Category Archives: ipv6

Using IWD instead of wpa_supplicant

I always feel like I am a few years behind. Here is another example. Here at nearly the end of 2021 I have learned about IWD (iNet Wireless Daemon), which is a replacement for wpa_supplicant.

This is just to record a few facts about experiences over the last couple of days, subsequent to receiving and setting up a new laptop. I install Arch on this laptop, and initially followed what I had previously done in the earlier post: Switching to systemd-networkd.

One of the problems described in that post is that if one follows what it says, a side-effect is the loss of any very good “graphical” way to switch a laptop from one SSID to another. I detail there how I used a downloaded package called wpa_gui to do that, but while it is a good step forward, it is a bit clunky. Maybe I’m not using it exactly right… I mean no disrespect to its authors, and am glad it exists; but I went looking for something else. And I discovered the IWD package.

When I downloaded and installed IWD, in ignorance, I managed to completely eliminate my wireless device and spent a good deal of time recovering. Following are some things I learned. But there are two different changes in my environment going on here, and while they are related I’m not claiming that one requires the other. One of the changes is the substitution of IWD for wpa_supplicant as the party responsible for interacting with wireless radios, selecting one, authenticating to it, and making it available as a device. The second change is that I have begun to use NetworkManager again, in conjunction with systemd-networkd.

IWD is a systemd service, as is wpa_supplicant, NetworkManager, and systemd-networkd, and it is possible to create a great deal of confusion when all of these bits are installed on the same system. If one desires to have more confusion, one has only to do all this on an ubuntu system, where the presence of Canonical’s netplan software adds another order of magnitude increase in complexity, and additional opportunities for foot target practice.

One of the big opportunities for confusion arises when IWD renames network devices. If one has “.network” files (for steering systemd-networkd) which rely upon matches on the device names, surprise! the device names (like wlp11S0) get changed to (e.g.) wlan0 by IWD.

I probably don’t understand all this well enough to attempt to explain it, and will probably only look foolish if I try, so instead I will just detail where I ended up on two of my laptops.

I have enabled the services IWD, systemd-networkd and NetworkManager. In /etc/NetworkManager/NetworkManager.conf I have a [device] section containing the setting “wifi.backend=iwd” which instructs NetworkManager to rely on IWD rather than wpa_supplicant, and prevents NetworkManager from trying to start a wpa_supplicant. I have removed the local service file /etc/systemd/system/wpa_supplicant/wpa_supplicant@wlp11s0 (which I had described in my previous blog post), and have stopped and disabled (and even masked) the associated wpa_supplicant@wlp11s0 service as well as the plain wpa_supplicant service.

In /etc/systemd/network I have a .network file for 09_<laptop> containing the networkd description, same as before, except that the [match] now says “name=wl*” instead of the previous “name=wlp*” (because of IWD changing the name from wlp11s0 to wlan0).

Finally, one of these laptops is still ubuntu, so one gets the additional joy of netplan. There, in the /etc/netplan directory I went back to a yaml file which names the “renderer” as NetworkManager instead of systemd-networkd. My current, perhaps flawed understanding of this setting in netplan is that when netplan runs at boot time it uses the (collected and merged) yaml files to build at boot time the files for either systemd-networkd (in /run/systemd/network/), or for NetworkManager (in /run/NetworkManager/). These generated files will then get combined with similar files from /lib and from /etc (the latter having greatest priority, the former having least, and /run in the middle).

Going back to NetworkManager has one downside for me, the thing which drove me earlier to abandon NetworkManager in favor of systemd-networkd, and that is the specification of the IPv6 DUID to be used when soliciting an IPv6 address from DHCPv6. I can’t find information about how to stipulate the DUID to be used (for example in this nm_connection documentation). What I have done is develop better tools to figure out what NetworkManager decided to send, so I can arrange for the DHCPDv6 server to assign a static address to that DUID.

Switching to systemd-networkd

Since moving to IPv6 I have had two recurrent problem: one with some conflict between systemd and the kernel over the /proc/sys/net/ipv6/conf/*/accept_ra, and the second with losing the static ipv6 address assignments on some boxes. I believe the former problem to have something to do with systemd wanting to have control of the sysctl variables, such as accept_ra.

