Provided by: iwd_1.26-3_amd64 
NAME
iwd.config - Configuration file for wireless daemon
SYNOPSIS
Configuration file main.conf
DESCRIPTION
The main.conf configuration file configures the system-wide settings for iwd. This file lives in the
configuration directory specified by the environment variable $CONFIGURATION_DIRECTORY, which is normally
provided by systemd. In the absence of such an environment variable it defaults to /etc/iwd. If no
main.conf is present, then default values are chosen. The presence of main.conf is not required.
FILE FORMAT
See iwd.network for details on the file format.
SETTINGS
The settings are split into several categories. Each category has a group associated with it and
described in separate tables below.
General Settings
The group [General] contains general settings.
─────────────────────────────────────────────────────────────────────────────────
EnableNetworkConfiguration Values: true, false
Enable network configuration.
Setting this option to true enables
iwd to configure the network
interfaces with the IP addresses.
There are two types IP addressing
supported by iwd: static and dynamic.
The static IP addresses are
configured through the network
configuration files. If no static IP
configuration has been provided for a
network, iwd will attempt to obtain
the dynamic addresses from the
network through the built-in DHCP
client.
This also enables network
configuration and the DHCP server
when in AP mode and the AP profile
being activated does not override it.
The network configuration feature is
disabled by default. See [Network]
settings for additional settings
related to network configuration.
─────────────────────────────────────────────────────────────────────────────────
APRanges Values: <IP in prefix notation>
Sets the range of IP's used for DHCP
server (AP mode). The IP should be in
prefix notation e.g. 192.168.1.0/24.
AP's which are started in a
profile-less configuration will use
this pool of IP's to set the AP's
interface address as well as default
DHCP server options. Each AP will get
a new subnet from the range and
clients will be addressed in that
subnet to avoid IP conflicts if
multiple AP's are started.
─────────────────────────────────────────────────────────────────────────────────
UseDefaultInterface Values: true, false
Do not allow iwd to destroy /
recreate wireless interfaces at
startup, including default
interfaces. Enable this behavior if
your wireless card driver is buggy or
does not allow such an operation, or
if you do not want iwd to manage
netdevs for another reason. For most
users with an upstream driver it
should be safe to omit/disable this
setting.
─────────────────────────────────────────────────────────────────────────────────
AddressRandomization Values: disabled, once, network
If AddressRandomization is set to
disabled, the default kernel behavior
is used. This means the kernel will
assign a mac address from the
permanent mac address range provided
by the hardware / driver. Thus it is
possible for networks to track the
user by the mac address which is
permanent.
If AddressRandomization is set to
once, MAC address is randomized a
single time when iwd starts or when
the hardware is detected for the
first time (due to hotplug, etc.)
If AddressRandomization is set to
network, the MAC address is
randomized on each connection to a
network. The MAC is generated based
on the SSID and permanent address of
the adapter. This allows the same MAC
to be generated each time connecting
to a given SSID while still hiding
the permanent address.
─────────────────────────────────────────────────────────────────────────────────
AddressRandomizationRange Values: full, nic
One can control which part of the
address is randomized using this
setting.
When using AddressRandomizationRange
set to nic, only the NIC specific
octets (last 3 octets) are
randomized. Note that the
randomization range is limited to
00:00:01 to 00:00:FE. The permanent
mac address of the card is used for
the initial 3 octets.
When using AddressRandomizationRange
set to full, all 6 octets of the
address are randomized. The
locally-administered bit will be set.
─────────────────────────────────────────────────────────────────────────────────
RoamThreshold Value: rssi dBm value, from -100 to
1, default: -70
This value can be used to control how
aggressively iwd roams when connected
to a 2.4Ghz access point.
─────────────────────────────────────────────────────────────────────────────────
RoamThreshold5G Value: rssi dBm value, from -100 to
1, default: -76
This value can be used to control how
aggressively iwd roams when connected
to a 5GHz access point.
─────────────────────────────────────────────────────────────────────────────────
RoamRetryInterval Value: unsigned int value in seconds
(default: 60)
Specifies how long iwd will wait
before attempting to roam again if
the last roam attempt failed, or if
the signal of the newly connected BSS
is still considered weak.
─────────────────────────────────────────────────────────────────────────────────
ManagementFrameProtection Values: 0, 1 or 2
When ManagementFrameProtection is 0,
MFP is completely turned off, even if
the hardware is capable. This
setting is not recommended.
When ManagementFrameProtection is 1,
MFP is enabled if the local hardware
and remote AP both support it.
When ManagementFrameProtection is 2,
MFP is always required. This can
prevent successful connection
establishment on some hardware or to
some networks.
─────────────────────────────────────────────────────────────────────────────────
ControlPortOverNL80211 Values: false, true
Enable/Disable sending EAPoL packets
over NL80211. Enabled by default if
kernel support is available. Doing
so sends all EAPoL traffic over
directly to the supplicant process
(iwd) instead of putting these on the
Ethernet device. Since only the
supplicant can usually make sense /
decrypt these packets, enabling this
option can save some CPU cycles on
your system and avoids certain
long-standing race conditions.
─────────────────────────────────────────────────────────────────────────────────
DisableANQP Values: false, true
Enable/disable ANQP queries. The way
IWD does ANQP queries is dependent on
a recent kernel patch (available in
Kernel 5.3). If your kernel does not
have this functionality this should
be disabled (default). Some drivers
also do a terrible job of sending
public action frames (freezing or
crashes) which is another reason why
this has been turned off by default.
If you want to easily utilize Hotspot
2.0 networks, then setting
DisableANQP to false is recommended.
─────────────────────────────────────────────────────────────────────────────────
DisableOCV Value: false, true
Disable Operating Channel Validation.
Support for this is not advertised by
the kernel so if kernels/drivers
exist which don't support OCV it can
be disabled here.
─────────────────────────────────────────────────────────────────────────────────
SystemdEncrypt Value: Systemd key ID
Warning: This is a highly Enables network profile encryption
experimental feature using a systemd provided secret key.
Once enabled all PSK/8021x network
profiles will be encrypted
automatically. Once the profile is
encrypted there is no way of going
back using IWD alone. A tool,
iwd-decrypt-profile, is provided
assuming the secret is known which
will decrypt a profile. This
decrypted profile could manually be
set to /var/lib/iwd to 'undo' any
profile encryption, but its going to
be a manual process.
Setting up systemd to provide the
secret is left up to the user as IWD
has no way of performing this
automatically. The systemd options
required are LoadCredentialEncrypted
or SetCredentialEncrypted, and the
secret identifier should be named
whatever SystemdEncrypt is set to.
┌───────────────────────────────────────┬───────────────────────────────────────┐
│ │ │
Network │ │ │
--
SEE ALSO │ │ │
iwd(8), iwd.network(5) │ │ │
│ │ │
AUTHOR │ │ │
--
COPYRIGHT │ │ │