Mac randomization not working

User Support
, ,
1

Hey,

I’m trying to do the mac randomization in sys-net for the wired connection. Unfortunately nothing seems to work. My sys-net is disposable and the template is Kicksecure-minimal. My wifi device isn’t connected in sys-net, only the ethernet adapter.

When I try to change the mac address manually via the gui it works perfectly.

The logs of sys-net show that the config files in /usr/lib/NetworkManager/conf.d/ , including 30-qubes.conf, 31-randomize-mac.conf, 80_ipv6-privacy.conf 80_randomize-mac.conf and no-mac-addr-change.conf are read but the file in /etc/NetworkManager/conf.d/ isn’t included.
The files in /usr/lib/NetworkManager/conf.d/ were left untouched except for 31-randomize.conf where I added the ethernet.cloned…=stable.

I’ve tried:

  • Adding /var/lib/NetworkManager/secret_key and /usr/lib/NetworkManager/conf.d/31-randomize-mac.conf to bind_dirs
  • Adding /etc/NetworkManager/conf.d/00-macrandomize.conf to bind_dirs
  • I added the things above to the template as well as dvm-template. Furthermore,

I’ve added /var/lib/NetworkManager/secret_key and /usr/lib/NetworkManager/conf.d/31-randomize-mac.conf to bind_dirs in sys-net.

My bind_dirs file /rw/config/qubes-bind-dirs.d/50_user.conf looks like this:

binds+=( '/var/lib/NetworkManager/secret_key' )
binds+=( '/usr/lib/NetworkManager/conf.d/31-randomize-mac.conf' )
binds+=( '/etc/NetworkManager/conf.d/00-macrandomize.conf' )

00-macrandomize.conf is somehow not in the sys-net qube even though it’s in both templates.

I used these for help:
cloned-mac-address-for-wired-connection
anonymizing-your-mac-address
anonymizing-mac-address-when-sys-net-is-disposable
randomize-mac-adress-globally-some-questions

2

Did you set the “Cloned MAC address” to “Stable” for your connection using the Network Manager applet or by editing connection config directly?

Check the current options of your connection using:

nmcli connection show YourConnectionUUID | grep mac
3

I used the Network Manager applet. If I use it then the mac address is changed, everything else does not work unfortunately.

The output of the command is neither stable or random, its empty. Using the applet its either random or stable, depending on what I selected

4

What do you mean by everything else?

5

using the config files like 00-macrandomize.conf or nm-connection-editor

6

When you edit connection through NM applet then it’ll use the same nm-connection-editor so I don’t understand what do you mean.
And what’s in 00-macrandomize.conf that is not working? Maybe the options there are overwritten by the options from the NM connection config that is created by nm-connection-editor?

7

Yeah I didn’t wait long enough, nm-connection-editor was not starting so I thought it didn’t work.

It could be overwritten but I don’t really know how to check that. Neither before I use the applet or after the 00-macrandom.conf is used.

The logs in journalctl for the NetworkManager.service show that 00-macrandom.conf isn’t even read at the beginning, instead 31-macrandomize.conf which has nearly the same values as 00-macrandom.conf, is being used.
00-macrandom is in the dvm-template as well as the normal template but in sys-net under /etc/NetworkManager/conf.d/ is shows no files.

00-macrandom.conf looks like this:

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
ipv6.dhcp-duid=stable-uuid

#the below settings is optional (see the explanations below)
ipv6.ip6-privacy=2

8

Your sys-net is a named disposable?
And you have the /etc/NetworkManager/conf.d/00-macrandom.conf file in the disposable template of sys-net but for some reason this file is missing in the sys-net itself?

9

Yes, its a named disposable.
Correct, its in the disposable template as well as the template of the disposable template.

10

I don’t know how is it possible for file to exist in disposable template but to be missing in the disposable qube based on this template.

11

I just checked it again and both the template of the disposable template and the disposable template itself have the 00-macrandomize.conf but the disposable sys-net doesnt have it.

