September 18

Linux: How to Connect and roam wifi networks with wpasupplicant

First things first:

Before we begin, let us stop network manager or wicd so as not to have interference:

sudo service network-manager stop
sudo service wicd stop
pkill nm-applet

Or, if you’re using systemd instead of init:

sudo systemctl stop network-manager.service
sudo systemctl stop wicd.service
pkill nm-applet

Manual configuration, no encryption, WEP, and WPA

If you want to try the manual config before you delve into the whole interfaces thing, here’s how. First we will bring our interface up:

sudo ip link set wlan0 up

Now we will proceed as though there’s no encryption, with iwconfig:

sudo iwconfig wlan0 essid YOURSSID

If we want to add WEP encryption:

sudo iwconfig wlan0 key KEY

for the hex key, or for ASCII:

sudo iwconfig wlan0 key s:KEY

Make sure the connection is made:

sudo iwconfig wlan0

And run

sudo dhclient wlan0

WPA is slightly different. After bringing the interface up with ip, we will add this to /etc/wpa_supplicant/wpa_supplicant.conf:

# WPA-PSK/TKIP
update_config=1
ctrl_interface=/var/run/wpa_supplicant

network={
ssid="your-ssid"
psk="your-psk-key"
}

Run

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf

Proceed with dhclient.

Configuration with ifupdown

Let’s edit the /etc/network/interfaces file and set our options to a static or roaming connection:

sudo nano /etc/network/interfaces

or if you prefer graphical:

gksudo geany /etc/network/interfaces

Obviously, replace nano and geany with your terminal or GUI editor of choice.

Static connection, WEP or WPA

WEP is the old and insecure encryption algorithm for routers and clients, though some manufacturers still supply routers with WEP set as default. WPA is basically unbreakable. If you do decide to use WEP, this is what you need to add to the file:

allow-hotplug wlan0
iface wlan0 inet dhcp
wireless-mode managed
wireless-essid YOURSSID
wireless-key YOURKEY

That configuration makes ifupdown call on iwconfig and dhclient. If you want it to call wpasupplicant instead:

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-key-mgmt NONE
wpa-ssid SSID
wpa-wep-key0 PASSKEY (in ASCII)
wpa-wep-tx-keyidx 0

For the first configuration, take note: when entering the key you can either use its hex value (if you look it up in your router, you’ll see the hex value) or the key in ASCII. If you use ASCII, you have to prepend “s:” to the key, like this:

wireless-key s:ASCIIKEY

A WPA network is not only more secure, but also easier to manage. The contents of /etc/network/interfaces should look thus:

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-ssid YOURSSID
wpa-psk YOURKEY (in ASCII)

Once you’ve entered all the values, bring the network interface up with:

sudo ifdown wlan0 && sudo ifup wlan0

Roaming configuration, helpers:

For people who actually take their laptops with them, constantly editing a text file isn’t the best of options. Luckily, wpasupplicant is perfectly capable of roaming (connecting to a list of known networks, and if you so choose, unencrypted ones). The /etc/network/interfaces (/e/n/i for short) config would then look like this:

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa-roam.conf

We will create the /etc/wpa_supplicant/wpa-roam.conf file, and add some options and our networks:

update_config=1
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

# This one is for connecting to any unsecured network your machine comes into contact with, just comment out if you don’t like this:

network={
key_mgmt=NONE
}

# The actual roaming settings go here:

network={
ssid="YOUR SSID AT HOME"
psk="PASSWORD"
id_str="home"
}

network={
ssid="YOUR SSID AT WORK"
psk="PASSWORD"
id_str="work"
}
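
A quick audit of a roaming config like the one above, as an added example that is not part of the original post: it flags the catch-all open block (which lets the machine associate with any unencrypted access point in range) and any passphrase stored in quoted plaintext. The function names, SSIDs and keys are made up for the example.

```shell
# Added example: flag risky network blocks in a wpa_supplicant roaming config.
# Usage: audit_wpa_conf /etc/wpa_supplicant/wpa-roam.conf   ("-" or no argument reads stdin)
audit_wpa_conf() {
    awk '
        /^[ \t]*#/ { next }                           # ignore comment lines
        /^[ \t]*network[ \t]*=[ \t]*[{]/ {            # a network block opens
            inblk = 1; ssid = ""; km = ""; psk = ""; start = NR; next
        }
        inblk && /^[ \t]*[}]/ {                       # block closes: judge it
            inblk = 0
            if (km == "NONE" && ssid == "")
                print "line " start ": open catch-all block, joins any unencrypted network"
            else if (km == "NONE")
                print "line " start ": no WPA protection for " ssid
            if (psk ~ /^"/)                           # quoted value = passphrase, not 64-hex PSK
                print "line " start ": plaintext passphrase stored for " ssid
            next
        }
        inblk {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            if (key == "ssid") ssid = val
            else if (key == "key_mgmt") km = val
            else if (key == "psk") psk = val
        }
    ' "${1:--}"
}

# Constructed sample config (SSIDs and keys are made up for this example).
sample_conf() {
    cat <<'EOF'
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
    key_mgmt=NONE
}
network={
    ssid="home-net"
    psk="correct horse battery staple"
}
network={
    ssid="work-net"
    psk=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
}
EOF
}

sample_conf | audit_wpa_conf -
```

A quoted passphrase can be replaced by the 64-hex-digit psk that wpa_passphrase (shipped with wpa_supplicant) prints for the same SSID; that value still grants access to that network, so the file permissions set later in this post still matter.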

Edit: as daggoth pointed out, once you’ve started adding interfaces to wpa-roam.conf, /e/n/i also needs to be modified:

When I first tried to connect to wifi with ifupdown and wpa-roam/wpa_gui, the network connected okay, but without the config of an IP address. So I had to type in ‘dhclient wlan0’ just to make it usable. The reason why that happened is because after wpa_supplicant has established an encrypted connection, it will then again call ifup, and request it to map the physical interface ‘wlan0’ onto some other logical interface, which in most cases is named ‘default’.

But if that logical interface ‘default’ isn’t defined in the /e/n/i, then when the wpa_supplicant script requests ifup to map ‘wlan0’ onto ‘default’, then the ifup will just exit with an error, because the ‘default’ interface is undefined. Such that the dhcp/static config of an IP address will never occur. So to prevent that, we need to append this line to the /e/n/i

iface default inet dhcp

And similarly, for each id_str="some_name" entry contained within the network stanzas defined in your /etc/wpa_supplicant/wpa-roam.conf file, another logical interface needs to be declared in your /e/n/i. And these multiple logical interface declarations can each specify a different kind of dhcp/static configuration, as required. So yes, it is very flexible…

I hope that all makes sense. Clear as mud, huh? But if not, then I think this manpage entry here may help…

$ man wpa_action | sed '70,$ !d'

So, in the case of this tutorial, we’d add

iface default inet dhcp
iface work inet dhcp
iface home inet dhcp
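
To catch a missing logical interface before the connection comes up without an IP address, the check below lists every id_str in the roaming config (plus default) that has no matching iface stanza. It is an added example, not part of the original post; the function names and the sample files are made up for illustration.

```shell
# Added example: list the logical interfaces that wpa-roam will ask ifup for
# but that /etc/network/interfaces does not define.
# Usage: missing_ifaces /etc/wpa_supplicant/wpa-roam.conf /etc/network/interfaces
missing_ifaces() {
    roam=$1 eni=$2
    {
        echo default    # logical interface used for networks that carry no id_str
        sed -n 's/^[[:space:]]*id_str="\([^"]*\)".*$/\1/p' "$roam"
    } | sort -u | while IFS= read -r name; do
        # exact match on the second field avoids regex surprises in names
        awk -v n="$name" '$1 == "iface" && $2 == n && $3 == "inet" { found = 1 }
                          END { exit !found }' "$eni" || echo "$name"
    done
}

# Constructed sample files: "work" is named in the roaming config but has no stanza.
demo_missing_ifaces() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/wpa-roam.conf" <<'EOF'
network={
    ssid="home-net"
    psk="example passphrase one"
    id_str="home"
}
network={
    ssid="work-net"
    psk="example passphrase two"
    id_str="work"
}
EOF
    cat > "$dir/interfaces" <<'EOF'
allow-hotplug wlan0
iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa-roam.conf
iface default inet dhcp
iface home inet dhcp
EOF
    missing_ifaces "$dir/wpa-roam.conf" "$dir/interfaces"
    rm -rf "$dir"
}

demo_missing_ifaces
```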

There are countless further examples in /usr/share/doc/wpasupplicant/examples/. Once you’ve configured wpa roaming, bring the network up:

sudo ifdown wlan0 && sudo ifup wlan0

wpasupplicant has two helpers for roaming. wpa_cli gets installed along with wpasupplicant, and wpa_gui doesn’t. wpa_gui is a Qt frontend for wpasupplicant, and is pretty easy to operate. I have yet to understand how wpa_cli works exactly, will let you know if I ever do. To install wpa_gui:

sudo apt-get install wpagui

and start it from a root shell or with gksudo.

Ceni to make your life easier

You don’t have to do all the file editing by hand. Aptosid has an excellent utility for configuring /e/n/i for you, called ceni. You can obtain it via smxi or directly from aptosid. Create a file /etc/apt/sources.list.d/aptosid.list and add this in:

deb ftp://ftp.spline.de/pub/aptosid/debian/ sid main fix.main

Then run:

sudo apt-get update && sudo apt-get install ceni

You can remove the aptosid list from sources after that. If you use ceni, it will automatically change permissions on your /e/n/i so only root can read it; if you’re doing stuff manually, set them yourself:

sudo chmod 0600 /etc/network/interfaces
sudo chmod 0600 /etc/wpa_supplicant/wpa-roam.conf

Now disable network manager or wicd:

sudo update-rc.d network-manager remove
sudo update-rc.d wicd remove

Or, for systemd:

sudo systemctl disable network-manager.service
sudo systemctl disable wicd.service

And that should be it.

By: Ed



Posted September 18, 2013 by Timothy Conrad in category "Linux"
