From ArchWiki
Jump to navigation Jump to search


netctl is a CLI-based tool used to configure and manage network connections via profiles. It is a native Arch Linux project for network configuration.


Install netctl from the official repositories.

Optional dependencies are shown in the table below.

Feature Dependency netctl program
(if relevant)
Automatic wireless connections wpa_actiond netctl-auto
Automatic wired connections ifplugd netctl-ifplugd
WPA wpa_supplicant
DHCP dhcpcd or dhclient
Wifi menus dialog
PPPoE ppp
Warning: You may be without connection after installing netctl if you run a different, conflicting network service. Use systemctl --type=service to ensure that no other network service is running.


It is advisable to read the following man pages before using netctl:


netctl uses profiles to manage network connections, with profile files stored in /etc/netctl/ and example configuration files in /etc/netctl/examples/. Common configurations include:

  • ethernet-dhcp
  • ethernet-static
  • wireless-wpa
  • wireless-wpa-static

To use an example profile, simply copy it from /etc/netctl/examples/ to /etc/netctl/ and configure it to your needs:

# cp /etc/netctl/examples/wireless-wpa /etc/netctl/profile
Warning: As of v197, udev no longer assigns network interface names according to the wlanX and ethX naming scheme. You should assume your network interface is named differently, and edit the interface name accordingly in the profile. See Network configuration#Device names for details.
Tip: For wireless settings, you can use wifi-menu -o as root to generate the profile file in /etc/netctl/.

Once you have created your profile, attempt to establish a connection:

# netctl start profile
Note: profile is the file name, not including the full path. Providing the full path will make netctl exit with an error code.

If the above command results in a failure, then use journalctl -xn and netctl status profile to obtain a more in depth explanation of the failure. Make the needed corrections to the failed configuration and try again.

Automatic operation

If you use only one profile (per interface) or want to switch profiles manually, the Basic method will do. Most common examples are servers, workstations, routers etc.

If you need to switch multiple profiles frequently, use Automatic switching of profiles. Most common examples are laptops.

Basic method

With this method, you can statically start only one profile per interface. First manually check that the profile can be started successfully, then it can be enabled using

# netctl enable profile

This will create and enable a systemd service that will start when the computer boots. Changes to the profile file will not propagate to the service file automatically. After such changes, it is necessary to reenable the profile:

# netctl reenable profile
Note: The connection is only established if the profile can be started succesfully at boot time (or when the service starts). That specifically means, in case of wired connection the cable must be plugged-in, in case of wireless connection the network must be in range.
Tip: To enable static IP profile on wired interface no matter if the cable is connected or not, use SkipNoCarrier=yes in your profile.

Automatic switching of profiles

netctl provides two special systemd services for automatic switching of profiles:

  • For wired interfaces: netctl-ifplugd@interface.service. Using this netctl profiles change as you plug the cable in and out.
  • For wireless interfaces: netctl-auto@interface.service. Using this netctl profiles change as you move from range of one network into range of other network.

First install required packages:

  • Package ifplugd is required to use netctl-ifplugd@interface.service.
  • Package wpa_actiond is required to use netctl-auto@interface.service.

Now create all the profiles that netctl-auto@interface.service or netctl-ifplugd@interface.service can start at /etc/netctl/

If you want some wireless profile not to be started automatically by netctl-auto@interface.service, you have to explicitly add ExcludeAuto=yes to that profile. You can use Priority= in the WPAConfigSection (see /etc/netctl/examples/wireless-wpa-configsection) to set priority of some profile when multiple profiles are available. netctl-ifplugd@interface.service will prefer profiles, which use DHCP. To prefer a profile with a static IP, you can use AutoWired=yes. See netctl.profile(5) for details.

Warning: Automatic selection of a WPA-enabled profile by netctl-auto is not possible with option Security=wpa-config, please use Security=wpa-configsection instead.

Once your profiles are set and verified to be working, simply enable these services using systemctl:

# systemctl enable netctl-auto@interface.service
# systemctl enable netctl-ifplugd@interface.service
  • If any of the profiles contain errors, such as an empty or misquoted Key= variable, the unit will fail to load with the message "Failed to read or parse configuration '/run/network/wpa_supplicant_wlan0.conf', even when that profile is not being used.
  • This method conflicts with the Basic method. If you have previously enabled a profile through netctl, run netctl disable profile to prevent the profile from starting twice at boot.

