Linux Wireless Networks

WLAN/WiFi and Bluetooth

Tags: Linux, Network
Published: May 3, 2007
Modified: November 30, 2023

WiFi

IEEE 802.11 wireless computer networking standards …protocols for implementing a WLAN (Wireless Local Area Network) …basis for the Wi-Fi (Wireless Fidelity) brand …the standard is updated by means of amendments …denoted by 802.11 followed by a lower-case letter, for example IEEE 802.11a.

# find wireless devices
lspci | egrep -i --color 'wifi|wlan|wireless'

# find the driver(s) bound to the card(s), one lspci call per PCI slot
lspci | egrep -i --color 'wifi|wlan|wireless' \
      | cut -d' ' -f1 \
      | xargs -n1 lspci -k -s

Physical Layer

Widely used in the 2.4 GHz and 5 GHz radio frequencies …Industrial, Scientific and Medical (ISM) band (license free) …each spectrum is sub-divided into channels with a center frequency and bandwidth …these wavelengths work best with line-of-sight. Spread spectrum technology …DSSS (Direct Sequence Spread Spectrum) …OFDM (Orthogonal Frequency-Division Multiplexing). IEEE 802.11 Standards and Frequency Band…

Standard   Frequencies
802.11a    5 GHz
802.11b    2.4 GHz
802.11g    2.4 GHz
802.11n    2.4 & 5 GHz
802.11ac   below 6 GHz

802.11b/g/n networks operate in the 2.4 GHz band:

  • ISM band: 2.400–2.500 GHz
  • 14 channels, bandwidth approximately 20 to 22 MHz
  • Crowded frequency: Bluetooth, microwaves, telephones, garage door openers…
  • not all channels are usable for WiFi in all countries
  • channel overlap between two adjacent WiFi AP devices causes frequency interference
  • at most three non-overlapping channels can be found in the 2.4 GHz band

802.11a/n/ac networks operate in the 5 GHz band

  • ISM band: 4.915–5.825 GHz spectrum
  • Channel width: 802.11n 40MHz, 802.11ac 80MHz
  • less crowded, 23 non-overlapping channels (not in all countries)

Operating modes; wireless devices are called stations (STAs)

  • Wirelessly connected STAs (at least two) form a basic service set (BSS)
  • Controlled by a single coordination function (CF)

Ad-hoc mode without an AP

  • Direct communication between two stations (peer-to-peer model)
  • Isolated, no connection to other WiFi networks

Infrastructure mode using a wireless Access Point (AP)

  • STA with additional coordination functions
  • wireless devices must associate to an AP for network access

rfkill

rfkill subsystem registers devices capable of transmitting RF (WiFi, Bluetooth, GPS, FM, NFC) … hard blocked reflects some physical disablement …soft blocked is a software mechanism to enable or disable transmission

rfkill list                    # current state
rfkill block all               # turn off all RF
rfkill unblock all             # turn on all RF

A hard block cannot be unblocked by software …check the BIOS for WiFi related settings …use the physical switch or a keyboard shortcut (typically using the Fn key) …multiple keys can exist, e.g. one for WiFi and another one for Bluetooth. Kernel module configuration (check with modinfo -p rfkill):

cat >> /etc/modprobe.d/modprobe.conf <<EOF
options rfkill master_switch_mode=2
options rfkill default_state=1
EOF

iw & iwlist

iw (replaces iwconfig; no support for WPA/WPA2)

iw list                                 # show wireless device capabilities
iw dev $dev scan | grep -i ssid         # scan for wireless APs
iw dev $dev link                        # link connection status
iw reg get                              # show regulatory domain
iw list | grep -A 15 Frequencies:       # query the number of available channels and their allowed transmit power

iwlist scans for available wireless networks and displays their configuration

# make sure the Wifi interface is up
dev=wlan0
ip link set $dev up

# scan for nearby wireless access points
iwlist $dev scan | egrep -i 'SSID|Address|Channel|Quality|Auth'

wpa_cli

Connect to an encrypted (WEP, WPA, WPA2) wireless network with wpa_supplicant:

wpa_cli                            # used to configure wpa_supplicant
wpa_cli interface ${dev:-wlan0}    # select wireless interface
wpa_cli scan                       # scan for access points
wpa_cli scan_results               # list available access points

# default configuration file
/etc/wpa_supplicant/wpa_supplicant.conf

# example config file
/usr/share/doc/wpa_supplicant/wpa_supplicant.conf

# configure the authentication with an AP; wpa_passphrase also prints the
# clear-text passphrase as a "#psk=" comment, drop it before appending
wpa_passphrase "$ssid" | grep -v '^[[:space:]]*#psk=' | sudo tee -a /etc/wpa_supplicant/wpa_supplicant.conf >/dev/null
# enter the password at the prompt

Configure the country code

>>> grep country /etc/wpa_supplicant/wpa_supplicant.conf
country=DE

# reconfigure after a configuration change:
>>> sudo wpa_cli -i ${dev:-wlan0} reconfigure

Start the WiFi client in the background and get an IP address from DHCP

# start in background
>>> wpa_supplicant -B -c $file -i $dev
>>> ip link show $dev
# the interface state should be UP
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode ....
    link/ether 10:bf:48:4c:33:f8 brd ff:ff:ff:ff:ff:ff

# query DHCP for an IP address (ip link does not print addresses, use ip addr)
>>> dhcpcd $dev
>>> ip addr show $dev
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 10:bf:48:4c:33:f8 brd ff:ff:ff:ff:ff:ff
    # the inet line shows the assigned IP address
    inet 192.168.1.7/24 brd 192.168.1.255 scope global noprefixroute wlp3s0
       valid_lft forever preferred_lft forever

iwd & iwctl

iwd (iNet wireless daemon) aims to replace wpa_supplicant

  • no external dependencies, based on kernel features (D-Bus, cryptographic interface)
  • designed to deal with multiple clients from the outset
  • can be combined with systemd-networkd

Depending on the Linux distribution, build iwd from source to get a recent version [^1]

tmp=$(mktemp -d) && cd $tmp

# dependencies on Debian
sudo apt install -y libtool libreadline-dev libdbus-glib-1-dev

# download the required source code; the Embedded Linux library (ell) only
# needs to be checked out next to iwd, it is not built or installed separately
git clone https://kernel.googlesource.com/pub/scm/libs/ell/ell.git
git clone git://git.kernel.org/pub/scm/network/wireless/iwd.git && cd iwd

# configure, build, and install
./bootstrap
./configure --prefix=/usr --localstatedir=/var --sysconfdir=/etc
make
sudo make install
rm -rf $tmp

# load the systemd configuration
sudo systemctl daemon-reload

# print version information
/usr/libexec/iwd --version

Make sure to configure the following prerequisites …bring up the interfaces with systemd-networkd …configure DNS resolution with systemd-resolved …minimal configuration to assign IP address(es) and set up routes using the built-in DHCP client:

cat > /etc/iwd/main.conf <<EOF
[General]
EnableNetworkConfiguration=true
EOF
# enable the service to manage WiFi connections automatically
sudo systemctl enable --now iwd

In case you want to debug connection problems, start in foreground

# locate the service executable
systemctl cat iwd.service | grep ExecStart
ExecStart=/usr/libexec/iwd
# run in foreground with debug mode 
sudo IWD_TLS_DEBUG=1 /usr/libexec/iwd -d

Use the command-line interface iwctl to select a WiFi connection:

iwctl device list                    # list wireless devices
iwctl device <dev> show              # show device details
iwctl station list                   # list state
iwctl station <dev> scan             # scan for networks
iwctl station <dev> get-networks     # list networks
iwctl station <dev> connect <ssid>   # connect to network
# access point connection configuration is stored in
/var/lib/iwd/*.{open,psk,8021x}      # network configuration files

Configure the DNS resolution in /etc/iwd/main.conf (systemd-resolved is used by default)

[Network]
NameResolvingService=resolvconf

The PreSharedKey can be calculated with wpa_passphrase …included with wpa_supplicant …from the SSID and the WiFi passphrase

>>> wpa_passphrase <ssid>
# reading passphrase from stdin
************
network={
    ssid="<ssid>"
    #psk="***********"
    psk=9d1c20628cabdb224a1a420723478f585f4579efd4b206301b8c0d6e5ddc8296
}
cat > /var/lib/iwd/<ssid>.psk <<EOF
[Security]
PreSharedKey=9d1c20628cabdb224a1a420723478f585f4579efd4b206301b8c0d6e5ddc8296
EOF
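The derivation wpa_passphrase performs is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output. The following is an added example, not code from the page or from iwd/wpa_supplicant; it reproduces that computation, emits the iwd .psk file body and the wpa_supplicant network block, and names the file the way the iwd.network(5) rule describes (plain name for alphanumeric/space/-/_ SSIDs, otherwise "=" plus the hex-encoded SSID). The checks are tested against the IEEE 802.11 test vector SSID "IEEE", passphrase "password".

```python
import hashlib
import re


def wifi_psk(ssid: str, passphrase: str) -> str:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    the same computation wpa_passphrase performs. Returned as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32)
    return psk.hex()


def iwd_psk_filename(ssid: str) -> str:
    """File name iwd expects under /var/lib/iwd (iwd.network(5) naming rule):
    <ssid>.psk, or =<hex of ssid>.psk when the SSID contains anything but
    letters, digits, space, '-' or '_'."""
    if re.fullmatch(r"[A-Za-z0-9 _-]+", ssid):
        return f"{ssid}.psk"
    return "=" + ssid.encode().hex() + ".psk"


def iwd_psk_file(ssid: str, passphrase: str) -> str:
    """Body of the /var/lib/iwd/<ssid>.psk file. The hex PSK is equivalent
    to the passphrase for joining the network, so keep the file root-only
    (mode 0600)."""
    return f"[Security]\nPreSharedKey={wifi_psk(ssid, passphrase)}\n"


def wpa_supplicant_network(ssid: str, passphrase: str) -> str:
    """network={} block as wpa_passphrase prints it, minus the #psk= comment
    that would leave the clear-text passphrase in the config file."""
    return (
        "network={\n"
        f'    ssid="{ssid}"\n'
        f"    psk={wifi_psk(ssid, passphrase)}\n"
        "}\n"
    )


if __name__ == "__main__":
    # IEEE 802.11 test vector and the SSID used by the hostapd example below
    print(iwd_psk_filename("IEEE"), iwd_psk_file("IEEE", "password"))
    print(iwd_psk_filename("..--2--.."))
```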

(Not working!) connect to eduroam

ca=https://www.pki.dfn.de/fileadmin/PKI/zertifikate/T-TeleSec_GlobalRoot_Class_2.crt
sudo wget -q $ca -O /var/lib/iwd/eduroam.cer
openssl x509 -inform DER \
             -in /var/lib/iwd/eduroam.cer \
             -out /var/lib/iwd/eduroam.crt
# create a configuration to access Eduroam
domain=devops.test
user=devops
password=12345678
cat << EOF | sudo tee /var/lib/iwd/eduroam.8021x
[Settings]
AutoConnect=true
[Security]
EAP-Method=PEAP
EAP-Identity=anonymous@${domain}
EAP-PEAP-CACert=/var/lib/iwd/eduroam.crt
EAP-PEAP-ServerDomainMask=radius.${domain}
EAP-PEAP-Phase2-Method=MSCHAPV2
EAP-PEAP-Phase2-Identity=${user}@${domain}
EAP-PEAP-Phase2-Password=${password}
EOF

Signal Strength

Measured in dBm (decibel milliwatts) …absolute number representing power level in mW …expressed in negative values …logarithmic scale, the closer to 0 dBm, the better the signal is.

dBm   Quality
-30   Maximum, close to access point
-50   Excellent
-60   Good
-67   Reliable (enough for VoIP, non-HD video)
-70   Weak (enough for HTTP, mail)
-80   Unreliable
-90   Unusable

wavemon, TUI to monitor signal strength …RSSI (Received Signal Strength Indicator), relative quality of the received signal at a client. Main factors that can weaken your WiFi quality …physical obstruction, competing WiFi networks and/or interfering electronics.

# monitor link quality
watch -n 1 cat /proc/net/wireless

Security

Cf. Wireless Security Measures

Component   Description
WEP         Original encryption protocol, superseded by WPA
WPA         (Wi-Fi Protected Access) …introduced as an interim security enhancement over WEP …designed to be deployed on existing devices as a firmware upgrade …“WPA Personal” uses a PSK (pre-shared key) for authentication …“WPA Enterprise” uses an authentication server to generate keys/certificates …uses TKIP for encryption
WPA2        Based on the final 802.11i amendment (2004) …uses a 256-bit AES key for encryption …supports PSK and EAP authentication methods using RADIUS servers
EAP         (Extensible Authentication Protocol) …further improves WPA over the IEEE 802.1X standard …authentication framework based on RFC standards …WPA[2,3] uses EAP as authentication mechanism …types: EAP-TLS, EAP-TTLS (supports other auth. protocols in a TLS tunnel)
PEAP        (encapsulates EAP in a TLS tunnel) …PKI-based server certificate …EAP-MSCHAPv2 (authenticates to a Microsoft MS-CHAPv2 database)

connman

/etc/connman/main.conf                # configuration file
systemctl ... connman                 # service management
/var/lib/connman/                     # profile settings
connmanctl enable wifi                # power Wi-Fi on
           disable wifi
           scan wifi                  # scan for WLAN networks

Establish your first connection with an interactive session:

connmanctl
connmanctl> agent on
# scan for access points (AP)
connmanctl> scan wifi
# show available APs
connmanctl> services
*A  ..--WAVENET--..      wifi_185e0f65e843_2e2e2d2d574156454e45542d2d2e2e_managed_psk
# leading asterisk indicates a previously used AP
# connect to an AP
connmanctl> connect wifi_185e0f65e843_2e2e2d2d574156454e45542d2d2e2e_managed_psk
# disconnect from the AP
connmanctl> disconnect wifi_185e0f65e843_2e2e2d2d574156454e45542d2d2e2e_managed_psk
# leave the interactive session
connmanctl> quit

After authorisation with the AP has been established:

connmanctl services
connmanctl connect ...

hostapd

hostapd daemon to act as WiFi access point …hardware needs to support the access point operation

>>> iw list
...
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
...

Configuration in /etc/hostapd/hostapd.conf

apt install -y hostapd
cat > /etc/hostapd/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
ssid=..--2--..
country_code=DE
ieee80211d=1
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=test1234
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
EOF
# run in foreground
hostapd /etc/hostapd/hostapd.conf
# start the service
systemctl unmask hostapd
systemctl enable --now hostapd
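Added example (not code from the page or from hostapd): a parser for the key=value format of hostapd.conf plus an audit that flags the settings the Security table above describes as weak (open network, WPA(1)/TKIP, WEP shared-key authentication, a short pre-shared passphrase). The sample config is constructed from the keys used above; the 12-character passphrase threshold is this example's own heuristic, hostapd itself only enforces 8..63.

```python
# Constructed sample, same keys as the hostapd.conf shown on this page
SAMPLE_CONF = """\
interface=wlan0
driver=nl80211
ssid=..--2--..
hw_mode=g
channel=1
auth_algs=1
wpa=2
wpa_passphrase=test1234
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
"""


def parse_hostapd(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(conf: dict) -> list:
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: open network, traffic is not encrypted")
    elif wpa != "2":
        findings.append(f"wpa={wpa}: WPA(1)/TKIP clients accepted, set wpa=2")
    # auth_algs is a bitmask: bit 1 = open system, bit 2 = WEP shared-key
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append("auth_algs allows WEP shared-key authentication")
    if any(key.startswith("wep_") for key in conf):
        findings.append("WEP keys configured; WEP is superseded by WPA")
    # rsn_pairwise defaults to wpa_pairwise when unset, so check both
    ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed, use CCMP only")
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < 12:  # heuristic, legal minimum is 8
        findings.append("wpa_passphrase shorter than 12 characters, prefer a long one")
    return findings
```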

Static IP address assigned to the wireless interface

cat <<EOF | tee -a /etc/dhcpcd.conf
interface wlan0
    static ip_address=192.168.4.1/24
    nohook wpa_supplicant
EOF
systemctl restart dhcpcd

DHCP Server with dnsmasq

# install a DHCP server
apt install -y dnsmasq
# enable DHCP on the WiFi interface
cat > /etc/dnsmasq.conf <<EOF
interface=wlan0
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
EOF
# restart the DHCP server
systemctl restart dnsmasq

Routing and Masquerade

cat > /etc/sysctl.d/05-ip-forward.conf <<EOF
net.ipv4.ip_forward=1
EOF
sysctl --system
# masquerade for outbound traffic on eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save > /etc/iptables.ipv4.nat

Edit /etc/rc.local and add this just above exit 0

iptables-restore < /etc/iptables.ipv4.nat

Bluetooth

BlueZ, the Bluetooth protocol stack for Linux: http://www.bluez.org

/etc/bluetooth/{input,main,network}.conf     # bluetoothd configuration
systemctl enable --now bluetooth             # start bluetoothd
journalctl -u bluetooth                      # bluetoothd logs
bluetoothctl                                 # command line interface
sudo dmesg | grep Bluetooth                  # check kernel messages

Turn the physical Bluetooth device on/off with rfkill:

rfkill unblock bluetooth
rfkill block bluetooth

A2DP

bluetoothd emits an error like the following if support for audio streaming is not installed:

a2dp-sink profile connect failed for ... Protocol not available

A2DP is the “Advanced Audio Distribution Profile” which describes how Bluetooth devices can stream stereo-quality audio to remote devices.

Install the additional pulseaudio-bluetooth package:

sudo apt install -y pulseaudio pulseaudio-module-bluetooth bluez-firmware
sudo systemctl restart bluetooth
pulseaudio --kill && pulseaudio --start

Usage

Pairing is the process of making two devices known to each other

  • Exchange link-keys to secure the communication
  • Can be initiated from both endpoints
  • Includes an authentication that requires confirmation by the user

Outbound pairing & connection:

bluetoothctl scan on       # wait until devices are discovered
bluetoothctl devices       # list found device MAC addresses and names
bluetoothctl agent on      # start an authentication agent
bluetoothctl pair $mac     # pair with a device
bluetoothctl connect $mac  # after pairing, connect to the device

Inbound pairing:

# make the device discoverable and pairable
bluetoothctl discoverable on
bluetoothctl pairable on

An agent may be used to guide interactive device pairing. Register an agent with the BlueZ service with:

bluetoothctl agent KeyboardOnly

If no agent is registered, pairing will be attempted without user interaction.