The latter problem is due to the various bits of software that want to have a say in the control of the network. In part some of this is my own fault, as I do have these various bits installed – and if they weren’t installed they could not be causing trouble.

I installed NetworkManager in some places, even when it hadn’t been installed by default, because I wanted to be able to control things with the network applet in gnome. I installed dhclient even though it wasn’t installed, because I wanted better ability to see and control the dhcpv6 leases, particularly the DUID, and network manager made that difficult (and astonishingly, in some cases simply didn’t work).

Continue reading Switching to systemd-networkd

IPv6 Re-implementation

This is a follow up to the activities in IPv6 implementation, which was published on March 2nd and revised up through March 19th, as new challenges were addressed. Since March 19th a great deal of what I wrote has been revised, as I have learned a lot more.

The main issue was that there remained a number of problems with the implementation of IPv6 in my residence.

  • The biggest was the question how to handle the delegated prefix, particularly in renumbering. Over the course of the last several months I have to note that Comcast has never changed my prefix, except early on, when I forced it to do so by changing my DUID. And I don’t think it likely that my prefix would change unless some great catastrophe befalls which results in my being down for a very extended period – like 30 days; or more likely there is some change in my service (a change in ISP, or perhaps fiber arriving in my area).
  • The first implementation required that I make patches to the code of my router. This meant that I would have to figure out how to carry those patches forward in the event of firmware updates from Ubiquiti, the maker of the Edgerouter-X that I am using.
  • The implementation was pretty fragile, with a lot of unrelated bits in different places. In particular there was a lot of hand-waving in trying to assign and maintain a separate network for the virtual machines on one of the interior boxes.
Continue reading IPv6 Re-implementation

IPv6 implementation

This post describes my first attempt at implementation of IPv6, a process that took place over a span of a couple of months. After this was done, and was working, a “better way” emerged, which will be the subject of an additional post. I leave this in here for the sake of documenting what I did the first time, but in the unlikely event that anyone finds this while looking on the net for information about implementing a similar arrangement, I urge you to find the other post, and read it as well. This implementation was fragile.

A few weeks back (10 Feb) my friend Mr. G and I exchanged an email in which he said of a possible project “…but this would be an opportunity to learn IPv6”, reminding me that I have for a long time wanted to learn more about IPv6. Part of the genesis of that email conversation was a recent switch by my brother-in-law to a new ISP that employed CGN, so called Carrier Grade Nat, which had disrupted arrangements I had in place for reaching my brother-in-law’s home network. Mr G. opined that the move towards CGN, and other things the ISPs were doing, raised the specter that someday, perhaps sooner than we expect, anyone desiring to do more with their network than occasionally use a browser would find ourselves having to move to ipv6.

More, I have actually wanted to use IPv6 for a long while, but had been under the impression (erroneously) that Comcast really wasn’t ready for this, that all they would give me was a 6to4 tunnel, which I barely understood anyway.

Continue reading IPv6 implementation

Odd VPN Problem

I have had trouble twice now with modifying a working vpn configuration, and then being unable to get it to start. Both times I never actually solved it, so much as eliminating the problem by switching to a different nordvpn config file.

There was a penetration at nordvpn in which some passwords and userinfo were leaked. I wanted to change my password, and did, and had to get into the vpn router and change it there. And after I did the vpn just would not start. Eventually, I switched to another vpn endpoint, put in a new .conf file in /etc/openvpn/client and it came right up.

I don’t know what this is about.

March 26, 2021: I spent all morning on this again. I was changing scripts on Rosemary and also, double and triple checking that I did not allow IPv6 on obelisk/rosemary (if routable IPv6 addresses are available they will be used in preference to the IPv4 vpn, which is the whole point of obelisk). After a reboot of obelisk, it lost dns. I spent several hours trying to solve this, most of the time spent on obelisk. The vpn would come up, and I could ping raw addresses, but the dns wouldn’t work. I don’t even see what this has to do with the vpn tunnel.

Yet in the end, out of desperation, I tried bringing in a new nordvpn conf file (actually it comes in as an ovpn file, and once I put a password link in it it is saved as a conf file). A link in /etc/openvpn points to whichever of these is active. So I installed a new one, rebooted the router (again), and like magic it began to work.