Qubes-Community-Content/docs/privacy/anonymizing-your-mac-address.md

4.9 KiB

Anonymizing your MAC address

Although the MAC address is not the only metadata broadcast by network hardware, changing your hardware's default MAC Address could be an important step in protecting privacy.

Qubes OS 4.1 and later already anonymize all Wi-Fi MAC addresses by default - they change during every Wifi session. So there is no need to apply any of the instructions below if you're only interested in Wi-Fi connections. Users requiring Ethernet MAC address anonymization may want to read on.

Randomize a single connection

Right click on the Network Manager icon of your NetVM in the tray and click 'Edit Connections...'.

Select the connection to randomize and click Edit.

Select the "Cloned MAC Address" drop-down list and pick either 'Random" or "Stable'. 'Stable' will generate a random address that persists until reboot, while 'Random' will generate an address each time a link goes up. Edit Connection

Save the change and reconnect the connection (click on Network Manager tray icon and click "Disconnect" under the connection, it should automatically reconnect).

Randomize all Ethernet and Wi-Fi connections

These steps should be done inside a template to be used to create a NetVM as it relies on creating a config file that would otherwise be deleted after a reboot due to the nature of AppVMs.

Write the settings to a new file in the /etc/NetworkManager/conf.d/ directory, such as 00-macrandomize.conf. The following example enables Wi-Fi and Ethernet MAC address randomization while scanning (not connected), and uses a randomly generated but persistent MAC address for each individual Wi-Fi and Ethernet connection profile. It was inspired by the official NetworkManager example.

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}

#the below settings are optional (see the explanations below)
ipv6.ip6-privacy=2
ipv4.dhcp-client-id=stable
ipv6.dhcp-duid=stable-uuid
  • cloned-mac-address=stable in combination with connection.stable-id=${CONNECTION}/${BOOT} generates a random MAC address that persists until reboot. You could use connection.stable-id=random instead, which generates a random MAC address each time a link goes up.
  • ipv6.ip6-privacy=2 will cause multiple random IPv6 addresses to be used during every session (cf. RFC 4941). If you want to use a fixed IPv6 address based on the already random MAC address, choose ipv6.ip6-privacy=0. Leaving this setting at the default is not recommended as it is basically undefined.
  • ipv4.dhcp-client-id=stable and ipv6.dhcp-duid=stable-uuid instruct NetworkManager to use a DHCP client identifier based upon the random MAC address. According to the current NetworkManager documentation the default is undefined. So it makes sense to set one explicitly.

Also make sure that you have addr-gen-mode=stable-privacy in the [ipv6] section of your /rw/config/NM-system-connections/*.nmconnection files as this setting can only be set per connection.

To see all the available configuration options, refer to the man page: man nm-settings

Next, create a new NetVM using the edited template and assign network devices to it.

Finally, shutdown all VMs and change the settings of sys-firewall, etc. to use the new NetVM.

You can check the MAC address currently in use by looking at the status pages of your router device(s), or inside the NetVM with the command sudo ip link show.

Anonymize your hostname

DHCP requests may also leak your hostname to your LAN. Since your hostname is usually sys-net, other network users can easily spot that you're using Qubes OS.

Unfortunately NetworkManager currently doesn't provide an option to disable that leak globally (NetworkManager bug 584).

However the NetworkManager versions as of Qubes OS 4.1 were found to not leak the hostname as long as the file /etc/hostname does not exist. This behaviour may be subject to change in future NetworkManager versions though. So please always double check whether your hostname is leaked or not on e.g. your home router, via wireshark or tcpdump.

If you want to decide per connection, NetworkManager provides an option to not send the hostname:
Edit the saved connection files at /rw/config/NM-system-connections/*.nmconnection and add the dhcp-send-hostname=false line to both the [ipv4] and the [ipv6] section.