Difference between revisions of "Iwd"

From ArchWiki
Jump to navigation Jump to search
(move sentence from new section to old, combining section [WIP])
(combine device renaming section [WIP])
Line 249: Line 249:
Then one can enable the {{ic|iwd@''device''.service}} unit for the specific wireless ''device''.
Then one can enable the {{ic|iwd@''device''.service}} unit for the specific wireless ''device''.
Alternatively, set a proper dependency for iwd to run after systemd/udevd by creating a [[drop-in file]] as follows: [https://lists.01.org/pipermail/iwd/2019-March/005837.html]
See {{Bug|61367}}.
See {{Bug|61367}}.
Line 256: Line 262:
{{Accuracy|1=Is "After=network-pre.target" needed? If so, is "After=systemd-udevd" even needed? See [https://lists.01.org/pipermail/iwd/2019-March/005839.html] and {{man|7|systemd-special}}.}}
{{Accuracy|1=Is "After=network-pre.target" needed? If so, is "After=systemd-udevd" even needed? See [https://lists.01.org/pipermail/iwd/2019-March/005839.html] and {{man|7|systemd-special}}.}}
All network devices are renamed by systenmd/udevd on boot to have predictable names. [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/]  This causes an annoying issue when a network device name varies from boot to boot. The solution is to set a proper dependency for iwd to run after systemd/udevd by creating a [[drop-in file]] as follows: [https://lists.01.org/pipermail/iwd/2019-March/005837.html]
All network devices are renamed by systenmd/udevd on boot to have predictable names. [https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/]  This causes an annoying issue when a network device name varies from boot to boot.  
== See also ==
== See also ==

Revision as of 18:57, 31 March 2019

iwd (iNet wireless daemon) is a wireless daemon for Linux written by Intel that aims to replace WPA supplicant. The core goal of the project is to optimize resource utilization by not depending on any external libraries and instead utilizing features provided by the Linux Kernel to the maximum extent possible. [1]

iwd can work in standalone mode or in combination with comprehensive network managers like ConnMan, systemd-networkd and NetworkManager.


Install the iwd package.


The iwd package provides the client program iwctl, the daemon iwd and the Wi-Fi monitoring tool iwmon.

Start/enable iwd.service so it can be controlled using the iwctl command.


To get an interactive prompt do:

# iwctl

The interactive prompt is then displayed with a prefix of [iwd]#.

  • In the iwctl prompt you can auto-complete commands and device names by hitting Tab.
  • You can use all commands as command line arguments without entering an interactive prompt. For example: iwctl device wlp3s0 show.

To list all available commands:

[iwd]# help

Connect to a network

First, if you do not know your wireless device name, list all wifi devices:

[iwd]# device list

Then, to scan for networks:

[iwd]# station device scan

You can then list all available networks:

[iwd]# station device get-networks

Finally, to connect to a network:

[iwd]# station device connect SSID

If a passphrase is required, you will be prompted to enter it.

  • iwd automatically stores network passphrases in the /var/lib/iwd directory and uses them to auto-connect in the future. See #Optional configuration.
  • To connect to a network with spaces in the SSID, the network name should be double quoted when connecting.
  • iwd only supports PSK pass-phrases from 8 to 63 ASCII-encoded characters. The following error message will be given if the requirements are not met: "PMK generation failed. Ensure Crypto Engine is properly configured"

Disconnect from a network

To disconnect from a network:

[iwd]# station device disconnect

Show device information

To display the details of a WiFi device, like MAC address, state and connected network:

[iwd]# device device show

Manage known networks

To list networks you have connected to previously:

[iwd]# known-networks list

To forget a known network:

[iwd]# known-networks forget SSID

WPA Enterprise


For connecting to a EAP-PWD protected enterprice access point you need to create a file called: essid.8021x in the folder /var/lib/iwd with the following content:



If you do not want autoconnect to the AP you can set the option to False and connect manually to the access point via iwctl. The same applies to the password, if you do not want to store it plaintext leave the option out of the file and just connect to the enterprise AP.


Like EAP-PWD, you also need to create a essid.8021x in the folder. Before you proceed to write the configuration file, this is also a good time to find out which CA certificate your organization uses. This is an example configuration file that uses MSCHAPv2 password authentication:


Tip: If you are planning on using eduroam and you are affiliated with a US-based institution, your CA is likely Addtrust External CA Root, as your institution probably issues certificates through Internet2's InCommon. However, you should always refer to your organization's help desk if in doubt.

