How to Randomize your MAC Address with NetworkManager

2021 October 5

What?

Computers with networking (Ethernet, Wi-Fi, Bluetooth) capabilities are uniquely identified by MAC (media access control) addresses. Normally, these addresses are static, meaning that your computer will always identify itself as the same computer when it uses Ethernet, Wi-Fi, etc. In this tutorial, you will change your Ethernet and Wi-Fi MAC addresses so that when your computer uses the internet, it will report itself as a different device each time.

Why?

If your computer reports itself as the same device (with the same MAC address) all the time, its location can be tracked over time.

For example, suppose you take your laptop to the public library and connect to the Wi-Fi. The next day, you go back to the same library and connect the same laptop to the same Wi-Fi. The library can identify that it's the same laptop connecting both times.

If you connect to many different networks^[1], those networks can collude to determine that the same device connected to each.

As well, it seems that when iPhones use Wi-Fi, they tell Apple which other devices are on the same Wi-Fi network, along with location information (if location is enabled on the iPhone). By randomizing your MAC address, you can limit Apple's ability to identify you and track you from place to place where you might connect to Wi-Fi networks that are also used by people with iPhones.

Requirements

I assume here that you're running Linux on a networked (Ethernet and/or Wi-Fi) device using NetworkManager.

(I also assume the computer supports both Ethernet and Wi-Fi, but if it doesn't, that's fine.)

How-To

Create the file /etc/NetworkManager/conf.d/00-macrandomize.conf. (To make and edit the file, you can use the command sudo nano /etc/NetworkManager/conf.d/00-macrandomize.conf.)

Here are two options for what to put in it...

Random MAC address on each connection

If you want to use a new random MAC address every single time you connect to a network (including if you disconnect then reconnect to the same network), then use this config:

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random

Stable MAC address for each network, randomized on reboot

With this configuration, you'll get a different MAC address for each network, but your MAC address will stay the same for a given network until you reboot.

This is useful, for example, if you need to use a captive portal to get internet access. If your internet connection drops, and you have to reconnect, using a random MAC address will likely require you to re-authenticate yourself through the captive portal. A stable address shouldn't require re-authenticating unless you actually reboot your computer.

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}

(The line connection.stable-id=${CONNECTION}/${BOOT} makes "stable" MAC addresses change after a reboot.)

Apply your new settings

Restart NetworkManager after changing these settings. With systemd, this can be done with

sudo systemctl restart NetworkManager

Change Mode Per-Connection

Sometimes you need to use different rules for different networks. For example, you might want to use your real hardware MAC address or a stable address on your home network, and random addresses everywhere else.

You can change this behavior in the graphical NetworkManager settings (see "Randomize a single connection" in this guide for an example), which is probably the easiest way if you use a graphical interface, or you can use nmcli. If you use a random MAC address everywhere but want a stable (but still spoofed) address on your home network, for instance, you might

nmcli connection modify "My Home Network" 802-11-wireless.cloned-mac-address stable

(replacing "My Home Network" with the name of your network).

Then reconnect.

negative zero