networkmanager

Differences

This shows you the differences between two versions of the page.

networkmanager [2019/02/23 12:41]
Andrew Zaborowski Version update for 1.14.6 / 1.16 but drop some old information too
networkmanager [2022/09/23 15:21]
Andrew Zaborowski [Converting network profiles] Minor update
Line 1: Line 1:
-==== Using IWD with Network Manager ====+===== Using IWD with Network Manager ​=====
  
 [[https://​wiki.gnome.org/​Projects/​NetworkManager|Network Manager]] version 1.12 integrated a basic IWD-based wifi backend as an alternative to wpa_supplicant. ​ To use Network Manager (NM) with the IWD backend one NM configuration change is necessary. ​ Additionally the versions of the two software packages need to be compatible, this is because IWD's API and capabilities are evolving and the NM backend is adapting to those changes. ​ IWD and the NM backend are work in progress and the capabilities are still limited. [[https://​wiki.gnome.org/​Projects/​NetworkManager|Network Manager]] version 1.12 integrated a basic IWD-based wifi backend as an alternative to wpa_supplicant. ​ To use Network Manager (NM) with the IWD backend one NM configuration change is necessary. ​ Additionally the versions of the two software packages need to be compatible, this is because IWD's API and capabilities are evolving and the NM backend is adapting to those changes. ​ IWD and the NM backend are work in progress and the capabilities are still limited.
  
 ^ IWD version ​   ^ Compatible NM versions ​   ^ Capabilities ​                                                                                                    ^ ^ IWD version ​   ^ Compatible NM versions ​   ^ Capabilities ​                                                                                                    ^
-| 0.3 to 0.4     | 1.12.* ​            ​| Open and WPA/WPA2 Personal wifi networks, WPA2 Enterprise (see below), No AP mode, no hidden or Ad-hoc networks | +| 0.3 to 0.4     | 1.12.* ​        ​| OpenWPA/WPA2 Personal wifi networks, WPA2 Enterprise (see below), No AP mode, no hidden or Ad-hoc networks | 
-| 0.5 to 0.7     | 1.14.0 ​            ​| Open and WPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks | +| 0.5 to 0.7     | 1.14.0 ​        ​| OpenWPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks | 
-| 0.8 and later  ​| 1.14.{0,​2,​4} ​      | Open and WPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks | +| 0.8 to 0.23    ​| 1.14.*         | OpenWPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks | 
-| 0.8 and later  | 1.14.6, 1.16, 1.17 | Open and WPA/WPA2 Personal and Enterprise networks, AP/Ad-hoc modes, no hidden ​networks |+| 0.8 to 0.23    | 1.16.0 to 1.28-rc1 | Open, WPA/WPA2 Personal and Enterprise networks, Infrastructure/​AP/​Ad-hoc modes, no hidden networks or P2P | 
 +| 1.0 and later  | 1.20.6 and later | OpenWPA/​WPA2/​WPA3 Personal and Enterprise networks, Infrastructure/​AP/​Ad-hoc modes, no hidden networks or P2P | 
 +1.0 and later  | 1.24.0 and later | Open, WPA/​WPA2/​WPA3 Personal ​and Enterprise networks, Infrastructure/​AP/​Ad-hoc modes, infrastructure-mode Hidden networks, no P2P | 
 +| 1.0 and later  | 1.30.0 and later | Open, WPA/WPA2/WPA3 Personal and Enterprise networks, ​Infrastructure/​AP/Ad-hoc modes, infrastructure-mode Hidden networks, no P2P, IWD-side autoconnect | 
 +| 1.0 and later  | 1.32.0 and later | Open, WPA/​WPA2/​WPA3 Personal and Enterprise ​networks, Infrastructure/​AP/​Ad-hoc modes, infrastructure-mode Hidden networks, no P2P, IWD-side autoconnect,​ network config editing from NM |
  
-=== Building NM ===+==== Building NM ====
  
 If you can use an NM build provided by the Linux distribution that will simplify things a lot.  So far Arch linux is known to ship compatible [[https://​wiki.archlinux.org/​index.php/​Iwd|iwd]] and [[https://​wiki.archlinux.org/​index.php/​NetworkManager#​Using_iwd_as_the_Wi-Fi_backend|NM]] packages so there'​s no need to manually build the sources. If you can use an NM build provided by the Linux distribution that will simplify things a lot.  So far Arch linux is known to ship compatible [[https://​wiki.archlinux.org/​index.php/​Iwd|iwd]] and [[https://​wiki.archlinux.org/​index.php/​NetworkManager#​Using_iwd_as_the_Wi-Fi_backend|NM]] packages so there'​s no need to manually build the sources.
  
-Even though a distribution may ship an NM-1.12 or 1.14 package, the IWD backend may not have been enabled. ​ This is done with with ''​--with-iwd''​ switch to ''​./​configure''​ during the build process (or ''​./​autogen''​). ​ Pass other ''​./​configure''​ options as required and follow with standard compilation and installation instructions. ​ See the ''​./​configure --help''​ output for the possible options, some will be required and some can not be used depending on what other packages are installed on your system and their settings -- this page will not cover other options.+Even though a distribution may ship an NM-1.12 or later package, the IWD backend may not have been enabled. ​ This is done with with ''​--with-iwd''​ switch to ''​./​configure''​ during the build process (or ''​./​autogen''​). ​ Pass other ''​./​configure''​ options as required and follow with standard compilation and installation instructions. ​ See the ''​./​configure --help''​ output for the possible options, some will be required and some can not be used depending on what other packages are installed on your system and their settings -- this page will not cover other options.
  
-<​code>​ +<​code ​bash
-$ wget https://​github.com/​NetworkManager/​NetworkManager/​archive/​1.14.0.tar.gz +$ wget https://​github.com/​NetworkManager/​NetworkManager/​archive/​1.30.2.tar.gz 
-$ tar -xvzf 1.14.0.tar.gz +$ tar -xvzf 1.30.2.tar.gz 
-$ cd NetworkManager-1.14.0 +$ cd NetworkManager-1.30.2 
-$ ./​autogen.sh --with-crypto=gnutls --disable-ppp --without-tests --disable-ovs --without-wext ​--without-libnm-glib ​--disable-maintainer-mode --disable-qt --disable-gtk-doc --disable-introspection --with-iwd+$ ./​autogen.sh --with-crypto=gnutls --disable-ppp --without-tests --disable-ovs --without-wext --disable-maintainer-mode --disable-qt --disable-gtk-doc --disable-introspection --with-iwd
 $ make -j 3 $ make -j 3
 # make install # make install
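Review bot: The updated build block, from the `wget` of `1.30.2.tar.gz` through `# make install`, unpacks and installs as root an archive whose integrity is never checked. Add a step between `wget` and `tar` that compares the download against a checksum or signature for that release, if the project publishes one, and keep the distribution package as the first recommendation, as the paragraph above the block already does. Two smaller things carried in the same hunk: the doubled "with with" in "This is done with with ''--with-iwd''" survives the edit, and the new row "1.0 and later | 1.24.0 and later" is shown without the leading `|` that the other table rows have.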
Line 26: Line 30:
 Note that on some distributions,​ including Ubuntu, an NM installation in ''/​usr/​local''​ may be disallowed to launch the DHCP client subprocess by the Linux audit mechanism and a permission needs to be added through ''​app_armor''​. ​ Before that is done, making connections,​ of any type, from Network Manager, will fail after about a 1 minute timeout (dmesg will show a line similar to this: ''​[98438.542859] audit: type=1400 audit(1532953834.917:​242):​ apparmor="​DENIED"​ operation="​open"​ profile="/​sbin/​dhclient"​ name="/​usr/​local/​var/​lib/​NetworkManager/​dhclient-wlp2s0.conf"​ pid=31241 comm="​dhclient"​ requested_mask="​r"​ denied_mask="​r"​ fsuid=0 ouid=0''​). ​ You can either add necessary rules to ''/​etc/​apparmor.d/​local/​sbin.dhclient''​ (see ''/​etc/​apparmor.d/​sbin.dhclient''​) or temporarily unload the dhclient-related rules with: Note that on some distributions,​ including Ubuntu, an NM installation in ''/​usr/​local''​ may be disallowed to launch the DHCP client subprocess by the Linux audit mechanism and a permission needs to be added through ''​app_armor''​. ​ Before that is done, making connections,​ of any type, from Network Manager, will fail after about a 1 minute timeout (dmesg will show a line similar to this: ''​[98438.542859] audit: type=1400 audit(1532953834.917:​242):​ apparmor="​DENIED"​ operation="​open"​ profile="/​sbin/​dhclient"​ name="/​usr/​local/​var/​lib/​NetworkManager/​dhclient-wlp2s0.conf"​ pid=31241 comm="​dhclient"​ requested_mask="​r"​ denied_mask="​r"​ fsuid=0 ouid=0''​). ​ You can either add necessary rules to ''/​etc/​apparmor.d/​local/​sbin.dhclient''​ (see ''/​etc/​apparmor.d/​sbin.dhclient''​) or temporarily unload the dhclient-related rules with:
  
-<​code>#​ apparmor_parser -R /​etc/​apparmor.d/​sbin.dhclient</​code>​ +<​code ​bash># apparmor_parser -R /​etc/​apparmor.d/​sbin.dhclient</​code>​ 
-<​code>#​ /​etc/​init.d/​apparmor stop</​code>​+<​code ​bash># /​etc/​init.d/​apparmor stop</​code>​
  
-=== NM configuration ===+==== NM configuration ​====
 To switch NM from the wpa_supplicant backend to the IWD backend the following lines need to be added in ''​nm.conf''​. ​ This file is normally located at ''/​etc/​NetworkManager/​conf.d/​nm.conf''​ but if you've built NM from source it may be in your ''/​usr/​local/​etc/​NetworkManager/​conf.d/''​ instead. To switch NM from the wpa_supplicant backend to the IWD backend the following lines need to be added in ''​nm.conf''​. ​ This file is normally located at ''/​etc/​NetworkManager/​conf.d/​nm.conf''​ but if you've built NM from source it may be in your ''/​usr/​local/​etc/​NetworkManager/​conf.d/''​ instead.
  
-<​code>​+<​code ​ini>
 [device] [device]
 wifi.backend=iwd wifi.backend=iwd
 </​code>​ </​code>​
  
-The example above switches all NM-managed WiFi devices to use the IWD backend. ​ NM configuration syntax allows for other possibilties,​ see NM documentation in ''​**NetworkManager.conf**(5)''​.+The example above switches all NM-managed WiFi devices to use the IWD backend. ​ NM configuration syntax allows for other possibilties, ​for details ​see [[https://​developer.gnome.org/​NetworkManager/​1.31/​NetworkManager.conf.html#​id-1.2.3.12|the relevant section]] of ''​**NetworkManager.conf**(5)''​.
  
 After this Network Manager needs to be restarted. ​ The wpa_supplicant daemon will often still be running in the background and needs to be explicitly stopped with ''​killall wpa_supplicant''​. ​ IWD is currently not automatically started by NM, see [[gettingstarted|Getting Started]] about starting IWD -- this can be done either before or after starting NM.  wpa_supplicant and IWD should not generally be active at the same time, neither will be able to manage WiFi connections correctly during the time both are active. After this Network Manager needs to be restarted. ​ The wpa_supplicant daemon will often still be running in the background and needs to be explicitly stopped with ''​killall wpa_supplicant''​. ​ IWD is currently not automatically started by NM, see [[gettingstarted|Getting Started]] about starting IWD -- this can be done either before or after starting NM.  wpa_supplicant and IWD should not generally be active at the same time, neither will be able to manage WiFi connections correctly during the time both are active.
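Review bot: The two re-tagged `<code bash>` lines, `apparmor_parser -R /etc/apparmor.d/sbin.dhclient` and `/etc/init.d/apparmor stop`, both sit under "temporarily unload the dhclient-related rules", but the second acts on the AppArmor service as a whole rather than on the dhclient profile, and neither line says how to restore the confinement afterwards. Since these lines are being edited anyway, present them as alternatives, say which one is the narrower, add the step that reloads the profile, and make the `/etc/apparmor.d/local/sbin.dhclient` rule the recommended fix. The new link in the last changed line pins the documentation to `1.31` and to a generated anchor (`id-1.2.3.12`), which is likely to go stale; linking the man page by name would age better, and "possibilties" on the same line is still misspelled.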
Line 43: Line 47:
 Once this is done you should be able to see a list of available networks from your Network Manager client interface (nm-applet, Gnome Shell or one of the command line NM clients) and be able to connect to Open and WPA/​WPA2-Personal networks (Pre-Shared Key networks) as normal. Once this is done you should be able to see a list of available networks from your Network Manager client interface (nm-applet, Gnome Shell or one of the command line NM clients) and be able to connect to Open and WPA/​WPA2-Personal networks (Pre-Shared Key networks) as normal.
  
-==== Limitations ====+ 
 +The following settings fine-tune NM's IWD backend. 
 + 
 +---- 
 + 
 +//(Since 1.30)// Selects between IWD-driven (when ''​yes'',​ default) or NM-driven (when ''​no''​) autoconnect logic: 
 +<code ini> 
 +[device] 
 +wifi.iwd.autoconnect=yes 
 +</​code>​ 
 + 
 +For details see [[https://​developer.gnome.org/​NetworkManager/​1.31/​NetworkManager.conf.html#​id-1.2.3.12|the relevant section]] of ''​**NetworkManager.conf**(5)''​. 
 + 
 +---- 
 + 
 +//(Since 1.32)// Tells NM to re-write IWD network configurations whenever an NM network profile is changed thus enabling editing settings such as EAP authentication from //​nm-connection-editor//​ GUI.  With IWD versions 1.15 and later this is mechanism on by default (set to ''​no''​ or an empty string to disable). ​ With IWD versions 1.14 you must specify a valid path (''​iwd-config-path=/​var/​lib/​iwd''​) to enable. 
 + 
 +<code ini> 
 +[main] 
 +iwd-config-path=auto 
 +</​code>​ 
 + 
 +For details see [[https://​developer.gnome.org/​NetworkManager/​1.31/​NetworkManager.conf.html#​id-1.2.3.7|the relevant section]] of ''​**NetworkManager.conf**(5)''​. 
 + 
 +//​Warning://​ when enabled NM profiles are the authoritative ones and IWD's ''/​var/​lib/​iwd''​ files can get overwritten any time. 
 + 
 +//​Warning://​ setting connection properties not supported by IWD will make the conversion fail.  For example the nm-connection-editor'​s //All users may connect to this network// option must be checked (in gnome-control-center/​gnome-shell it is named //Make available to other users//), connections can not be user-owned with IWD. 
 + 
 +//​Warning://​ 802.1X (EAP) network configurations often reference certificate and user private key files (usually ''​.pem''​). ​ NM may be allowed to access the whole filesystem but IWD's [[https://​git.kernel.org/​pub/​scm/​network/​wireless/​iwd.git/​tree/​src/​iwd.service.in|default systemd unit file]] sets ''​ProtectHome=yes''​ which would cause connections to fail when trying to access certificate files in user home directories. ​ If you intend to use ''​iwd-config-path''​ (**note distro maintainers**) make sure that NM and IWD have the same level of filesystem access, in their systemd unit files or otherwise. 
 + 
 +==== Converting network profiles ==== 
 + 
 +If you've been using the NM + wpa_supplicant combo and switched to IWD it's possible to bulk-convert your existing network profiles to [[networkconfigurationsettings|the IWD format]], so that you can keep using them with the IWD backend. ​ Especially useful for EAP (802.1X) networks. ​ You will need to have the ''​iwd-config-path''​ mechanism enabled, now on by default (see previous section). ​ Optimally these steps would be done automatically by distribution scripts such as Debian'​s ''​update-alternatives''​ but they require a few changes to the profile settings (it might be preferrable to notify the user this is happening). ​ This is how to do it: 
 + 
 +  - Remove any ''​[connection].interface-name=''​ and ''​[connection].permissions=''​ settings from the profiles. ​ In some NM versions some of those keys were set by default on new profiles. ​ IWD profiles are global so any user can activate them on any interface, so NM's IWD backend will refuse to use profiles that have any permissions set on them. 
 +  - Delete, then restore all NM profiles. ​ The IWD backend will notice new NM profiles being added and will automatically create IWD network configuration files for each one.  From that point on, the ''​iwd-config-path''​ mechanism will automatically keep the IWD configuration files in sync with NM connection profiles when you add, modify or delete them. 
 + 
 +This can look something like this: 
 + 
 +<code bash> 
 +cd /​etc/​NetworkManager/​system-connections 
 +mkdir ../​system-connections-iwd 
 +for f in *; do grep -v '​^\(mac-address\|interface-name\|permissions\|bssid\)='​ "​$f"​ > ../​system-connections-iwd/"​$f";​ done 
 +chmod 0600 ../​system-connections-iwd/​* 
 +cd /​etc/​NetworkManager 
 +mv system-connections system-connections-backup 
 +dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /​org/​freedesktop/​NetworkManager/​Settings org.freedesktop.NetworkManager.Settings.ReloadConnections 
 +sleep 1 
 +mv system-connections-iwd system-connections 
 +dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /​org/​freedesktop/​NetworkManager/​Settings org.freedesktop.NetworkManager.Settings.ReloadConnections 
 +</​code>​ 
 + 
 +Check if you can now see all your usual network names in ''/​var/​lib/​iwd''​ to confirm if it worked. 
 +(Note this method will flush NM "​agent-owned secrets"​ -- a rarely-used NM feature) 
 + 
 +===== Limitations ​=====
  
 === EAP-PWD, EAP-GTC, EAP-MsCHAPv2 Identity === === EAP-PWD, EAP-GTC, EAP-MsCHAPv2 Identity ===
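Review bot: In the added conversion script, the loop `for f in *; do grep -v ... > ../system-connections-iwd/"$f"; done` writes the filtered profiles with the shell's default umask and only afterwards runs `chmod 0600 ../system-connections-iwd/*`, so files that can hold pre-shared keys and EAP passwords may be readable by other local users until the `chmod` runs; `mkdir ../system-connections-iwd` has the same problem. Set `umask 077` at the top of the script, or create the directory with mode 0700 before the loop, so the copies are never more permissive than the originals. The script also leaves `system-connections-backup` behind with the same secrets and the text does not say when to remove it. In the third warning, "make sure that NM and IWD have the same level of filesystem access" can be read as advice to drop `ProtectHome=yes`; it would be safer to recommend keeping certificate and key files in a root-owned directory outside user homes. Wording: "this is mechanism on by default" and "preferrable" need fixing, and the block that starts "The following settings fine-tune NM's IWD backend" has no heading now that the old Limitations heading was moved.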
Line 61: Line 120:
 The NM-side profile for the 802.1X network should match the settings stored in the IWD provisioning file for given network, as closely as possible, but using the standard NM settings sytntax (''​**nm-settings**(5)'',​ ''​**nm-settings-keyfile**(5)''​) -- this will allow the NM clients to ask users for the right secrets during a connection attempt, if any secrets are required. ​ If no connection-time secrets are needed, e.g. because they'​re provided in the provisioning file already, then the NM profile can have any settings in it -- the profile will not be used by IWD, it only tells NM that given network is known and connectable. The NM-side profile for the 802.1X network should match the settings stored in the IWD provisioning file for given network, as closely as possible, but using the standard NM settings sytntax (''​**nm-settings**(5)'',​ ''​**nm-settings-keyfile**(5)''​) -- this will allow the NM clients to ask users for the right secrets during a connection attempt, if any secrets are required. ​ If no connection-time secrets are needed, e.g. because they'​re provided in the provisioning file already, then the NM profile can have any settings in it -- the profile will not be used by IWD, it only tells NM that given network is known and connectable.
  
 +===== Distribution info =====
 +
 +Debian: https://​wiki.debian.org/​NetworkManager/​iwd
 +
 +Arch: https://​wiki.archlinux.org/​index.php/​NetworkManager#​Using_iwd_as_the_Wi-Fi_backend
 +
 +Gentoo: https://​wiki.gentoo.org/​wiki/​Iwd#​NetworkManager
 +
 +NixOS: https://​nixos.wiki/​wiki/​Iwd#​iwd_as_backend_for_NetworkManager
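Review bot: The new "Distribution info" entries are bare URLs, while the rest of the page uses the `[[url|label]]` link form, and the Arch link repeats the one already given under "Building NM". Use labelled links here for consistency and consider pointing the earlier Arch mention at this section instead of duplicating the URL. The unchanged line just above the new section still reads "sytntax"; worth correcting in the same revision.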
networkmanager.txt · Last modified: 2022/09/23 15:21 by Andrew Zaborowski