Wpa supplicant: Difference between revisions

Fschn90 (talk | contribs)
option has changed from environmentFile to secretsFile
Updates based on https://github.com/NixOS/nixpkgs/issues/528867#issuecomment-4641873434 and the release notes in https://nixos.org/manual/nixos/stable/release-notes#sec-release-26.05-incompatibilities
 
(5 intermediate revisions by 3 users not shown)
Line 12: Line 12:
To be able to use <code>wpa_gui</code> or <code>wpa_cli</code> as user put the following in your <code>configuration.nix</code> file:
To be able to use <code>wpa_gui</code> or <code>wpa_cli</code> as user put the following in your <code>configuration.nix</code> file:


<syntaxHighlight lang=nix>
<syntaxhighlight lang="nix">
networking.wireless.userControlled.enable = true;
networking.wireless.userControlled = true;
</syntaxHighlight>
</syntaxhighlight>


Also your user must be part of the <code>wheel</code> group (replace USER with your username):
Also your user must be part of the <code>wpa_supplicant</code> group (replace USER with your username):


<syntaxHighlight lang=nix>
<syntaxHighlight lang=nix>
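Review bot: the change from the <code>wheel</code> group to the <code>wpa_supplicant</code> group, and from <code>networking.wireless.userControlled.enable</code> to <code>networking.wireless.userControlled</code>, does not say which NixOS release it applies to. The revision summary cites the 26.05 release notes, so name that release in the sentence above the snippet so readers on an older release can tell which form applies to them. Separately, the first block's tag becomes <code>&lt;syntaxhighlight lang="nix"&gt;</code> while the following block keeps <code>&lt;syntaxHighlight lang=nix&gt;</code>; use one spelling throughout.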
Line 55: Line 55:
     enable = true;  # Enables wireless support via wpa_supplicant.
     enable = true;  # Enables wireless support via wpa_supplicant.
     networks."MYSSID".psk = "myPresharedKey";
     networks."MYSSID".psk = "myPresharedKey";
    extraConfig = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel";
    # output ends up in /run/wpa_supplicant/wpa_supplicant.conf
   };
   };
</syntaxhighlight>
</syntaxhighlight>
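Review bot: the comment <code># output ends up in /run/wpa_supplicant/wpa_supplicant.conf</code> appears on only one side, next to the <code>extraConfig</code> line with <code>GROUP=wheel</code>, so the page's only pointer to the generated configuration file changes together with the group setting. If the <code>extraConfig</code> line is the one being dropped, keep the location comment or move it into the prose, since it is what readers use to check the rendered result. The example also still sets <code>networks."MYSSID".psk</code> inline; the earlier revision summary mentions <code>secretsFile</code>, and a cross-reference to that option here would help.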
Line 112: Line 110:
Where you need to change the <code>wlan0</code> with your own wifi network interface. You can list your interfaces by running <code>ip link</code>, your wifi network interface should have "wl" prepended. Note that the above snippet fully randomizes your MAC address, for more information you can read macchanger's manpage. This obviously requires you to have the <code>macchanger</code> package installed.
Where you need to change the <code>wlan0</code> with your own wifi network interface. You can list your interfaces by running <code>ip link</code>, your wifi network interface should have "wl" prepended. Note that the above snippet fully randomizes your MAC address, for more information you can read macchanger's manpage. This obviously requires you to have the <code>macchanger</code> package installed.


== Eduroam ==
== [[eduroam]] ==
 
Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to [[eduroam]] or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.<syntaxHighlight lang=nixos>
Nowadays, using EAP-PWD is preferred over MSCHAPv2 when connecting to eduroam or other institutional networks. It provides stronger [https://www.rfc-editor.org/rfc/rfc5931#page-35 security claims] and is simpler to set up. It also never transmits your password, doesn't require certificates and needs less authentication roundtrips. The identity and password should be given to you by your institution.
 
<syntaxHighlight lang=nixos>
  networking.wireless.networks.eduroam = {
  networking.wireless.networks.eduroam = {
   auth = ''
   auth = ''
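Review bot: the heading <code>== [[eduroam]] ==</code> puts a wiki link inside a section title, which changes the section anchor from <code>#Eduroam</code> to <code>#eduroam</code> and breaks existing links to the section. Keep the plain <code>== Eduroam ==</code> heading and leave the <code>[[eduroam]]</code> link in the first sentence of the paragraph. The code block here uses <code>lang=nixos</code> while the blocks earlier on the page use <code>lang=nix</code>; align them. "less authentication roundtrips" should read "fewer authentication round trips".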
Line 126: Line 121:
  };
  };
</syntaxHighlight>
</syntaxHighlight>
=== Restrictions on Certificate Location ===
For certificate-based setups, due to security hardening for wpa_supplicant in NixOS 26.05 and later users of wpa_supplicant face restrictions on where eduroam certificates can be stored<ref>https://discourse.nixos.org/t/breaking-changes-announcement-for-unstable/17574/116</ref>. Certificates should be placed in either <code>/etc/ssl/certs</code> or <code>/etc/wpa_supplicant</code> and should be owned by (or accessible to) the wpa_supplicant user.
Some eduroam configuration scripts may hardcode paths in its relevant <code>/etc/NetworkManager/system-connections/<connection>.nmconnection</code>. In this case, editing the <code>ca-cert</code>, <code>client-cert</code>, and <code>private-key</code> to point at their new location should suffice.


== WEP support ==
== WEP support ==
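Review bot: the new section lists <code>private-key</code> among the paths to relocate but offers <code>/etc/ssl/certs</code> as one of the two allowed locations and only asks that files be "owned by (or accessible to) the wpa_supplicant user". Distinguish the CA and client certificates from the private key, and state the ownership and mode expected for the key so that "accessible to" is not read as world-readable; <code>/etc/wpa_supplicant</code> looks like the better home for it. The <code>&lt;ref&gt;</code> points at a Discourse thread although the revision summary cites the 26.05 release notes, which are the more stable source. The sentence about <code>/etc/NetworkManager/system-connections/</code> needs a word on why NetworkManager paths matter on a wpa_supplicant page, and "may hardcode paths in its" should be "in their".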
Line 161: Line 161:
== External links ==
== External links ==


* [https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos (german) article ''eduroam meets NixOS'' (with configuration)] (instance ''University of Applied Sciences Dresden'': The [https://cat.eduroam.org/?idp=5106&profile=5098 eduroam installer for GNU/Linux] works [https://www.htw-dresden.de/en/university/organisation/zid/service-overview-and-instructions/wi-fi-/-wlan/eduroam/linux for example for Ubuntu] but not [[NixOS]])
* [https://github.com/NixOS/nixpkgs/issues/177501 NixOs: Can't connect to a WEP network: failure to add network: invalid message format]
* [https://github.com/NixOS/nixpkgs/issues/177501 NixOs: Can't connect to a WEP network: failure to add network: invalid message format]


[[Category:Software]]
[[Category:Software]]
[[Category:Networking]]
[[Category:Networking]]
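Review bot: the ''eduroam meets NixOS'' bullet appears on only one side, and it is the only external link specific to the eduroam section. If it is being removed, note in the summary where that reference now lives (for example the [[eduroam]] page); if it is being added, capitalise "German", shorten the nested parenthetical, and say in one clause why the eduroam installer does not work on NixOS instead of only asserting it.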