Abracadabra

On Linux, a component called WPA Supplicant [1], which has been around since 2003, plays an important role in wireless connections (see the box entitled "Why the Name?"). As the name suggests, WPA Supplicant is a wireless supplicant that supports the WiFi Protected Access Standard (WPA) for secure wireless communication [2]. WPA has been around for over 20 years, and the industry is now on the third major version, which is known as WPA3. WPA Supplicant toils in the background on most modern Linux distros, where users tend to interact with the system through a GUI interface, but if you're using a wireless configuration tool like NetworkManager, Wicd, or ConnMan, WPA Supplicant is probably at work behind the scenes.

WPA Supplicant has seen many improvements through the years, and, in general, it is much easier to connect Linux to a wireless network than it used to be. However, many experts believe that Linux wireless support is due for some reinvention. The world got a scare a few years ago, when WPA Supplicant was shown to be susceptible to the KRACK attack on the WPA2 protocol [3]. Since then, KRACK vulnerabilities have been patched, and WPA3 has taken wireless security to a deeper level, but the complications in implementing a reliable solution underscored the inherent complexity and ungainliness of the WPA Supplicant codebase. That complexity, along with many dependencies, also means that WPA Supplicant is ill-suited for mobile devices and Internet of Things configurations. The need to simplify and provide a better solution for these new technologies explains why efforts have been underway for several years to create a lean alternative to WPA Supplicant.

One alternative that has already arrived, although it still is not installed by default on most Linux systems, is the iNet wireless daemon (iwd) [4]. Intel has been leading the development of iwd for the last four years. In October 2019, the stable 1.0 version was released, and today iwd's version count has reached 1.9. NetworkManager versions from 1.12.0 on can use iwd as their back end. Iwd also works with alternatives such as ConnMan and systemd-networkd. And recently, a small GUI was released for users who want to do without NetworkManager or ConnMan but still want to work through a graphical interface.

The description of the iwd project on www.kernel.org highlights simplicity as an important factor behind iwd's recent rise: "The core goal of the project is to optimize resource utilization: storage, runtime memory, and link-time costs. This is accomplished by not depending on any external libraries and utilizing features provided by the Linux Kernel to the maximum extent possible. The result is a self-contained environment that only depends on the Linux Kernel and the runtime C library." [5]

Arch Linux switched to iwd in a snapshot from July 2020. During the installation, you no longer call the wifi-menu command to set up WiFi, and the netctl network manager has been replaced by iwctl. Ubuntu has also been testing iwd and evaluating the possibility of making it the new standard. The developers now consider iwd to be functionally almost on a par with WPA Supplicant.

Iwd is likely on its way to your Linux version sometime in the future. In the meantime, we decided to install iwd and take a closer look.

iwd with Ubuntu

We chose a daily build of Ubuntu 20.10 as the test candidate, and we tried to recreate as many of Ubuntu's test requirements as possible. We first used iwd in the terminal, then tested it with the new GUI, and finally used it in combination with NetworkManager, replacing WPA Supplicant as the back end.

Iwd consists of the iwd daemon, the iwctl client, and the iwmon monitoring tool. The daemon and client were implemented with less than 50,000 lines of code. In comparison: WPA Supplicant weighs in at almost 500,000 lines of code. Iwd uses kernel functions wherever possible (e.g., for encryption). Other benefits include WiFi Protected Setup (WPS) support, simplified network management, fast roaming without unnecessary scanning, and support for multiple profiles per user. For enterprises, iwd also offers support for the following:

• Extensible Authentication Protocol (EAP): A general authentication protocol developed by the Internet Engineering Task Force (IETF) that supports authentication methods such as RADIUS, digital certificates, or SIM cards.
• Trusted Platform Module (TPM): A chip that adds basic security functions to a computer or similar device. In combination with a modified operating system and appropriate software, a Trusted Computing Platform is created.

Iwd basically gets along without configuration because it mainly relies on kernel functions. Only advanced functions like WPA Enterprise require configuration files. Iwd supports WPA3 and Opportunistic Wireless Encryption (OWE). OWE is a standardized procedure for securely encrypting data exchanged on public WiFi networks without a password.

Since version 1.8, iwd has supported peer-to-peer functions via its own API. Bluetooth-style WiFi Direct (WiFi P2P) lets users connect supported devices directly without an intermediate access point.

Getting Started

Before you can get started with iwd, you'll need to take some preliminary steps (Listing 1). First, check if iwd is already installed (line 1). We did not find iwd on the Ubuntu image we tested, which dated from September 12, 2020. We proceeded to install iwd and remove NetworkManager (lines 3 and 4). We then disabled WPA and stopped it permanently by masking (lines 5 to 7). Finally, we enabled iwd (lines 8 and 9) and checked if everything was working (line 10).

01 $ systemctl status iwd.service
02 Unit iwd.service could not be found.
03 $ sudo apt install iwd
04 $ sudo apt purge network-manager
05 $ sudo systemctl stop wpa_supplicant.service
06 $ sudo systemctl disable wpa_supplicant.service
07 $ sudo systemctl mask wpa_supplicant
08 $ sudo systemctl enable iwd.service
09 $ sudo systemctl start iwd.service
10 $ systemctl status iwd.service

It is a bad idea to remove the wpasupplicant package after the preliminary work is complete, instead of just disabling it. On Ubuntu, removing wpasupplicant would also remove the ubuntu-desktop metapackage due to many dependencies. On Debian, NetworkManager would be removed as well – which might be a benefit in some cases.

WLAN Setup

Once you have completed the necessary steps, and assuming the status query is positive, you can set up WiFi access. If you get a message about rfkill blocking (Figure 1), call the command:

sudo rfkill list wifi

Figure 1: Once WPA Supplicant is shut down, and if iwd always launches at boot time, the status query reports an active service. However, the last line indicates that the device interface cannot be enabled.

If Soft blocked shows up as yes, pressing Fn+F5 might help to switch off flight mode. If this does not help, use:

sudo rfkill unblock wifi

Check if this worked with rfkill or a new status request for iwd.service.

Now launch an interactive shell as a normal user with the iwctl command. Typing help lists all the available options. To exit the shell, press Ctrl+D. Iwd can also be used without an interactive shell; you just have to prefix each command with iwctl.

Find devices and their names with the adapter list command. Use device list to discover the name the system is using for the interface (Figure 2). On the test device, the interface goes by the name of wlan0. The command

device wlan0 show

Figure 2: The adapter list command displays the available network interface cards with their names and manufacturer IDs.

delivers more details about the network interface card (Figure 3). Now scan by typing station wlan0 scan before using station wlan0 get-networks to display the available networks (Figure 4).

Figure 3: Use the device list command to determine the name and state of the interface.

Figure 4: After a scan, station wlan0 get-networks displays the available networks.

The station WiFi0 connect your_SSID command (you need to replace the placeholder with the correct SSID), enables the connection. The requested password is stored in /var/lib/iwd when input with the .psk suffix.

If needed, check the functionality again by typing:

status wlan0 get-networks

A check mark, hardly visible against the dark color scheme of the Ubuntu terminal, indicates that the connection was successfully opened. Then use ping to check the status of the Internet connection or browse to a website. After rebooting the computer, iwd automatically re-establishes the wireless connection.