```
iface default inet dhcp
```

## `wpa_supplicant.conf`
The config file for `wpa_supplicant` should at least contain the following lines.
The `ctrl_interface` line defines the control socket and states that all users in the `netdev` group may control `wpa_supplicant`.
The `update_config` line states that the config file may be updated, which makes changes persistent.
Users you allow to change the config therefore have to be added to `netdev`.

```
ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev
update_config=1
```

These lines are followed by all the network configurations.
For these configurations, consult the manpage for `wpa_supplicant`.
E.g. for `WPA2` networks you can use the `wpa_passphrase` tool.
For eduroam, don't handcraft configs either; use the [configuration assistant](https://cat.eduroam.org/).
This tool will generate a `wpa_supplicant.conf` if it fails to talk to NetworkManager.

## `wpa_gui`
Editing the config file is tedious and error-prone.
Moreover, it requires a restart of `wpa_supplicant` to reinstate the config.
Luckily there are two tools that allow you to do this in place, using either the command line (`wpa_cli`, which is not discussed here) or a GUI (`wpa_gui`).
If your user is a member of the `netdev` group you can just start it up.
Note that it resides by default in `/usr/sbin`.
`wpa_gui` is a graphical frontend where you can add, remove, diagnose and change wireless networks with _almost_ as much functionality as `wpa_cli`.

## Eduroam
Eduroam provides a nice configuration assistant tool nowadays that will generate a `wpa_supplicant.conf` entry for you.
Previously you could hash your password using MD4 but I haven't tested whether this still works.

### update: cat broken
The tool worked before™ but not anymore on my Debian testing version.
Therefore I've pasted my config here for later reference.
You get the `ca_cert` from the assistant tool.
I might upload that here as well.

```
network={
    ssid="eduroam"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    auth_alg=OPEN
    eap=PEAP
    identity="YOURUSERNAME@ru.nl"
    anonymous_identity="anonymous@ru.nl"
    password="YOURPASSWORD"
    # Uncomment and point this at the CA file from the assistant tool;
    # without ca_cert (or ca_path) the server certificate is not verified.
    # ca_cert="/home/frobnicator/.cat_installer/ca.pem"
    domain_suffix_match="authenticatie.ru.nl"
    phase2="auth=MSCHAPV2"
}
```
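
In the block above `ca_cert` is commented out, and `wpa_supplicant` does not verify the server certificate when neither `ca_cert` nor `ca_path` is set. The script below is an added example, not part of the original page; it lists WPA-EAP blocks with that gap or without a domain/subject match. The sample config, the `eduroam-pinned` network and its CA path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag WPA-EAP network blocks in a
# wpa_supplicant.conf that do not pin the identity of the RADIUS server.

audit_eap() {    # usage: audit_eap FILE; prints findings, exit status 1 if any
    awk '
        /^[ \t]*#/ { next }    # a commented-out ca_cert is not in effect
        /^[ \t]*network=[{]/ { inblk = 1; ssid = "?"; eap = ca = dom = 0; next }
        inblk && /^[ \t]*[}]/ {
            if (eap && !ca)  { print ssid ": no ca_cert/ca_path, server certificate is not verified"; bad = 1 }
            if (eap && !dom) { print ssid ": no domain/subject match, any certificate issued by the CA is accepted"; bad = 1 }
            inblk = 0; next
        }
        inblk {
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, "="); if (i == 0) next
            key = substr(line, 1, i - 1); val = substr(line, i + 1)
            if (key == "ssid") { gsub(/^"|"$/, "", val); ssid = val }
            if (key == "key_mgmt" && val ~ /WPA-EAP|IEEE8021X/) eap = 1
            if (key == "ca_cert" || key == "ca_path") ca = 1
            if (key ~ /^(domain_suffix_match|domain_match|altsubject_match|subject_match)$/) dom = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the block from this page (ca_cert still commented out),
# a PSK network (ignored) and an EAP block with a hypothetical CA path.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    # ca_cert="/home/frobnicator/.cat_installer/ca.pem"
    domain_suffix_match="authenticatie.ru.nl"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
network={
    ssid="eduroam-pinned"
    key_mgmt=WPA-EAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="authenticatie.ru.nl"
}
EOF
audit_eap "$SAMPLE" || echo "fix the blocks listed above"
```

Run it as `audit_eap /etc/wpa_supplicant/wpa_supplicant.conf` with a user that may read the file; the exit status makes it usable in a provisioning check.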

### openssl update (not needed anymore)
The new version of openssl disables everything lower than TLSv1.2.
If you see errors about `TLS` in `/var/log/syslog`, you have to allow lower TLS versions by changing the last two lines in `/etc/ssl/openssl.cnf` to the following.
This file holds the system-wide OpenSSL defaults, so the lowered minimum applies to every program that reads it, not only to `wpa_supplicant`.

```
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
```

## Interaction with wired interfaces
When your laptop has an ethernet jack as well, you might be tempted to put this in your `/etc/network/interfaces` too:

```
auto enp0s31f6
iface enp0s31f6 inet dhcp
```

However, this results in your machine eagerly waiting for a connection at boot because a _connected_ ethernet jack means a connected card, and the card is always connected in a laptop.
`ifupdown-extra` contains scripts to fix this.
Just link `/etc/network/if-up.d/00check-network-cable` to `/etc/network/if-pre-up.d/00check-network-cable` and you are good to go.
If your system has _predictable_ network interface names you might need to apply [this](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970359) patch first.