I tried to see if its somehow hidden but when I type nano 00-macrandomize.conf in the cli it opens up and shows that it would be a new file. So maybe there is something wrong with the inheritance.

12

Check in disposable sys-net:

ls -la /rw/bind-dirs/etc/NetworkManager/conf.d/
ls -la /etc/NetworkManager/conf.d/
13

The first output was cannot access, no file or directory and the second is:
total 8
drwxr-xr-x 2 root root
drwxr-xr-x 6 root root

Here its written that qubes-bind-dirs.d has to be used and bind-dirs only when the template has no directory with the same name. Would my usage be wrong and bind-dirs instead of qubes-bind-dirs.d had to be used?

14

bind-dirs description seems to still be quite confusing.
You can check this discussion:

How to use bind-dirs is described here:

You need to create the directory for the file in your disposable template:

sudo mkdir -p /rw/bind-dirs/etc/NetworkManager/conf.d/

And then copy the 00-macrandomize.conf in this directory.

15

Unfortunately even with that neither nmcli connection show YourConnectionUUID | grep mac nor the NetworkManager.service logs show any changes in the mac address.

Now I’ve created in the disposable template the /rw/binds-dir/ directory, copied 00-macrandom.conf there, gave the rights to execute it, and added a /rw/binds-dir/50_user.conf there with binds+=( '/etc/NetworkManager/conf.d/00-macrandomize.conf' ) written there.
00-macrandom.conf is inside /rw/bind-dirs/etc/NetworkManager/conf.d/ the directory but not in /etc/NetworkManager/conf.d/ . I did the same to the template of the disp template.

Did I miss something?

16

Lets deal with bind-dirs first.
What’s the output of these commands in the disposable template used by sys-net?

cat  /rw/config/qubes-bind-dirs.d/50_user.conf
ls -la /rw/bind-dirs/etc/NetworkManager/conf.d/
ls -la /etc/NetworkManager/conf.d/

What’s the output of these commands in sys-net?

cat  /rw/config/qubes-bind-dirs.d/50_user.conf
ls -la /rw/bind-dirs/etc/NetworkManager/conf.d/
ls -la /etc/NetworkManager/conf.d/
17

Disp template output:

  1. binds+=( ‘/usr/lib/NetworkManager/conf.d/31-randomize-mac.conf’ )
    binds+=( ‘/var/lib/NetworkManager/secret_key’ )
    binds+=( ‘/etc/NetworkManager/conf.d/00-macrandomize.conf’ )
  2. drwxr-xr-x 2 root root
    drwxr-xr-x 3 root root
    -rwxr-xr-x 1 root root
  3. drwxr-xr-x 2 root root
    drwxr-xr-x 7 root root
    -rwxr-xr-x 1 root root

sys-net:

  1. binds+=( ‘/usr/lib/NetworkManager/conf.d/31-randomize-mac.conf’ )
    binds+=( ‘/var/lib/NetworkManager/secret_key’ )
    binds+=( ‘/etc/NetworkManager/conf.d/00-macrandomize.conf’ )
  2. drwxr-xr-x 2 root root
    drwxr-xr-x 3 root root
    -rwxr-xr-x 1 root root
  3. drwxr-xr-x 2 root root
    drwxr-xr-x 6 root root
18

Well, there is no 00-macrandomize.conf in disp template so obviously there wouldn’t be one in sys-net.
Create the file /rw/bind-dirs/etc/NetworkManager/conf.d/00-macrandomize.conf in your disp template.

19

But there is one actually. In the dvm template in /etc/NetworkManager/conf.d/ there is 00-macrandomize.conf as well as in /rw/bind-dirs/etc/NetworkManager/conf.d/

20

Can you post the full output of the commands?
I don’t see the files.
The output should look like this:

$ ls -la /rw/config/qubes-firewall-user-script 
-rwxr-xr-x 1 root root 485 Nov 11 10:35 /rw/config/qubes-firewall-user-script