mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
Merge branch 'tasket-patch-6'
commit
5743ca1bfa
@ -9,26 +9,58 @@ redirect_from:
|
|||||||
Anonymizing your MAC Address
|
Anonymizing your MAC Address
|
||||||
============================
|
============================
|
||||||
|
|
||||||
Changing the default [MAC Address](https://en.wikipedia.org/wiki/MAC_address) of your hardware is [crucial in protecting
|
Although it is not the only metadata broadcast by network hardware, changing the default [MAC Address](https://en.wikipedia.org/wiki/MAC_address) of your hardware could be [an important step in protecting
|
||||||
privacy](https://tails.boum.org/contribute/design/MAC_address/#index1h1). Currently, Qubes OS *does not* "anonymize" or spoof the MAC Address, so until this is implemented by default you can randomize your MAC Address with the following guide.
|
privacy](https://tails.boum.org/contribute/design/MAC_address/#index1h1). Currently, Qubes OS *does not* automatically "anonymize" or spoof the MAC Address, so until this is implemented by default you can randomize your MAC Address with one of the following guides using either Network Manager or macchanger...
|
||||||
|
|
||||||
## Configuring Qubes
|
## Upgrading and configuring Network Manager in Qubes
|
||||||
|
|
||||||
|
Newer versions of Network Manager have a robust set of options for randomizing MAC addresses, and can handle the entire process across reboots, sleep/wake cycles and different connection states. In particular, versions 1.4.2 and later should be well suited for Qubes.
|
||||||
|
|
||||||
|
NM 1.4.2 is currently available from the Debian 9 (testing) repository, and has been tested in Qubes using a Debian template [upgraded to version 9.](https://www.qubes-os.org/doc/debian-template-upgrade-8/)
|
||||||
|
|
||||||
|
In the Debian 9 template you intend to use as a NetVM, check that Network Manager version is now at least 1.4.2:
|
||||||
|
|
||||||
|
~~~
|
||||||
|
$ sudo Network-Manager -V
|
||||||
|
1.4.2
|
||||||
|
~~~
|
||||||
|
|
||||||
|
Add the settings in `/etc/NetworkManager/NetworkManager.conf`. The following example enables Wifi MAC address randomization both while scanning (not connected) and while connected.
|
||||||
|
|
||||||
|
~~~
|
||||||
|
[device-scan]
|
||||||
|
wifi.scan-rand-mac-address=yes
|
||||||
|
|
||||||
|
[connection]
|
||||||
|
wifi.cloned-mac-address=stable
|
||||||
|
~~~
|
||||||
|
|
||||||
|
To see the available configuration options, refer to the man page: `man nm-settings`
|
||||||
|
|
||||||
|
Next, create a new NetVM using the new template and assign network devices to it.
|
||||||
|
|
||||||
|
Finally, shutdown all VMs and change the settings of sys-firewall, etc. to use the new NetVM.
|
||||||
|
|
||||||
|
You can check the MAC address currently in use by looking at the status pages of your router device(s), or in the NetVM with the command `sudo ip link show`.
|
||||||
|
|
||||||
|
|
||||||
|
## Configuring Qubes with macchanger and scripts
|
||||||
|
|
||||||
First thing you need to do is install **macchanger** package by opening your `fedora-23` TemplateVM and typing
|
First thing you need to do is install **macchanger** package by opening your `fedora-23` TemplateVM and typing
|
||||||
|
|
||||||
```
|
~~~
|
||||||
sudo dnf install macchanger
|
sudo dnf install macchanger
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Then create the file `macspoof@.service` in `fedora-23` located at `/etc/systemd/system/` directory using a text editor such as `vim`, `emacs`, or `gedit`
|
Then create the file `macspoof@.service` in `fedora-23` located at `/etc/systemd/system/` directory using a text editor such as `vim`, `emacs`, or `gedit`
|
||||||
|
|
||||||
```
|
~~~
|
||||||
sudo gedit /etc/systemd/system/macspoof@.service
|
sudo gedit /etc/systemd/system/macspoof@.service
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Paste the following inside of that newly created file
|
Paste the following inside of that newly created file
|
||||||
|
|
||||||
```
|
~~~
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=macchanger on %I
|
Description=macchanger on %I
|
||||||
# Hack since macspoof@%i contains @ which is not allowed yet
|
# Hack since macspoof@%i contains @ which is not allowed yet
|
||||||
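Review bot: The version check added in the Network Manager section, `$ sudo Network-Manager -V`, names a command that does not exist. The daemon binary is `NetworkManager`, so the line should read `sudo NetworkManager -V`, otherwise readers fail at the first verification step. Separately, the sentence introducing the config says it enables randomization "while connected", but `wifi.cloned-mac-address=stable` generates one address per connection profile and reuses it on every reconnect to that network. State that, and mention `random` as the value that changes the address on each connect, so readers can choose deliberately. The example also sets only `wifi.*` keys, so a wired interface in the NetVM keeps its hardware address unless `ethernet.cloned-mac-address` is set too. That deserves a sentence, since the macchanger section covers `enp0s0` as well as `wlp0s1`.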
@ -44,15 +76,15 @@ Type=oneshot
|
|||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
```
|
~~~
|
||||||
|
|
||||||
**How random do you want your MAC address?**
|
**How random do you want your MAC address?**
|
||||||
|
|
||||||
Note in the above line `ExecStart=/usr/bin/macchanger -e %I` we recommend the use of `macchanger` with the `-e` flag which randomizes the MAC address to an address by the same device vendor/manufacturer. There a [number of other flags](http://manpages.ubuntu.com/manpages/xenial/en/man1/macchanger.1.html) you could use instead, such as `-r` which makes a totally random MAC address, which may map to a non-existent device vendor/manufacturer and make it obvious you are spoofing your MAC address. Some reasons why we have recommended `-e` rather than `-r` are in these resources:
|
Note in the above line `ExecStart=/usr/bin/macchanger -e %I` we recommend the use of `macchanger` with the `-e` flag which randomizes the MAC address to an address by the same device vendor/manufacturer. There a [number of other flags](http://manpages.ubuntu.com/manpages/xenial/en/man1/macchanger.1.html) you could use instead, such as `-r` which makes a totally random MAC address, which may map to a non-existent device vendor/manufacturer and make it obvious you are spoofing your MAC address. Some reasons why we have recommended `-e` rather than `-r` are in these resources:
|
||||||
|
|
||||||
* https://tails.boum.org/contribute/design/MAC_address/#index5h2
|
* <https://tails.boum.org/contribute/design/MAC_address/#index5h2>
|
||||||
* https://tails.boum.org/contribute/design/MAC_address/#limitation-only-spoof-nic-part
|
* <https://tails.boum.org/contribute/design/MAC_address/#limitation-only-spoof-nic-part>
|
||||||
* https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses#Fully_Random
|
* <https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses#Fully_Random>
|
||||||
|
|
||||||
**Get the right iface names**
|
**Get the right iface names**
|
||||||
|
|
||||||
@ -60,7 +92,7 @@ It's crucial to get the correct **iface name** for the devices (ethernet and wif
|
|||||||
open your `sys-net` (or wherever your device drivers are) and type in `terminal` the command `ifconfig` the printout
|
open your `sys-net` (or wherever your device drivers are) and type in `terminal` the command `ifconfig` the printout
|
||||||
will look like:
|
will look like:
|
||||||
|
|
||||||
```
|
~~~
|
||||||
enp0s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
|
enp0s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
|
||||||
ether 9e:d6:53:02:4b:b6 txqueuelen 1000 (Ethernet)
|
ether 9e:d6:53:02:4b:b6 txqueuelen 1000 (Ethernet)
|
||||||
RX packets 0 bytes 0 (0.0 B)
|
RX packets 0 bytes 0 (0.0 B)
|
||||||
@ -86,7 +118,7 @@ wlp0s1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
|
|||||||
RX errors 0 dropped 0 overruns 0 frame 0
|
RX errors 0 dropped 0 overruns 0 frame 0
|
||||||
TX packets 32 bytes 3712 (3.6 KiB)
|
TX packets 32 bytes 3712 (3.6 KiB)
|
||||||
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
|
||||||
```
|
~~~
|
||||||
|
|
||||||
The **iface name** values you're interested in are `enp0s0` and `wlp0s1` as those represent your ethernet and wifi
|
The **iface name** values you're interested in are `enp0s0` and `wlp0s1` as those represent your ethernet and wifi
|
||||||
devices, respectively.
|
devices, respectively.
|
||||||
@ -98,29 +130,29 @@ respectively. *Copy these MAC addresses down somewhere for later.*
|
|||||||
Now, go back to your `fedora-23` TemplateVM and use the `touch` command to create service files in the appropriate
|
Now, go back to your `fedora-23` TemplateVM and use the `touch` command to create service files in the appropriate
|
||||||
place, note that the `iface name` values at the end:
|
place, note that the `iface name` values at the end:
|
||||||
|
|
||||||
```
|
~~~
|
||||||
cd /var/run/qubes-service/
|
cd /var/run/qubes-service/
|
||||||
sudo touch macspoof-enp0s0
|
sudo touch macspoof-enp0s0
|
||||||
sudo touch macspoof-wlp0s1
|
sudo touch macspoof-wlp0s1
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Verify the correct files exist in the directory
|
Verify the correct files exist in the directory
|
||||||
|
|
||||||
```
|
~~~
|
||||||
[user@fedora-23 qubes-service]$ ls
|
[user@fedora-23 qubes-service]$ ls
|
||||||
cups macspoof-wlp0s1 qubes-update-check
|
cups macspoof-wlp0s1 qubes-update-check
|
||||||
macspoof-enp0s0 meminfo-writer updates-proxy-setup
|
macspoof-enp0s0 meminfo-writer updates-proxy-setup
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Now, also within the TemplateVM, type the following commands for each hardware device that you want to randomize a MAC
|
Now, also within the TemplateVM, type the following commands for each hardware device that you want to randomize a MAC
|
||||||
addresses for
|
addresses for
|
||||||
|
|
||||||
```
|
~~~
|
||||||
sudo systemctl enable macspoof@wlp0s1
|
sudo systemctl enable macspoof@wlp0s1
|
||||||
Created symlink from /etc/systemd/system/multi-user.target.wants/macspoof@wlp0s1.service to /etc/systemd/system/macspoof@.service.
|
Created symlink from /etc/systemd/system/multi-user.target.wants/macspoof@wlp0s1.service to /etc/systemd/system/macspoof@.service.
|
||||||
sudo systemctl enable macspoof@enp0s0
|
sudo systemctl enable macspoof@enp0s0
|
||||||
Created symlink from /etc/systemd/system/multi-user.target.wants/macspoof@enp0s0.service to /etc/systemd/system/macspoof@.service.
|
Created symlink from /etc/systemd/system/multi-user.target.wants/macspoof@enp0s0.service to /etc/systemd/system/macspoof@.service.
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Now you can do the following:
|
Now you can do the following:
|
||||||
- Stop your `fedora-23` VM
|
- Stop your `fedora-23` VM
|
||||||
@ -132,10 +164,10 @@ Open your VM settings for `sys-net`, navigate to Services, and add the new servi
|
|||||||
|
|
||||||
Alternatively, you can enable these services for `sys-net` from the command line by opening up Terminal in `dom0` and running the following:
|
Alternatively, you can enable these services for `sys-net` from the command line by opening up Terminal in `dom0` and running the following:
|
||||||
|
|
||||||
```
|
~~~
|
||||||
qvm-service -e sys-net macspoof-wlp0s1
|
qvm-service -e sys-net macspoof-wlp0s1
|
||||||
qvm-service -e sys-net macspoof-enp0s0
|
qvm-service -e sys-net macspoof-enp0s0
|
||||||
```
|
~~~
|
||||||
|
|
||||||
Now restart `sys-net`.
|
Now restart `sys-net`.
|
||||||
|
|
||||||
@ -147,14 +179,14 @@ Your MAC address should now randomize each time you restart your computer or res
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Usage Notes
|
## Usage Notes - Macchanger
|
||||||
|
|
||||||
This approach to MAC Randomizing has been tested and used by some users as well as some of the Qubes team. Observations that are to be expected are:
|
This approach to MAC Randomizing has been tested and used by some users as well as some of the Qubes team. Observations that are to be expected are:
|
||||||
|
|
||||||
- This does not randomize your MAC Address on sleep and wake state (only on restarting the `sys-net` VM)
|
- This does not randomize your MAC Address on sleep and wake state (only on restarting the `sys-net` VM)
|
||||||
- The `sys-net` networking VM takes longer for device drivers to start up than usual, this delayed startup may cause the first attempt of `sys-whonix` to connect to Tor to fail
|
- The `sys-net` networking VM takes longer for device drivers to start up than usual, this delayed startup may cause the first attempt of `sys-whonix` to connect to Tor to fail
|
||||||
|
|
||||||
## Disabling / Uninstalling
|
## Disabling / Uninstalling Macchanger
|
||||||
|
|
||||||
To disable MAC Randomizing if you find that a network connecting to does not like changing MAC Addresses, you can disable temporarily or if you want to permanently remove this solution, do the following:
|
To disable MAC Randomizing if you find that a network connecting to does not like changing MAC Addresses, you can disable temporarily or if you want to permanently remove this solution, do the following:
|
||||||
|
|
||||||
|
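Review bot: The two renamed headings, `## Usage Notes - Macchanger` and `## Disabling / Uninstalling Macchanger`, capitalize the tool name, while the section heading added earlier in this patch (`## Configuring Qubes with macchanger and scripts`) uses lower case. Pick one spelling; lower case matches the package and command name. The first usage note says this method does not re-randomize on sleep and wake, while the new Network Manager section states that NM handles sleep/wake cycles, so a one-line pointer from these notes to the NM section would help readers choose between the two methods.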