Although the MAC address is not the only metadata broadcast by network hardware, changing your hardware's default [MAC Address](https://en.wikipedia.org/wiki/MAC_address) could be [an important step in protecting privacy](https://tails.boum.org/contribute/design/MAC_address/#index1h1).
Qubes OS 4.1 and later already anonymize all Wi-Fi MAC addresses [by default](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/network/nm-31-randomize-mac.conf) - they change during every Wifi session.
So there is **no need** to apply any of the instructions below if you're only interested in Wi-Fi connections. Users requiring Ethernet MAC address anonymization may want to read on.
Save the change and reconnect the connection (click on Network Manager tray icon and click "Disconnect" under the connection, it should automatically reconnect).
These steps should be done inside a template to be used to create a NetVM as it relies on creating a config file that would otherwise be deleted after a reboot due to the nature of AppVMs.
Write the settings to a new file in the `/etc/NetworkManager/conf.d/` directory, such as `00-macrandomize.conf`.
The following example enables Wi-Fi and Ethernet MAC address randomization while scanning (not connected), and uses a randomly generated but persistent MAC address for each individual Wi-Fi and Ethernet connection profile.
It was inspired by the [official NetworkManager example](https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/examples/nm-conf.d/30-anon.conf).
*`cloned-mac-address=stable` in combination with `connection.stable-id=${CONNECTION}/${BOOT}` generates a random MAC address that persists until reboot. You could use `connection.stable-id=random` instead, which generates a random MAC address each time a link goes up.
*`ipv6.ip6-privacy=2` will cause a random IPv6 address to be used during every session. If you want to use an IPv6 address based on the already random MAC address, choose `ipv6.ip6-privacy=0`. Leaving this setting at the default is not recommended as it is basically undefined.
*`ipv6.addr-gen-mode=stable-privacy` is a default explicitly set by current versions of `NetworkManager` when creating new connection profiles. Setting it globally just makes sure that previously created connection profiles will use the same setting.
*`ipv4.dhcp-client-id=stable` and `ipv6.dhcp-duid=stable-uuid` instruct `NetworkManager` instruct `NetworkManager` to use a DHCP client identifier based upon the random MAC address. According to the current `NetworkManager` documentation the default is undefined. So it makes sense to set one explicitly.
To see all the available configuration options, refer to the man page: `man nm-settings`
Next, create a new NetVM using the edited template and assign network devices to it.
Finally, shutdown all VMs and change the settings of sys-firewall, etc. to use the new NetVM.
You can check the MAC address currently in use by looking at the status pages of your router device(s), or inside the NetVM with the command `sudo ip link show`.
DHCP requests _may_ also leak your hostname to your LAN. Since your hostname is usually `sys-net`, other network users can easily spot that you're using Qubes OS.
Unfortunately `NetworkManager` currently doesn't provide an option to disable that leak globally ([NetworkManager bug 584](https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/584)).
However the `NetworkManager` versions as of Qubes OS 4.1 were found to not leak the hostname as long as the file `/etc/hostname` does **not** exist. This behaviour may be subject to change in future `NetworkManager` versions though.
So please always double check whether your hostname is leaked or not on e.g. your home router, via `wireshark` or `tcpdump`.
Edit the saved connection files at `/rw/config/NM-system-connections/*.nmconnection` and add the `dhcp-send-hostname=false` line to both the `[ipv4]` and the `[ipv6]` section.