Since netctl 1.3, it possible to manually control an interface otherwise managed by netctl-auto without having to stop the netctl-auto service. This is done using the netctl-auto command. To have a list of available actions just run:

 # netctl-auto --help

Migrating from netcfg

netctl uses /etc/netctl/ to store its profiles, not /etc/network.d/ (used by netcfg).

In order to migrate from netcfg, at least the following is needed:

  • Disable the netcfg service: systemctl disable netcfg.service.
  • Uninstall netcfg and install netctl.
  • Move network profile files to the new directory.
  • Rename variables therein according to netctl.profile(5) (Most variable names have only UpperCamelCase i.e CONNECTION becomes Connection).
  • For static IP configuration make sure the Address variables have a netmask after the IP (e.g. Address=('' '') in the example profile).
  • If you setup a wireless profile according in the wireless-wpa-configsection example, note that this overrides wpa_supplicant options defined above the brackets. For a connection to a hidden wireless network, add scan_ssid=1 to the options in the wireless-wpa-configsection; Hidden=yes does not work there.
  • Unquote interface variables and other variables that do not strictly need quoting (this is mainly a style thing).
  • Run netctl enable profile for every profile in the old NETWORKS array. last option does not work this way, see the description of netctl.service in netctl.special(7).
  • Use netctl list and netctl start profile instead of netcfg-menu. wifi-menu remains available.
  • Unlike netcfg, by default netctl fails to bring up a NIC when it is not connected to another powered up NIC. To solve this problem, add SkipNoCarrier=yes at the end of your /etc/netctl/profile.

Passphrase obfuscation (256-bit PSK)

Note: Although "encrypted", the key that you put in the profile configuration is enough to connect to a WPA-PSK network. Therefore this process is only useful for hiding the human-readable version of the passphrase. This will not prevent anyone with read access to this file from connecting to the network. You should ask yourself if there is any use in this at all, since using the same passphrase for anything else is a very poor security measure.

Users not wishing to have the passphrase to their wireless network stored in plain text have the option of storing the corresponding 256-bit pre-shared key (PSK) instead, which is calculated from the passphrase and the SSID using standard algorithms.

  • Method 1: Use wifi-menu -o to generate a config file in /etc/netctl/
  • Method 2: Manual settings as follows.

For both methods it is suggested to chmod 600 /etc/netctl/<config_file> to prevent user access to the password.

Calculate your 256-bit PSK using wpa_passphrase:

$ wpa_passphrase your_essid passphrase
Note: This information will be used in your profile, so do not close the terminal.

In a second terminal window, copy the example file wireless-wpa from /etc/netctl/examples to /etc/netctl:

# cp /etc/netctl/examples/wireless-wpa /etc/netctl/wireless-wpa

You will then need to edit /etc/netctl/wireless-wpa using your favorite text editor and add the pre-shared key, that was generated earlier using wpa_passphrase, to the Key variable of this profile.

Once completed your network profile wireless-wpa containing a 256-bit PSK should resemble:

Description='A simple WPA encrypted wireless connection using 256-bit PSK'
  • Make sure to use the special quoting rules for the Key variable as explained at the end of netctl.profile(5).
  • If the passphrase fails, try removing the \" in the Key variable.

Tips and tricks

Using an Experimental GUI

If you want a graphical user interface to manage netctl and your connections and you are not afraid of highly experimental unofficial packages you can install netguiAUR from AUR. Note, however, that netgui is still in beta status and you should be familiar with the general netctl syntax to debug possible issues. Another GUI alternative is netctl-guiAUR which provides a Qt-based graphical interface, DBus daemon and KDE widget.

Set default dhcp client for all profiles

If you want to set a default dhcp client for all profiles on an interface, create an executable file /etc/netctl/interfaces/<interface> with the following line:


Replace 'netcfg current'

If you used netcfg current in the past, you can use # netctl-auto current as a replacement for connections started with netctl-auto (feature since netctl-1.3).

