Introduction
When you connect directly to the router that the ISP provides, the ISP can collect metadata showing which devices you are using. This is an important piece of metadata that can be used to deanonymize you through correlation even if you are using Tor, Whonix, etc. When you connect through sys-net, the original MAC address of your physical network card remains unchanged, so the ISP still sees that MAC. They could then sell that data or hand it to governments that request it!

Therefore, you need to perform MAC spoofing with random or fabricated-manufacturer MAC addresses so that the ISP thinks you are using, for example, an iOS device when you are actually running Qubes. Preventing the ISP from knowing when you connect with Qubes (the time and date) is essential for your anonymity, because that metadata can also be used for correlation. If you have one computer and everything else is a phone, it is obvious that you are using Qubes whenever the MAC of your PC appears on the network, since you cannot run Qubes on a phone! Governments could investigate and learn the MACs of all your devices:
- They request the data from the ISP.
- They use it for correlation to try to deanonymize you.
- It is a seemingly simple piece of metadata, but it can help them.
The sys‑net should have at least a random‑MAC‑spoofing option to eliminate this metadata!
So, for a sys‑net that I configured as disposable during installation and that uses the default-dvm as a disposable template, which in turn uses debian‑xfce‑13 as its base template, I did the following:
Requirements
During installation, select sys‑net as a disposable VM. This option is available in the installer.
If your sys‑net is currently an AppVM, follow these steps:
- Turn off sys‑net.
- Clone sys‑net and name the clone sys‑net‑bk.
- In the sys-firewall settings, set “Net Qube” to none so that sys-firewall no longer references sys-net.
- Delete the original sys‑net.
Now create a new disposable VM named sys-net:
- Select default-dvm as the disposable template for the new sys-net.
- Save the configuration.
- Go to the sys-firewall settings and set sys-net as its Net Qube.
Test the setup. If everything works correctly, you can delete sys‑net‑bk and continue the setup!
Guide
Cloned debian‑xfce‑13 and called the clone debian‑xfce‑13‑macchanger.
Inside that clone I installed macchanger:
sudo apt update
sudo apt install macchanger
Cloned default-dvm and named the clone default-dvm‑macchanger, then set its template to the newly created debian‑xfce‑13‑macchanger.
Now default-dvm‑macchanger contains macchanger.
In the sys-net settings I change the disposable template to default-dvm-macchanger; sys-net now has macchanger available.
Before connecting to the network, I open the sys-net VM and run:
sudo macchanger -r <name_of_my_interface>
You can automate this with a script placed in /rw/config/rc.local.
Steps to automate MAC spoofing in sys-net
Find the name of your network interface (e.g., ggdu4) using nmcli or ip a.
Edit /rw/config/rc.local (e.g., with nano) and add the line:
sudo macchanger -r ggdu4
After the MAC is spoofed, plug in the Ethernet cable (or, if you prefer, keep the cable unplugged until the sys‑net appears). The random MAC spoofing will have been executed automatically.
Alternatively, open nm-connection-editor, select “Wired Connection 1”, go to the General tab, and uncheck “Connect automatically with priority”. This prevents the connection from being brought up before the MAC spoofing runs.
In the Qubes top panel, right‑click the sys‑net icon and choose Enable networking. When you connect, the sys‑net will have a randomized MAC, preventing the ISP from collecting metadata that could be used against Qubes users.
You can also use vendor-style random MACs with the -a and -A options:
sudo macchanger -a ggdu4 # random MAC from a real vendor of the same kind of device (e.g. another wired-NIC vendor)
sudo macchanger -A ggdu4 # random MAC from a real vendor of any kind
Or manually set a fake MAC from a specific vendor:
sudo macchanger --mac=XX:XX:XX:XX:XX:XX <interface_name>
Example of a Samsung‑style fake MAC generated by some programs: ad:b1:0d:0f:7c:73
sudo macchanger --mac=ad:b1:0d:0f:7c:73 ggdu4
You can adapt any of these commands into a script!
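Such a script, added here as an example and not part of the original post, ties the automation steps above and the vendor-MAC options together: it discovers the physical interfaces instead of hardcoding ggdu4, randomizes each one, and only brings the link up once the new address has been checked. It assumes macchanger is installed in the template, that /rw/config/rc.local is edited in the disposable template (default-dvm-macchanger) because changes made inside the running disposable sys-net are discarded at shutdown, and that the helper function names are mine rather than anything macchanger or Qubes provides.

```shell
#!/bin/sh
# Added example, not from the original post: a /rw/config/rc.local body for a
# disposable sys-net. Assumes macchanger is installed in the template and that
# this file lives in the disposable template (default-dvm-macchanger), since a
# disposable's own /rw changes vanish at shutdown. rc.local runs as root, so
# no sudo is needed. Helper names below are my own.

# 0 if MAC is a usable unicast source address: the I/G bit (lowest bit of the
# first octet) must be clear. An odd first octet such as "ad" is a group
# (multicast) address, which a NIC cannot use as its own address.
mac_is_unicast() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in [0-9a-fA-F][0-9a-fA-F]) ;; *) return 1 ;; esac
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# 0 if the U/L bit is set (locally administered), as macchanger -r produces.
mac_is_local() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# Extract the "Current MAC" value from `macchanger -s` output read on stdin.
current_mac() {
    sed -n 's/^Current MAC: *\([0-9a-f:]*\).*/\1/p'
}

# Interfaces discovered at boot rather than hardcoded (the name, ggdu4 in the
# post, differs between machines); lo and the vif* backends that serve the
# other qubes are skipped.
list_ifaces() {
    ip -o link show | awk -F': ' '$2 != "lo" && $2 !~ /^vif/ {print $2}'
}

# Take the link down (most drivers refuse a MAC change while it is up),
# randomize, then verify before bringing it back. On failure the link stays
# down so the permanent MAC is never exposed to the ISP's router.
spoof_iface() {
    ip link set dev "$1" down
    macchanger -r "$1" >/dev/null || return 1
    mac=$(macchanger -s "$1" | current_mac)
    mac_is_unicast "$mac" && mac_is_local "$mac" || return 1
    ip link set dev "$1" up
    logger -t mac-spoof "$1 now uses $mac" 2>/dev/null || true
}

# Only act when really running as root with macchanger available.
if [ "$(id -u)" -eq 0 ] && command -v macchanger >/dev/null 2>&1; then
    for ifc in $(list_ifaces); do spoof_iface "$ifc"; done
fi
```

The same unicast check applies when you pick a MAC by hand for --mac=: an address whose first octet is odd, such as ad:b1:0d:0f:7c:73 above, has the multicast bit set and is not valid as a card's own address, so prefer an even first octet (and, for a vendor-style address, a real OUI).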
The debian‑xfce‑13‑macchanger template is identical to the original debian‑xfce‑13; the only change is the installation of macchanger.
Alternative method (no need to clone a template)
If you don’t want to clone a template and install macchanger permanently, you can download the Debian 13 .deb package for macchanger once and reinstall it on each boot:
Download the macchanger .deb from Debian Bookworm:
I find it here: Debian -- Package Download Selection -- macchanger_1.7.0-5.4_amd64.deb
Verify the hashes, then copy the file to the default‑dvm home directory, e.g.:
/home/<your_user>/macchanger_1.7.0-5.4_amd64.deb
Add the following to /rw/config/rc.local so that it runs on every boot:
# Install macchanger on each boot (rc.local already runs as root, so sudo is not strictly required here)
# Replace <sys-net_interface> with the actual interface name (check with nmcli or ip a)
sudo dpkg -i /home/<your_user>/macchanger_1.7.0-5.4_amd64.deb
sudo macchanger -r <sys-net_interface>
# end
Now, each time the sys‑net VM starts, it will install macchanger (if needed) and randomize the MAC address automatically, without having to modify a template.
Optional mode:
If you only want to spoof the MAC occasionally, you can comment out the lines in /rw/config/rc.local when you don’t need it, and uncomment/run them later (e.g., via sudo /rw/config/rc.local followed by a reboot).
Final notes
It’s best to keep the sys‑net VM disposable for maximum security; the installer already offers this option.
To developers and advanced Qubes users: Is this approach safe? I’ve provided the arguments showing why it’s essential to stop the ISP from collecting the original MAC metadata, which reveals which devices we use, the times we start and stop using them, etc.
Who this is for
This guide is intended for anyone who needs to connect a PC running Qubes OS directly to the modem or router supplied by their ISP.
It’s also useful for users who take Qubes OS outside of their home network, when traveling or working from another location and want to spoof the MAC address to prevent the ISP from gathering identifying metadata.