Wifi without network manager

Languages: en nl nds (home)

2020-09-16

Table of contents

With this setup, wpa_supplicant automatically changes network when needed. Moreover, the network can be changed in userspace and new networks can be added. All withouth the bloat of NetworkManager and ModemManager.

Requirements

wpa_supplicant

/etc/network/interfaces needs for direct use with a wpa_supplicant daemon. This is done by setting the wireless network as follows.

allow-hotplug wlp2s0
iface wlp2s0 inet manual
	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

This basically means that a wpa_supplicant will be watching the networks specified in the config and switch when in range. Note that the iface is set to manual and not dhcp. This means that below those lines you can configure your networks from the config manually. So say that you have a network in the wpa_supplicant.conf with id_str="work" that needs to be configured with dhcp, you add the following lines:

iface work inet dhcp

Setting id_strs for all networks is tedious so to create a default setting you can use the default network name to for example set all wifi networks to dhcp.

iface default inet dhcp

wpa_supplicant.conf

The config file for wpa_supplicant should at least contain the following lines. The interface line defines the control socket and states that all users in the netdev group may control wpa_supplicant. The update_config line states that the config file may be updated, thus having persistent changes. Users you allow changing the config therefore have to be added to netdev.

	<pre> interface=DIR=/run/wpa_supplicant GROUP=netdev update_config=1
	</pre>

	<p>
	Followed are all the network configurations.
	For these configuration consult the manpage for `wpa_supplicant`.
	E.g. for `WPA2` networks you can use the `wpa_passphrase` tool.
	For eduroam, don't handcraft configs either, use the [configuration assistant](https://cat.eduroam.org/).
	This tool will generate a `wpa_supplicant.conf` if it fails to talk to networkmanager.
	</p>

wpa_gui

Editing the config file is tedious and error prone. Moreover, it requires a restart of wpa_supplicant to reinistate the config. Luckily there are two tools that allow you to do this in-place using either the command line (wpa_cli is not discussed here) and via a GUI(wpa_gui). If your user is a member of the netdev group you can just start it up. Note that it resides by default in /usr/sbin. wpa_gui is a graphical frontend where you can add, remove, diagnose and change wireless networks with almost as much functionality as wpa_cli.

Eduroam

Eduroam gives a nice configuration assistant tools nowadays that will generate a wpa_supplicant.conf entry for you. Previously you could hash your password using md4 but I haven’t tested whether this still works.

update: cat broken

The tool worked before™ but not anymore on my debian testing version. Therefore I’ve pasted my config here for later reference. You get the ca_cert from the assistant tool. I might upload that here as well.

network={
	ssid="eduroam"
	proto=RSN
	key_mgmt=WPA-EAP
	pairwise=CCMP
	auth_alg=OPEN
	eap=PEAP
	identity="YOURUSERNAME@ru.nl"
	anonymous_identity="anonymous@ru.nl"
	password="YOURPASSWORD"
#	ca_cert="/home/frobnicator/.cat_installer/ca.pem"
	domain_suffix_match="authenticatie.ru.nl"
	phase2="auth=MSCHAPV2"
}

openssl update (not needed anymore)

The new version of openssl disables everything lower than TLSv1.2. If you see errors in /var/log/syslog about TLS you have to allow lower version TLS versions by changing the last two lines in /etc/ssl/openssl.cnf to:

MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1

Interaction with wired interfaces

When you have an ethernet jack as well in your laptop you might be tempted to put this in your /etc/network/interfaces as well

auto enp0s31f6
iface enp0s31f6 inet dhcp

However, this results in your machine eagerly waiting for a connection at boot because a connected ethernet jack means a connected card, and the card is always connected in a laptop. ifupdown-extra contains scripts to fix this. Just link /etc/network/if-up.d/00check-network-cable to /etc/network/if-pre-up.d/00check-network-cable and be good to go. If your system has predictable network names you might need to apply this patch first.

Eduroam (2022-10-18)

Publicroam offers eduroam-like wifi but does not provide very good linux installation instructions. After some trial and error, this worked for me:

network={
	ssid="publicroam"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="USERNAME"
	password="PASSWORD"
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
}