TLS Based EAP Methods

Until Linux kernel v4.20, to connect to EAP-TLS, EAP-TTLS, and EAP-PEAP, the kernel has to be patched. Edit the PKGBUILD for the kernel and add the following sources


And add the following line to the end of the kernel config:


Then update the checksums of the PKGBUILD with updpkgsums (from pacman-contrib):

$ updpkgsums

and build the package.

Other cases

More example tests can be found in the test cases of the upstream repository.

Optional configuration

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: Mention what can be configured and how? (Discuss in Talk:Iwd#)

File /etc/iwd/main.conf can be used for main configuration.

By default, iwd stores the network configuration in /var/lib/iwd directory. The configuration file is named as network.type where network is network SSID and type is network type i.e. one of "open", "wep", "psk", "8021x". The file is used to store the encrypted PreSharedKey and optionally the cleartext Passphrase and can be created by the user without invoking iwctl. The file can also be used for other configuration pertaining to that network SSID.

A minimal example file to connect to a WPA2/PSK secured network with SSID "spaceship" and passphrase "test1234":


The PreSharedKey can be calculated with wpa_passphrase from the SSID and the WIFI passphrase:

$ wpa_passphrase "spaceship" "test1234"
Note: The SSID of the network is used as a filename only when it contains only alphanumeric characters or one of - _. If it contains any other characters, the name will instead be an =-character followed by the hex-encoded version of the SSID.

Disable auto-connect for a particular network

Create / edit file /var/lib/iwd/network.type. Add the following section to it:

/var/lib/iwd/spaceship.psk (for example)

Disable periodic scan for available networks

By default when iwd is in disconnected state, it periodically scans for available networks. To disable periodic scan (so as to always scan manually), create / edit file /etc/iwd/main.conf and add the following section to it:


Deny console (local) user from modifying the settings

By default iwd D-Bus interface allows any console user to connect to iwd daemon and modify the settings, even if that user is not a root user.

If you do not want to allow console user to modify the settings but allow reading the status information, then create a D-Bus configuration file as follows.

<!-- prevent local users from changing iwd settings, but allow
     reading status information. overrides some part of
     /usr/share/dbus-1/system.d/iwd-dbus.conf. -->

<!-- This configuration file specifies the required security policies
     for iNet Wireless Daemon to work. -->

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"

  <policy at_console="true">
    <deny send_destination="net.connman.iwd"/>
    <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.Properties" send_member="GetAll" />
    <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.Properties" send_member="Get" />
    <allow send_destination="net.connman.iwd" send_interface="org.freedesktop.DBus.ObjectManager" send_member="GetManagedObjects" />
    <allow send_destination="net.connman.iwd" send_interface="net.connman.iwd.Device" send_member="RegisterSignalLevelAgent" />
    <allow send_destination="net.connman.iwd" send_interface="net.connman.iwd.Device" send_member="UnregisterSignalLevelAgent" />

Tip: Remove <allow> lines above to deny reading the status information as well.


Connect issues after reboot

A low entropy pool can cause connection problems in particular noticeable after reboot. See Random number generation for suggestions to increase the entropy pool.

Systemd unit fails on startup due to device not being available

Some users have reported that the provided systemd unit does not wait for the wireless device to become available. [2] Unfortunately, if iwd is started before udev renaming is done, the network device will be blocked and renaming will fail. Thus, the unit fails on startup. To fix this, one can create a systemd unit with the following content:

Description=Wireless service on %I

ExecStart=/usr/lib/iwd/iwd --interface %i

Then one can enable the iwd@device.service unit for the specific wireless device.

Alternatively, set a proper dependency for iwd to run after systemd/udevd by creating a drop-in file as follows: [3]


See FS#61367.

Network device name varies from boot to boot

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: Is "After=network-pre.target" needed? If so, is "After=systemd-udevd" even needed? See [4] and systemd-special(7). (Discuss in Talk:Iwd#)

All network devices are renamed by systenmd/udevd on boot to have predictable names. [5] This causes an annoying issue when a network device name varies from boot to boot.

See also