Difference between revisions of "Netctl"

From ArchWiki
m (moved link to 'See also' section)
(Tips and tricks: DHCP timeout issues added)
(22 intermediate revisions by 8 users not shown)
Line 11: Line 11:
 
{{Article summary heading|Overview}}
 
{{Article summary heading|Overview}}
 
{{Article summary text|{{Networking overview}}}}
 
{{Article summary text|{{Networking overview}}}}
{{Article summary heading|Resources}}
+
{{Article summary heading|Related}}
 
{{Article summary wiki|Bridge with netctl}}
 
{{Article summary wiki|Bridge with netctl}}
 
{{Article summary end}}
 
{{Article summary end}}
  
Netctl is a CLI-based tool used to configure and manage network connections via profiles. It is a native Arch Linux project that replaces the old ''netcfg'' utility.
+
''netctl'' is a CLI-based tool used to configure and manage network connections via profiles. It is a native Arch Linux project that replaces the old ''netcfg'' utility.
  
 
== Installation ==
 
== Installation ==
Line 23: Line 23:
 
The {{Pkg|netctl}} package is available in the [[official repositories]]. Installing netctl will replace {{AUR|netcfg}}.  
 
The {{Pkg|netctl}} package is available in the [[official repositories]]. Installing netctl will replace {{AUR|netcfg}}.  
  
{{Pkg|netctl}} and {{AUR|netcfg}} are conflicting packages. You will be potentially connectionless after installing '''netctl''' if your profiles are misconfigured.
+
{{Pkg|netctl}} and {{AUR|netcfg}} are conflicting packages. You will be potentially connectionless after installing ''netctl'' if your profiles are misconfigured.
  
{{Note|It may be a good idea to use {{ic|1=systemctl --type=service}} to ensure that no other service is running that may want to configure the network. Multiple networking services will conflict.}}
+
{{Note|It may be a good idea to use {{ic|1=systemctl --type=service}} to ensure that no other service is running that may want to configure the network. Multiple networking services will conflict.}}
  
 
== Required reading ==
 
== Required reading ==
Line 36: Line 36:
 
== Configuration ==
 
== Configuration ==
  
{{ic|netctl}} uses profiles to manage network connections, profile files are stored in {{ic|/etc/netctl/}}. Example configuration files are provided for the user to assist them in configuring their network connection. These example profiles are located in {{ic|/etc/netctl/examples/}}. The common configurations include:
+
''netctl'' uses profiles to manage network connections, profile files are stored in {{ic|/etc/netctl/}}. Example configuration files are provided for the user to assist them in configuring their network connection. These example profiles are located in {{ic|/etc/netctl/examples/}}. The common configurations include:
 
* ethernet-dhcp
 
* ethernet-dhcp
 
* ethernet-static
 
* ethernet-static
 
* wireless-wpa
 
* wireless-wpa
 
* wireless-wpa-static
 
* wireless-wpa-static
 
For wireless settings, you can use {{ic|wifi-menu -o}} to generate the profile file in {{ic|/etc/netctl/}}.
 
  
 
To use an example profile, simply copy one of them from {{ic|/etc/netctl/examples/}} to {{ic|/etc/netctl/}} and configure it to your needs:
 
To use an example profile, simply copy one of them from {{ic|/etc/netctl/examples/}} to {{ic|/etc/netctl/}} and configure it to your needs:
 +
 
  # cp /etc/netctl/examples/wireless-wpa /etc/netctl/''profile''
 
  # cp /etc/netctl/examples/wireless-wpa /etc/netctl/''profile''
 +
 +
{{Tip|For wireless settings, you can use {{ic|wifi-menu -o}} to generate the profile file in {{ic|/etc/netctl/}}.}}
  
 
Once you have created your profile, make an attempt to establish a connection using the newly created profile by running:
 
Once you have created your profile, make an attempt to establish a connection using the newly created profile by running:
 +
 
  # netctl start ''profile''
 
  # netctl start ''profile''
  
{{Note|''profile'' is the file name, not including the full path. Providing the full path will make netctl return with an error code.}}
+
{{Note|''profile'' is the file name, not including the full path. Providing the full path will make ''netctl'' exit with an error code.}}
  
 
If issuing the above command results in a failure, then use {{ic|journalctl -xn}} and {{ic|netctl status ''profile''}} in order to obtain a more in depth explanation of the failure. Make the needed corrections to the failed configuration and retest.
 
If issuing the above command results in a failure, then use {{ic|journalctl -xn}} and {{ic|netctl status ''profile''}} in order to obtain a more in depth explanation of the failure. Make the needed corrections to the failed configuration and retest.
Line 56: Line 58:
 
=== Automatic operation ===
 
=== Automatic operation ===
  
If you use only one profile (per interface) or want to switch profiles manually, the [[#Basic method|basic method]] will do. Most common examples are servers, workstations, routers etc.
+
If you use only one profile (per interface) or want to switch profiles manually, the [[#Basic method|Basic method]] will do. Most common examples are servers, workstations, routers etc.
  
 
If you need to switch multiple profiles frequently, use [[#Automatic switching of profiles|Automatic switching of profiles]]. Most common examples are laptops.
 
If you need to switch multiple profiles frequently, use [[#Automatic switching of profiles|Automatic switching of profiles]]. Most common examples are laptops.
Line 62: Line 64:
 
==== Basic method ====
 
==== Basic method ====
  
With this method, you can statically start only one profile per interface. First manually check that the profile can be started  successfully, then it can be {{ic|enabled}} using
+
With this method, you can statically start only one profile per interface. First manually check that the profile can be started  successfully, then it can be enabled using
  
 
  # netctl enable ''profile''
 
  # netctl enable ''profile''
  
This will create and enable a [[systemd]] service that will start when the computer boots.
+
This will create and enable a [[systemd]] service that will start when the computer boots. Changes to the profile file will not propagate to the service file automatically. After such changes, it is necessary to reenable the profile:
 +
 
 +
# netctl reenable ''profile''
  
 
{{Note|The connection is only established if the profile can be started succesfully at boot time (or when the service starts). That specifically means, in case of wired connection the cable must be plugged-in, in case of wireless connection the network must be in range.}}
 
{{Note|The connection is only established if the profile can be started succesfully at boot time (or when the service starts). That specifically means, in case of wired connection the cable must be plugged-in, in case of wireless connection the network must be in range.}}
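Review bot: the Note kept as context directly below the new reenable paragraph still reads "succesfully"; since this edit touches the paragraph above it, correct the spelling to "successfully" in the same pass. The added sentence could also say what "the service file" refers to, as the text before it only says that netctl enable creates a systemd service.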
Line 74: Line 78:
 
==== Automatic switching of profiles ====
 
==== Automatic switching of profiles ====
  
{{ic|netctl}} provides two special [[systemd]] services for automatic switching of profiles: {{ic|netctl-auto@''interface''.service}} for wireless interfaces, and {{ic|netctl-ifplugd@''interface''.service}} for wired interfaces. Using {{ic|netctl-auto@''interface''.service}}, netctl profiles change as you move from range of one network into range of other network. Using {{ic|netctl-ifplugd@''interface''.service}}, netctl profiles change as you plug the cable in and out.
+
''netctl'' provides two special [[systemd]] services for automatic switching of profiles:
  
{{Note|{{ic|netcfg}} used {{ic|net-auto-wireless.service}} and {{ic|net-auto-wired.service}} for this purpose.}}
+
* For wired interfaces: {{ic|netctl-ifplugd@''interface''.service}}. Using this netctl profiles change as you plug the cable in and out.
 +
* For wireless interfaces: {{ic|netctl-auto@''interface''.service}}. Using this netctl profiles change as you move from range of one network into range of other network.
 +
 
 +
{{Note|''netcfg'' used {{ic|net-auto-wireless.service}} and {{ic|net-auto-wired.service}} for this purpose.}}
  
 
First [[pacman|install]] required packages:
 
First [[pacman|install]] required packages:
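Review bot: both new list items use the phrasing "Using this netctl profiles change", which is hard to parse without a comma and leaves "this" without a noun; "With this service, profiles change as ..." reads cleanly. The wireless item's "into range of other network" also needs "another".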
Line 82: Line 89:
 
* Package {{Pkg|ifplugd}} is required to use {{ic|netctl-ifplugd@''interface''.service}}.
 
* Package {{Pkg|ifplugd}} is required to use {{ic|netctl-ifplugd@''interface''.service}}.
  
Now configure all profiles that {{ic|netctl-auto@''interface''.service}} or {{ic|netctl-ifplugd@''interface''.service}} can start. If you want some wireless profile '''not''' to be started automatically by {{ic|netctl-auto@''interface''.service}}, you have to explicitly add {{ic|1=ExcludeAuto=yes}} to that profile. You can use {{ic|1=Priority=}} to set priority of some profile when multiple profiles are available. {{ic|netctl-ifplugd@''interface''.service}} will prefer profiles, which use dhcp. To prefer a profile with a static IP, you can use {{ic|1=AutoWired=yes}}. See {{ic|netctl.profile(5)}} for details.
+
Now configure all profiles that {{ic|netctl-auto@''interface''.service}} or {{ic|netctl-ifplugd@''interface''.service}} can start.
  
{{Warning|Automatic selection of a WPA-enabled profile by netctl-auto is not possible with option {{ic|1=Security=wpa-config}}, please use {{ic|1=Security=wpa-configsection}} instead.}}
+
If you want some wireless profile '''not''' to be started automatically by {{ic|netctl-auto@''interface''.service}}, you have to explicitly add {{ic|1=ExcludeAuto=yes}} to that profile. You can use {{ic|1=Priority=}} to set priority of some profile when multiple profiles are available. {{ic|netctl-ifplugd@''interface''.service}} will prefer profiles, which use [[Wikipedia:DHCP|DHCP]]. To prefer a profile with a static IP, you can use {{ic|1=AutoWired=yes}}. See {{ic|netctl.profile(5)}} for details.
 +
 
 +
{{Warning|Automatic selection of a WPA-enabled profile by ''netctl-auto'' is not possible with option {{ic|1=Security=wpa-config}}, please use {{ic|1=Security=wpa-configsection}} instead.}}
  
 
Once your profiles are set and verified to be working, simply enable these services using ''systemctl'':
 
Once your profiles are set and verified to be working, simply enable these services using ''systemctl'':
 +
 
  # systemctl enable netctl-auto@''interface''.service  
 
  # systemctl enable netctl-auto@''interface''.service  
 
  # systemctl enable netctl-ifplugd@''interface''.service   
 
  # systemctl enable netctl-ifplugd@''interface''.service   
  
{{Warning|If any of the profiles contain errors, such as an empty {{ic|1=Key=}} variable, the unit will fail to load at boot.}}
+
{{Warning|
 +
* If any of the profiles contain errors, such as an empty {{ic|1=Key=}} variable, the unit will fail to load at boot.
 +
* This method conflicts with the [[#Basic method|Basic method]]. If you have previously enabled a profile through ''netctl'', run {{ic|netctl disable ''profile''}} to prevent the profile from starting twice at boot.}}
  
{{Warning|This method conflicts with the [[#Basic method|basic method]]. If you have previously enabled a profile through {{ic|netctl}}, run {{bc|# netctl disable ''profile''}} to prevent the profile from starting twice at boot.}}
+
Since netctl 1.3, it possible to manually control an interface otherwise managed by netctl-auto without having to stop the netctl-auto service. This is done using the netctl-auto command. To have a list of available actions just run:
 +
  # netctl-auto --help
  
 
=== Migrating from netcfg ===
 
=== Migrating from netcfg ===
  
{{ic|netctl}} uses {{ic|/etc/netctl}} to store its profiles, ''not'' {{ic|/etc/network.d}} ({{ic|netcfg}}'s profile storage location).
+
''netctl'' uses {{ic|/etc/netctl/}} to store its profiles, '''not''' {{ic|/etc/network.d/}} (used by ''netcfg'').
  
In order to migrate from netcfg, at least the following is needed:
+
In order to migrate from ''netcfg'', at least the following is needed:
 
* Disable the netcfg service: {{ic|systemctl disable netcfg.service}}.
 
* Disable the netcfg service: {{ic|systemctl disable netcfg.service}}.
* Uninstall netcfg and install netctl.
+
* Uninstall ''netcfg'' and install ''netctl''.
 
* Move network profile files to the new directory.
 
* Move network profile files to the new directory.
 
* Rename variables therein according to {{ic|netctl.profile(5)}} (Most variable names have only {{ic|UpperCamelCase}} i.e {{ic|CONNECTION}} becomes {{ic|Connection}}).
 
* Rename variables therein according to {{ic|netctl.profile(5)}} (Most variable names have only {{ic|UpperCamelCase}} i.e {{ic|CONNECTION}} becomes {{ic|Connection}}).
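Review bot: the paragraph added after the merged Warning reads "it possible to manually control" (missing "is") and writes netctl-auto as bare text twice, while the rest of this revision formats tool names as ''netctl'' or {{ic|...}}. The merged Warning also gives netctl disable ''profile'' inline without the root prompt that the removed {{bc|# netctl disable ''profile''}} carried, so it is worth stating that the command needs root.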
Line 108: Line 121:
 
* Run {{ic|netctl enable ''profile''}} for every profile in the old {{ic|NETWORKS}} array. ''last'' doesn't work this way, see {{ic|netctl.special(7)}}.
 
* Run {{ic|netctl enable ''profile''}} for every profile in the old {{ic|NETWORKS}} array. ''last'' doesn't work this way, see {{ic|netctl.special(7)}}.
 
* Use {{ic|netctl list}} and/or {{ic|netctl start ''profile''}} instead of ''netcfg-menu''. ''wifi-menu'' remains available.
 
* Use {{ic|netctl list}} and/or {{ic|netctl start ''profile''}} instead of ''netcfg-menu''. ''wifi-menu'' remains available.
* Unlike {{ic|netcfg}}, by default {{ic|netctl}} fails to bring up a [[wikipedia:Network interface controller|NIC]] when it is not connected to another powered up NIC. To solve this problem, add {{ic|1=SkipNoCarrier=yes}} at the end of your {{ic|/etc/netctl/''profile''}}.
+
* Unlike ''netcfg'', by default ''netctl'' fails to bring up a [[wikipedia:Network interface controller|NIC]] when it is not connected to another powered up NIC. To solve this problem, add {{ic|1=SkipNoCarrier=yes}} at the end of your {{ic|/etc/netctl/''profile''}}.
  
 
=== Passphrase obfuscation (256-bit PSK) ===
 
=== Passphrase obfuscation (256-bit PSK) ===
Line 114: Line 127:
 
{{Note|Although "encrypted", the key that you put in the profile configuration is enough to connect to a WPA-PSK network. Therefore this process is only useful for hiding the human-readable version of the passphrase. This will not prevent anyone with read access to this file from connecting to the network. You should ask yourself if there is any use in this at all, since using the same passphrase for anything else is a very poor security measure.}}
 
{{Note|Although "encrypted", the key that you put in the profile configuration is enough to connect to a WPA-PSK network. Therefore this process is only useful for hiding the human-readable version of the passphrase. This will not prevent anyone with read access to this file from connecting to the network. You should ask yourself if there is any use in this at all, since using the same passphrase for anything else is a very poor security measure.}}
  
Users ''not'' wishing to have the passphrase to their wireless network stored in ''plain text'' have the option of storing the corresponding 256-bit pre-shared key (PSK) instead, which is calculated from the passphrase and the SSID using standard algorithms.
+
Users '''not''' wishing to have the passphrase to their wireless network stored in ''plain text'' have the option of storing the corresponding 256-bit pre-shared key (PSK) instead, which is calculated from the passphrase and the SSID using standard algorithms.
  
* Method 1: Use {{ic|wifi-menu -o}} to generate a config file in {{ic|/etc/netctl}}  
+
* Method 1: Use {{ic|wifi-menu -o}} to generate a config file in {{ic|/etc/netctl/}}  
* Method 2: Manual settings as follows. If the passphrase fails, try removing the \" in Key= (see note below)
+
* Method 2: Manual settings as follows.
  
 
For both methods it is suggested to {{ic|chmod 600 /etc/netctl/<config_file>}} to prevent user access to the password.
 
For both methods it is suggested to {{ic|chmod 600 /etc/netctl/<config_file>}} to prevent user access to the password.
  
 
Calculate your 256-bit PSK using [[WPA_supplicant#Configuration_file|wpa_passphrase]]:
 
Calculate your 256-bit PSK using [[WPA_supplicant#Configuration_file|wpa_passphrase]]:
{{hc|$ wpa_passphrase archlinux freenode|2=
+
{{hc|$ wpa_passphrase ''your_essid'' ''passphrase''|2=
 
   network={
 
   network={
   ssid="archlinux"
+
   ssid="''your_essid''"
   #psk="freenode"
+
   #psk="''passphrase''"
 
   psk=64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
 
   psk=64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
 
}
 
}
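Review bot: in the wpa_passphrase example the ssid and passphrase become the placeholders ''your_essid'' and ''passphrase'', but the psk= line is left unchanged from the archlinux/freenode example, so the sample output no longer corresponds to the inputs shown. Either keep one concrete example throughout or replace the 64-digit value with a placeholder as well, so that readers do not copy a key derived for a different network.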
Line 133: Line 146:
  
 
In a second terminal window, copy the example file {{ic|wireless-wpa}} from {{ic|/etc/netctl/examples}} to {{ic|/etc/netctl}}:
 
In a second terminal window, copy the example file {{ic|wireless-wpa}} from {{ic|/etc/netctl/examples}} to {{ic|/etc/netctl}}:
 +
 
  # cp /etc/netctl/examples/wireless-wpa /etc/netctl/wireless-wpa
 
  # cp /etc/netctl/examples/wireless-wpa /etc/netctl/wireless-wpa
  
You will then need to edit {{ic|/etc/netctl/wireless-wpa}} using your favorite text editor and add the ''pre-shared key'', that was generated earlier using wpa_passphrase, to the {{ic|'''Key'''}} variable of this profile.
+
You will then need to edit {{ic|/etc/netctl/wireless-wpa}} using your favorite text editor and add the ''pre-shared key'', that was generated earlier using wpa_passphrase, to the {{ic|Key}} variable of this profile.
  
 
Once completed your network profile {{ic|wireless-wpa}} containing a 256-bit PSK should resemble:
 
Once completed your network profile {{ic|wireless-wpa}} containing a 256-bit PSK should resemble:
Line 145: Line 159:
 
Security=wpa
 
Security=wpa
 
IP=dhcp
 
IP=dhcp
ESSID=archlinux
+
ESSID=''your_essid''
 
Key=\"64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
 
Key=\"64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
 
}}
 
}}
  
{{Note|Make sure to use the '''special non-quoted rules''' for {{ic|1=Key=}} that are explained at the end of [https://github.com/joukewitteveen/netctl/blob/master/docs/netctl.profile.5.txt netctl.profile(5)].}}
+
{{Note|
 +
* Make sure to use the '''special quoting rules''' for the {{ic|Key}} variable as explained at the end of [https://github.com/joukewitteveen/netctl/blob/master/docs/netctl.profile.5.txt netctl.profile(5)].
 +
* If the passphrase fails, try removing the {{ic|\"}} in the {{ic|Key}} variable.}}
  
 
== Tips and tricks ==
 
== Tips and tricks ==
 +
  
 
=== Replace 'netcfg current' ===
 
=== Replace 'netcfg current' ===
  
As of April 2013 there is no netctl alternative to {{ic|netcfg current}}. If you relied on it for something, like a status bar for a tiling window manager, you can now use:
+
If you used {{ic|netcfg current}} in the past, you can use {{ic|# netctl-auto current}} as a replacement for connections started with {{ic|netctl-auto}} (feature since netctl-1.3).
 +
 
 +
To manually parse the connections, you can also use:  
  
 
  # netctl list | awk '/*/ {print $2}'
 
  # netctl list | awk '/*/ {print $2}'
 
or, when {{ic|netctl-auto}} was used to connect:
 
 
# wpa_cli -i ''interface'' status | sed -n 's/^id_str=//p'
 
 
{{Note|Since netctl-1.3 (currently in <nowiki>[testing]</nowiki>), {{ic|netctl-auto}} does have a {{ic|current}} command: {{bc|# netctl-auto current}}}}
 
  
 
=== Eduroam ===
 
=== Eduroam ===
  
 
Some universities use a system called "Eduroam" to manage their wireless networks. For this system, a WPA config-section profile with the following format is often useful:
 
Some universities use a system called "Eduroam" to manage their wireless networks. For this system, a WPA config-section profile with the following format is often useful:
 +
 
{{hc|/etc/netctl/wlan0-eduroam|<nowiki>
 
{{hc|/etc/netctl/wlan0-eduroam|<nowiki>
 
Description='Eduroam-profile for <user>'
 
Description='Eduroam-profile for <user>'
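Review bot: the rewritten "Replace 'netcfg current'" paragraph drops the wpa_cli -i ''interface'' status | sed -n 's/^id_str=//p' alternative and points only to netctl-auto current, which the removed Note described as available since netctl-1.3, so readers on an older netctl-auto lose the one command that worked for them. Keep the wpa_cli line as a fallback, and move the root prompt out of {{ic|# netctl-auto current}} so that the # is not read as part of the command.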
Line 183: Line 197:
 
  'identity="<user>"'
 
  'identity="<user>"'
 
  'password="<password>"'
 
  'password="<password>"'
 +
)</nowiki>
 +
}}
 +
 +
{{Tip|To prevent storing your password as plaintext, you can generate a password hash with {{ic|$ echo -n <password> &#124; iconv -t utf16le &#124; openssl md4}}. Then use it as {{ic|'password&#61;hash:<hash>'}}.}}
 +
 +
For TTLS and certified universities this setup works:
 +
 +
{{hc|/etc/netctl/wlan0-eduroam|<nowiki>
 +
Description='Eduroam university'
 +
Interface=wlan0
 +
Connection=wireless
 +
Security=wpa-configsection
 +
IP=dhcp
 +
ESSID=eduroam
 +
WPAConfigSection=(
 +
    'ssid="eduroam"'
 +
    'key_mgmt=WPA-EAP'
 +
    'eap=TTLS'
 +
    'group=TKIP'
 +
    'anonymous_identity="anonymous@domain_university"'
 +
    'identity="XXX@domain_university"'
 +
    'password="XXX"'
 +
    'ca_cert="Path/to/the/certificate"'
 +
    'phase2="auth=PAP"'
 
)</nowiki>
 
)</nowiki>
 
}}
 
}}
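Review bot: the new Tip presents 'password=hash:<hash>' as a way "to prevent storing your password as plaintext", but the profile then holds a value that is used in place of the password, so the caveat and the chmod 600 advice from the Passphrase obfuscation section apply here too and should be repeated or linked. The suggested echo -n <password> pipeline also has the password typed into the command line, where shell history can record it, and the Tip sits between the PEAP profile and the TTLS profile with phase2="auth=PAP" without saying which of the two it applies to.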
Line 292: Line 330:
  
 
If you have a wired and wireless connection to the same network, you can probably now disconnect and reconnect the wired connection without losing connectivity. In most cases, even streaming music won't skip!
 
If you have a wired and wireless connection to the same network, you can probably now disconnect and reconnect the wired connection without losing connectivity. In most cases, even streaming music won't skip!
 +
 +
=== Remove old dhcpcd lease ===
 +
 +
{{Expansion|missing description}}
 +
 +
# rm /var/lib/dhcpcd/dhcpcd-wlan0.lease
 +
 +
=== DHCP timeout issues ===
 +
 +
If you are having timeout issues when requesting leases via DHCP you can set the timeout value higher than netctl's 10 seconds by default. Create a file in {{ic|/etc/netctl/hooks/}} or {{ic|/etc/netctl/interfaces/}}, add {{ic|1=TimeoutDHCP=30}} to it for a timeout of 30 seconds and make the file executable.
  
 
== See also ==
 
== See also ==
  
 
* [https://bbs.archlinux.org/viewtopic.php?id=157670 Official announcement thread]
 
* [https://bbs.archlinux.org/viewtopic.php?id=157670 Official announcement thread]
 +
* There is a cinnamon applet available in the AUR: {{AUR|cinnamon-applet-netctl-systray-menu}}
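Review bot: the new "Remove old dhcpcd lease" section consists of an {{Expansion|missing description}} flag and a bare rm command run as root, with no statement of when the lease should be removed or which symptom it fixes, and it hard-codes wlan0 where the rest of the article uses ''interface''. In the DHCP timeout paragraph, "Create a file in /etc/netctl/hooks/ or /etc/netctl/interfaces/" does not say how the file should be named in each directory or why a file holding only TimeoutDHCP=30 must be executable; a short sample file would settle both.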

Revision as of 20:17, 22 October 2013

A guide to configuring the network using netctl and network profile scripts.
Related
Bridge with netctl

netctl is a CLI-based tool used to configure and manage network connections via profiles. It is a native Arch Linux project that replaces the old netcfg utility.

Installation

This article or section needs expansion. Reason: Optional dependencies should be mentioned. (Discuss in Talk:Netctl#)

The netctl package is available in the official repositories. Installing netctl will replace netcfg (AUR).

netctl and netcfg (AUR) are conflicting packages. You may be left without a connection after installing netctl if your profiles are misconfigured.

Note: It may be a good idea to use systemctl --type=service to ensure that no other service is running that may want to configure the network. Multiple networking services will conflict.

Required reading

It is advisable to read the following man pages before using netctl:

Configuration

netctl uses profiles to manage network connections. Profile files are stored in /etc/netctl/. Example configuration files are provided to help users configure their network connection; these example profiles are located in /etc/netctl/examples/. The common configurations include:

  • ethernet-dhcp
  • ethernet-static
  • wireless-wpa
  • wireless-wpa-static

To use an example profile, simply copy one of them from /etc/netctl/examples/ to /etc/netctl/ and configure it to your needs:

# cp /etc/netctl/examples/wireless-wpa /etc/netctl/profile
Tip: For wireless settings, you can use wifi-menu -o to generate the profile file in /etc/netctl/.

Once you have created your profile, make an attempt to establish a connection using the newly created profile by running:

# netctl start profile
Note: profile is the file name, not including the full path. Providing the full path will make netctl exit with an error code.

If the above command fails, use journalctl -xn and netctl status profile to obtain a more in-depth explanation of the failure. Make the needed corrections to the failed configuration and retest.

Automatic operation

If you use only one profile (per interface) or want to switch profiles manually, the Basic method will do. Most common examples are servers, workstations, routers etc.

If you need to switch multiple profiles frequently, use Automatic switching of profiles. Most common examples are laptops.

Basic method

With this method, you can statically start only one profile per interface. First check manually that the profile can be started successfully; it can then be enabled using:

# netctl enable profile

This will create and enable a systemd service that will start when the computer boots. Changes to the profile file will not propagate to the service file automatically. After such changes, it is necessary to reenable the profile:

# netctl reenable profile
Note: The connection is only established if the profile can be started successfully at boot time (or when the service starts). Specifically, for a wired connection the cable must be plugged in, and for a wireless connection the network must be in range.
Tip: To enable a static IP profile on a wired interface regardless of whether the cable is connected, use SkipNoCarrier=yes in your profile.

Automatic switching of profiles

netctl provides two special systemd services for automatic switching of profiles:

  • For wired interfaces: netctl-ifplugd@interface.service. With this service, netctl profiles change as you plug the cable in and out.
  • For wireless interfaces: netctl-auto@interface.service. With this service, netctl profiles change as you move from the range of one network into the range of another.
Note: netcfg used net-auto-wireless.service and net-auto-wired.service for this purpose.

First install required packages:

  • Package wpa_actiond is required to use netctl-auto@interface.service.
  • Package ifplugd is required to use netctl-ifplugd@interface.service.

Now configure all profiles that netctl-auto@interface.service or netctl-ifplugd@interface.service can start.

If you want a wireless profile not to be started automatically by netctl-auto@interface.service, you have to explicitly add ExcludeAuto=yes to that profile. You can use Priority= to set the priority of a profile when multiple profiles are available. netctl-ifplugd@interface.service prefers profiles that use DHCP. To prefer a profile with a static IP, you can use AutoWired=yes. See netctl.profile(5) for details.

Warning: Automatic selection of a WPA-enabled profile by netctl-auto is not possible with the option Security=wpa-config; use Security=wpa-configsection instead.

Once your profiles are set and verified to be working, simply enable these services using systemctl:

# systemctl enable netctl-auto@interface.service 
# systemctl enable netctl-ifplugd@interface.service  
Warning:
  • If any of the profiles contain errors, such as an empty Key= variable, the unit will fail to load at boot.
  • This method conflicts with the Basic method. If you have previously enabled a profile through netctl, run netctl disable profile to prevent the profile from starting twice at boot.

Since netctl 1.3, it is possible to manually control an interface otherwise managed by netctl-auto without having to stop the netctl-auto service. This is done using the netctl-auto command. To list the available actions, run:

 # netctl-auto --help

Migrating from netcfg

netctl uses /etc/netctl/ to store its profiles, not /etc/network.d/ (used by netcfg).

In order to migrate from netcfg, at least the following is needed:

  • Disable the netcfg service: systemctl disable netcfg.service.
  • Uninstall netcfg and install netctl.
  • Move network profile files to the new directory.
  • Rename variables therein according to netctl.profile(5) (most variable names are now in UpperCamelCase, e.g. CONNECTION becomes Connection).
  • For static IP configuration make sure the Address variables have a netmask after the IP (e.g. Address=('192.168.1.23/24' '192.168.1.87/24') in the example profile).
  • If you set up a wireless profile according to the wireless-wpa-configsection example, note that this overrides wpa_supplicant options defined above the brackets. For a connection to a hidden wireless network, add scan_ssid=1 to the options in the wireless-wpa-configsection; Hidden=yes does not work there.
  • Unquote interface variables and other variables that don't strictly need quoting (this is mainly a style thing).
  • Run netctl enable profile for every profile in the old NETWORKS array. last doesn't work this way, see netctl.special(7).
  • Use netctl list and/or netctl start profile instead of netcfg-menu. wifi-menu remains available.
  • Unlike netcfg, by default netctl fails to bring up a NIC when it is not connected to another powered up NIC. To solve this problem, add SkipNoCarrier=yes at the end of your /etc/netctl/profile.

Passphrase obfuscation (256-bit PSK)

Note: Although "encrypted", the key that you put in the profile configuration is enough to connect to a WPA-PSK network. Therefore this process is only useful for hiding the human-readable version of the passphrase. This will not prevent anyone with read access to this file from connecting to the network. You should ask yourself if there is any use in this at all, since using the same passphrase for anything else is a very poor security measure.

Users not wishing to have the passphrase to their wireless network stored in plain text have the option of storing the corresponding 256-bit pre-shared key (PSK) instead, which is calculated from the passphrase and the SSID using standard algorithms.

  • Method 1: Use wifi-menu -o to generate a config file in /etc/netctl/
  • Method 2: Manual settings as follows.

For both methods it is suggested to chmod 600 /etc/netctl/<config_file> to prevent other users from reading the password.

Calculate your 256-bit PSK using wpa_passphrase:

$ wpa_passphrase your_essid passphrase
network={
  ssid="your_essid"
  #psk="passphrase"
  psk=64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
}
Note: This information will be used in your profile, so do not close the terminal.

In a second terminal window, copy the example file wireless-wpa from /etc/netctl/examples to /etc/netctl:

# cp /etc/netctl/examples/wireless-wpa /etc/netctl/wireless-wpa

You will then need to edit /etc/netctl/wireless-wpa using your favorite text editor and add the pre-shared key that was generated earlier using wpa_passphrase to the Key variable of this profile.

Once completed, your network profile wireless-wpa containing a 256-bit PSK should resemble:

/etc/netctl/wireless-wpa
Description='A simple WPA encrypted wireless connection using 256-bit PSK'
Interface=wlp2s2
Connection=wireless
Security=wpa
IP=dhcp
ESSID=your_essid
Key=\"64cf3ced850ecef39197bb7b7b301fc39437a6aa6c6a599d0534b16af578e04a
Note:
  • Make sure to use the special quoting rules for the Key variable as explained at the end of netctl.profile(5).
  • If the passphrase fails, try removing the \" in the Key variable.
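
The "standard algorithms" mentioned above are PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and 32 bytes of output. The following sketch is an added example, not part of the original article or of netctl; the function names are hypothetical and the sample inputs are the published IEEE 802.11i test vector, not a real network.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA/WPA2 pre-shared key as 64 hex digits.

    Standard derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32 bytes out.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def netctl_key_line(psk_hex: str) -> str:
    # Formats a raw PSK the way the profile above stores it:
    # Key= followed by backslash, double quote and the 64 hex digits.
    if len(psk_hex) != 64 or any(c not in "0123456789abcdef" for c in psk_hex.lower()):
        raise ValueError("expected 64 hex digits")
    return 'Key=\\"' + psk_hex


if __name__ == "__main__":
    # Constructed inputs: the IEEE 802.11i test vector.
    psk = wpa_psk("password", "IEEE")
    print(netctl_key_line(psk))
    # The same passphrase on another SSID gives an unrelated key: the PSK is
    # bound to one network name, and for that network it fully replaces the
    # passphrase, which is why the file permissions still matter.
    print(wpa_psk("password", "IEEE-guest") != psk)
```
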

Tips and tricks

Replace 'netcfg current'

If you used netcfg current in the past, you can use netctl-auto current (run as root) as a replacement for connections started with netctl-auto (a feature since netctl-1.3).

To manually parse the connections, you can also use:

# netctl list | awk '/^\*/ {print $2}'

Eduroam

Some universities use a system called "Eduroam" to manage their wireless networks. For this system, a WPA config-section profile with the following format is often useful:

/etc/netctl/wlan0-eduroam
Description='Eduroam-profile for <user>'
Interface=wlan0
Connection=wireless
Security=wpa-configsection
IP=dhcp
WPAConfigSection=(
 'ssid="eduroam"'
 'proto=RSN'
 'key_mgmt=WPA-EAP'
 'pairwise=CCMP'
 'auth_alg=OPEN'
 'eap=PEAP'
 'identity="<user>"'
 'password="<password>"'
)
Tip: To prevent storing your password as plaintext, you can generate a password hash with $ echo -n <password> | iconv -t utf16le | openssl md4. Then use it as 'password=hash:<hash>'.

For TTLS and certified universities this setup works:

/etc/netctl/wlan0-eduroam
Description='Eduroam university'
Interface=wlan0 
Connection=wireless
Security=wpa-configsection
IP=dhcp
ESSID=eduroam
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=TTLS'
    'group=TKIP'
    'anonymous_identity="anonymous@domain_university"'
    'identity="XXX@domain_university"'
    'password="XXX"'
    'ca_cert="Path/to/the/certificate"'
    'phase2="auth=PAP"'
)
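
The chmod 600 advice given for WPA profiles applies equally to the Eduroam profiles above, because a 256-bit PSK or a hash: value is still a usable credential for the network. The following shell function is an added example, not part of the original page or of netctl: it lists the profiles that store a Key= or password= line and flags those with any group/other permission bits. The function name and output format are assumptions, and it relies on stat -c %a from GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the page or from netctl): flag netctl profiles that
# store a credential and are accessible to group/other users.
# Assumption: stat supports -c %a (GNU coreutils, as on Arch Linux).

# audit_netctl_profiles [DIR]
# Prints "<status> <mode> <kind> <path>" for each profile holding a secret:
#   status  OK (no group/other bits, e.g. 600) or EXPOSED
#   kind    plaintext (readable passphrase/password) or derived
#           (64-hex PSK after Key=\" or password=hash:...)
# Returns 1 if at least one profile is EXPOSED, else 0.
audit_netctl_profiles() {
    dir=${1:-/etc/netctl}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue   # skip examples/, hooks/, interfaces/

        # Credential lines used by the profiles on this page:
        # Key=... and 'password=...' inside WPAConfigSection.
        secrets=$(grep -E "^[[:space:]]*(Key=|'?password=)" "$f" 2>/dev/null) || continue

        # Count secret lines that are neither a hex PSK nor a hash: value.
        plain=$(printf '%s\n' "$secrets" |
            grep -Evc '(Key=\\"[0-9A-Fa-f]{64}[[:space:]]*$|password=hash:)' || true)
        if [ "$plain" -gt 0 ]; then kind=plaintext; else kind=derived; fi

        # Any bit in 077 means group or others can access the file.
        mode=$(stat -c %a "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            status=EXPOSED
            rc=1
        else
            status=OK
        fi
        printf '%s %s %s %s\n' "$status" "$mode" "$kind" "$f"
    done
    return "$rc"
}
```

Run it as root, for example audit_netctl_profiles /etc/netctl, and apply chmod 600 to every path reported as EXPOSED.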

Bonding

From kernel documentation:

The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical "bonded" interface. The behavior of the bonded interfaces depends on the mode. Generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring may be performed.

Load balancing

To use bonding with netctl, an additional package from the official repositories is required: ifenslave.

Copy /etc/netctl/examples/bonding to /etc/netctl/bonding and edit it, for example:

/etc/netctl/bonding
Description='Bond Interface'
Interface='bond0'
Connection=bond
BindsToInterfaces=('eth0' 'eth1')
IP=dhcp
IP6=stateless

Now you can disable your old configuration and set bonding to be started automatically. Switch to the new profile, for example:

# netctl switch-to bonding
Note: This uses the round-robin policy, which is the default for the bonding driver. See official documentation for details.
Tip: To check the status and bonding mode:
$ cat /proc/net/bonding/bond0

Wired to wireless failover

This example describes how to use bonding to fall back to wireless when the wired ethernet goes down. The presence of a network connection on each interface is detected, and dhcpcd is started when a connection on either or both interfaces is established.

You'll need additional packages from the official repositories: ifplugd, ifenslave and wpa_supplicant.

First configure the bonding driver to use active-backup:

/etc/modprobe.d/bonding.conf
options bonding mode=active-backup
options bonding miimon=100
options bonding primary=eth0
options bonding max_bonds=0

The max_bonds option avoids the Interface bond0 already exists error.

Next, configure a netctl profile to enslave the two hardware interfaces:

/etc/netctl/failover
Description='A wired connection with failover to wireless'
Interface='bond0'
Connection=bond
BindsToInterfaces=('eth0' 'wlan0')
IP='no'
SkipNoCarrier='no'

Enable the profile on startup.

# netctl enable failover

Configure wpa_supplicant to associate with known networks. This can be done with a netctl profile (remember to use IP='no') and a wpa_supplicant service running constantly, or on-demand with wpa_cli. Ways to do this are covered on the wpa_supplicant page.

Create an ifplugd action for automatic DHCP assignment on the bonded interface:

/etc/ifplugd/bond_dhcp.action
#!/bin/sh

case "$2" in
  up)
    systemctl start "dhcpcd@$1.service" && exit 0
    ;;
  down)
    systemctl stop "dhcpcd@$1.service" && exit 0
    ;;
  *)
    echo "Wrong arguments" >&2
    ;;
esac
exit 1

Then make it executable:

# chmod +x /etc/ifplugd/bond_dhcp.action

Then create the systemd service which starts ifplugd for bond0:

/etc/systemd/system/net-auto-bonded@.service
[Unit]
Description=Provides automatic dhcp resolution for bonded failover connection
Requires=netctl@failover.service
After=netctl@failover.service

[Service]
ExecStart=/usr/bin/ifplugd -i %i -r /etc/ifplugd/bond_dhcp.action -fIns

[Install]
WantedBy=multi-user.target

Enable the net-auto-bonded service and reboot:

# systemctl enable net-auto-bonded@bond0.service
# reboot

If you have a wired and wireless connection to the same network, you can probably now disconnect and reconnect the wired connection without losing connectivity. In most cases, even streaming music won't skip!

Remove old dhcpcd lease

# rm /var/lib/dhcpcd/dhcpcd-wlan0.lease

DHCP timeout issues

If DHCP lease requests time out, you can raise the timeout above netctl's default of 10 seconds. Create a file in /etc/netctl/hooks/ or /etc/netctl/interfaces/, add TimeoutDHCP=30 to it for a timeout of 30 seconds, and make the file executable.

See also