To manually parse the connections, you can also use:

# netctl list | awk '/*/ {print $2}'


See WPA2_Enterprise#netctl.


From kernel documentation:

The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical "bonded" interface. The behavior of the bonded interfaces depends on the mode. Generally speaking, modes provide either hot standby or load balancing services. Additionally, link integrity monitoring may be performed.

Load balancing

To use bonding with netctl, additional package from official repositories is required: ifenslave.

Copy /etc/netctl/examples/bonding to /etc/netctl/bonding and edit it, for example:

Description='Bond Interface'
BindsToInterfaces=('eth0' 'eth1')

Now you can disable your old configuration and set bonding to be started automatically. Switch to the new profile, for example:

# netctl switch-to bonding
Note: This uses the round-robin policy, which is the default for the bonding driver. See official documentation for details.
Tip: To check the status and bonding mode:
$ cat /proc/net/bonding/bond0

Wired to wireless failover

This example describes how to use bonding to fallback to wireless when the wired ethernet goes down. This is most useful when both the wired and wireless interface will be connected to the same network. Your wireless router/access point must be configured in bridge mode.

You will need additional packages from the official repositories: ifenslave and wpa_supplicant.

Fisrt enable the bonding module to be loaded upon boot time, as instructed on Kernel modules#Loading:


Then, configure the options of the bonding driver to use active-backup and configure the primary parameter to the device you want to be the active one (normally the wired interface). Also, be sure to use the same device name as returned when running ip link:

options bonding mode=active-backup miimon=100 primary=eth0 max_bonds=0

The miimon option is needed, for the link failure detection. The max_bonds option avoids the Interface bond0 already exists error. More information can be obtained on the kernel documentation.

Next, configure a netctl profile to enslave the two hardware interfaces. Use the name of all the devices you want to enslave. If you have more than two wired or wireless interfaces, you can enslave all of them on a bond interface. But, for most cases you will have only two devices, a wired and a wireless one:

Description='A wired connection with failover to wireless'
BindsToInterfaces=('eth0' 'wlan0')

Disable any other profiles (specially a wired or wireless) you had enabled before and then enable the failover profile on startup:

# netctl enable failover

Now you need to configure wpa_supplicant to connect to any know network you wish. You should create a file for each interface and enable it on systemd. Create the following file with this content:


And append to the end of this file any networks you want to connect:


To generate the obfuscated PSK you can run wpa_passphrase as on the WPA supplicant#Connecting with wpa_passphrase page.

Now, enable the wpa_supplicant service on the network interface:

# systemctl enable wpa_supplicant@wlan0

You can try now to reboot your machine and see if your configuration worked.

Note: If you get this error on boot bonding:
wlan0 is up - this may be due to an out of date ifenslave

Then this is happening because the wpa_supplicant is being run before the failover netctl profile. This happens because systemd runs everything in parallel, unless told otherwise. ifenslave need all the interfaces to be down before bonding them to the bond0 interface. And, since the wpa_supplicant need to put the interface up to be able to scan for networks, this might cause the interface to not be enslaved and your bonding to only have the wired interface.

If this is your case, then you will need to setup a custom dependency on the wpa_supplicant@wlan0 service in relation with the netctl@failover profile. More specifically, the wpa_supplicant must be started after the netctl profile. To accomplish this, create a custom dependency file based on the instructions provided here: systemd#Handling dependencies


After that you can try to reboot your system again and see if it works. You can check the status of your bonding by running:

# journalctl -u netctl@failover.service


# ip link

You should see something like this:

1: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP mode DEFAULT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
2: wlan0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP mode DORMANT group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Now, you can test your failover setup, by initiating a big download. Unplug your wired interface. Your download should keep going over the wireless interface. Then, plug your wired interface again and it should keep working. You can debug with the following comands:

# journalctl -u netctl@failover.service


# journalctl -u wpa_supplicant@wlan0.service

Using any interface

In some cases it may be desirable to allow a profile to use any interface on the system. A common example use case is using a common disk image across many machines with differing hardware (this is especially useful if they are headless). If you use the kernel's naming scheme, and your machine has only one ethernet interface, you can probably guess that eth0 is the right interface. If you use udev's Predictable Network Interface Names, however, names will be assigned based on the specific hardware itself (e.g. enp1s0), rather than simply the order that the hardware was detected (e.g. eth0, eth1). This means that a netctl profile may work on one machine and not another, because they each have different interface names.

A quick and dirty solution is to make use of the /etc/netctl/interfaces/ directory. Choose a name for your interface alias (en-any in this example), and write the following to a file with that name (making sure it is executable).

for interface in /sys/class/net/en*; do
Interface=$(basename $interface)
echo "en-any: using interface $Interface";

Then create a profile that uses the interface. Pay special attention to the Interface directive. The rest are only provided as examples.


When the wired profile is started, any machine using the two files above will automatically bring up and configure the first ethernet interface found on the system, regardless of what name udev assigned to it. Note that this is not the most robust way to go about configuring interfaces. If you use multiple interfaces, netctl may try to assign the same interface to them, and will likely cause a disruption in connectivity. If you do not mind a more complicated solution, netctl-auto is likely to be more reliable.

Using hooks

netcl supports basic hooks ExecUpPost and ExecDownPost that are triggered on change of a connection state. Whenever a profile is read, all executable scripts in /etc/netctl/hooks/ are sourced. Example of a script that runs a command after a connection is established:


ExecUpPost="systemctl start crashplan.service; systemctl start dropbox@<username>.service"

Problems with reconnecting on resume

Some tricky networks or interfaces might not work properly after your computer been asleep for some time. To work around this, you can write a systemd service like the following (netctl-auto and wlan0 are used in the example; replace them with whatever command you would use to restart your network interface):

Description=Restart netctl-auto on resume.

ExecStart=/usr/bin/systemctl restart netctl-auto@wlan0
ExecStart=/usr/bin/echo netctl-wlan0-resume: Successfully restarted netctl-auto@wlan0


Now enable the newly created service netctl-wlan0-resume.


Job for netctl@wlan(...).service failed

Some people have an issue when they connect to a network with netctl, for example:

# netctl start wlan0-ssid
Job for netctl@wlan0\x2ssid.service failed. See 'systemctl status netctl@wlan0\x2ssid.service' and 'journalctl -xn' for details.

When then looking at journalctl -xn, either of the following are shown:

1. If your device (wlan0 in this case) is up:

network[2322]: The interface of network profile 'wlan0-ssid' is already up

Setting the interface down should resolve the problem:

# ip link set wlan0 down

Then retry:

# netctl start wlan0-ssid

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: The following is an unsolved issue, using different DHCP client is just a poor/unexplained workaround. (Discuss in Talk:Netctl#)

2. If it is down:

dhcpcd[261]: wlan0: ipv4_sendrawpacket: Network is down

One way to solve this is to use a different DHCP client, for example dhclient. After installing the package configure netctl to use it:


Adding the ForceConnect option may also be helpful:




Save it and try to connect with the profile:

# netctl start wlan0-ssid

dhcpcd: ipv4_addroute: File exists

On some systems dhcpcd in combination with netctl causes timeout issues on resume, particularly when having swichted networks in the meantime. netctl will report that you are successfully connected but you still receive timeout issues. In this case, the old default route still exists and is not being renewed. A workaround to avoid this misbehaviour is to switch to dhclient as the default dhcp client. More information on the issue can be found here.

DHCP timeout issues

If you are having timeout issues when requesting leases via DHCP you can set the timeout value higher than netctl's 30 seconds by default. Create a file in /etc/netctl/hooks/ or /etc/netctl/interfaces/, add TimeoutDHCP=40 to it for a timeout of 40 seconds and make the file executable.

Connection timeout issues

If you are having timeout issues that are unrelated to DHCP (on a static ethernet connection for example), and are experiencing errors similar to the following when starting your profile:

# journalctl _SYSTEMD_UNIT=netctl@profile.service
Starting network profile 'profile'...
No connection found on interface 'eth0' (timeout)
Failed to bring the network up for profile 'profile'

Then you should increase carrier and up timeouts by adding TimeoutUp= and TimeoutCarrier= to your profile file:


Do not forget to reenable your profile:

# netctl reenable profile

See also