MAC address randomization failure (user error almost certain) #3905
AlmightyLaxz
May 17, 2018
Hi,
I'm guessing you are following the docs at https://www.qubes-os.org/doc/anonymizing-your-mac-address/ ?
I believe at the time that was written MAC randomization was only possible through those config options. But now MAC randomization is available in the NetworkManager GUI.
- Right click on network manager icon>Edit Connections..
- Select desired connection and click edit
- Select the Cloned MAC Address drop down and set to Random or Stable
- Close and reconnect connection (click on network adapter icon and click disconnect, it should automatically reconnect)
Those steps have worked for me using the default preinstalled sys-net.
As for the behavior, all external connections going out of sys-net would show the new random MAC address (PC to your router). Each VM however, will still show the same MAC address because these are internal virtual network adapters used for routing traffic within Qubes OS. Think of Qubes networking as a private LAN - each VM is an internal host which accesses the outside through a router, the NetVM.
I think you are expecting the outcome to be a random MAC address per VM, which I don't think is currently possible; but the MAC address of each physical network adapter can be randomized using the steps above. You could probably change the MAC address in each VM for that VM's virtual network adapter but this isn't very useful as those MAC addresses only have meaning inside the Qubes machine.
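To check the distinction described above from inside a NetVM, the following added example (not part of the original thread or of Qubes OS) parses `ip link show` output and separates Xen-internal interfaces from physical ones, reporting whether each physical MAC is locally administered. It assumes NetworkManager's default behaviour of generating random and stable addresses with the locally-administered bit set, that Xen backend interfaces are named `vif*`, and that guest interfaces use the Xen OUI `00:16:3e`; the sample output is constructed.

```python
import re

# Constructed `ip link show` output from a NetVM (not taken from the thread):
# a NIC with a generated MAC, a NIC with a vendor MAC, and a Xen backend vif.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 3a:7f:10:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: wls6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 00:11:22:aa:bb:cc brd ff:ff:ff:ff:ff:ff
4: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
"""

XEN_OUI = "00:16:3e"  # assumption: OUI used for Xen guest interfaces
HEADER = re.compile(r"^\d+:\s+([^:@\s]+)")          # "2: ens5: <...>"
LINK = re.compile(r"^\s+link/\w+\s+([0-9a-fA-F:]{17})")

def parse_ip_link(text):
    """Return {interface name: MAC} from `ip link show` output."""
    macs, name = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            name = header.group(1)
            continue
        link = LINK.match(line)
        if link and name:
            macs[name] = link.group(1).lower()
    return macs

def classify(name, mac):
    """Label one interface by what its MAC can tell an outside observer."""
    mac = mac.lower()
    if name == "lo":
        return "loopback"
    if name.startswith("vif") or mac.startswith(XEN_OUI):
        return "xen-internal"          # never leaves the Qubes machine
    # Bit 0x02 of the first octet marks a locally administered address,
    # which a vendor-assigned (burned-in) address does not have set.
    if int(mac[:2], 16) & 0x02:
        return "locally-administered"
    return "universally-administered"  # likely the hardware address

def audit(text):
    return {n: classify(n, m) for n, m in parse_ip_link(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `locally-administered` result only shows that the address is not a vendor-assigned one; with the Stable setting it stays the same for a given connection, so compare the value across reconnects to confirm the Random setting is in effect.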
Related to (perhaps even a duplicate of) #938.
andrewdavidwong added help wanted, C: doc, task labels May 18, 2018
andrewdavidwong added this to the Documentation/website milestone May 18, 2018
AlmightyLaxz
May 18, 2018
> Related to (perhaps even a duplicate of) #938.

That issue was when NetworkManager had no MAC randomization functionality; now that it does, it could probably be closed.
I have made a PR to the docs for randomizing MAC addresses through the GUI Network Manager which could make it easier for less experienced users.
QubesOS/qubes-doc#652
QubesOS/qubes-attachment#15
knifetheMAC
May 18, 2018
Thank you AlmightyLaxz

> I'm guessing you are following the docs at https://www.qubes-os.org/doc/anonymizing-your-mac-address/ ?

Yes, this was the guide that I was following. I was unable to get this method to work on r4.0 -- but this is most likely due to my inexperience.

> 1. Right click on network manager icon>Edit Connections..
> 2. Select desired connection and click edit
> 3. Select the Cloned MAC Address drop down and set to Random or Stable
> 4. Close and reconnect connection (click on network adapter icon and click disconnect, it should automatically reconnect)

Following the steps that you provided allowed me to randomize my MAC.

> Each VM however, will still show the same MAC address because these are internal virtual network adapters used for routing traffic within Qubes OS. Think of Qubes networking as a private LAN - each VM is an internal host which accesses the outside through a router, the NetVM.

This was very helpful. I now understand that the MAC randomization will only be detectable once it leaves the LAN.

> As for the behavior, all external connections going out of sys-net would show the new random MAC address (PC to your router).

I can now verify the MAC is changing by monitoring the outgoing traffic on my router.

Thanks again!
This was referenced May 26, 2018
Done by QubesOS/qubes-doc#652.
knifetheMAC commented May 17, 2018 (edited May 18, 2018)
Qubes OS version:
Qubes Release 4.0 (R4.0)
Affected component(s):
Debian-9 Template
sys-firewall
Steps to reproduce the behavior:
Using debian-9 template
Create a file named mac.conf in /etc/NetworkManager/conf.d/ directory.
File mac.conf contains:
Create new NetVM named sys-MAC from template containing mac.conf file.
Change virtualization mode to HVM using GUI
Go to qubes settings -> Advanced -> 'Include in memory balancing' and UNcheck box
Shutdown all VMs and assign ethernet device to new NetVM using:
Configure sys-firewall to run through new sys-MAC NetVM
Disable start-on-boot for sys-net VM
Reboot
Start sys-MAC machine
Connect to Ethernet Network Wired Connection 1 in dom0 using GUI.
Check sys-MAC mac address using:
`sudo ip link show`
outputs:
(last three octets of MAC and ip6 have been replaced with placeholders)
sys-firewall is downstream of sys-MAC and outputs:
(last three octets of MAC have been replaced with placeholders)
Expected behavior:
MAC address should be randomized for all downstream VMs.
VMs should not continue to display burned in addresses when prompted with `sudo ip link show`
Actual behavior:
Neither of the MAC addresses for sys-MAC or sys-firewall have changed. All subsequent downstream VMs are displaying native hardware addresses.
General notes:
I am a novice linux user. I have been using Fedora for about a year and Qubes for 6 months. I was using r3.2 until I recently upgraded to r4.0. Thanks for all your hard work!
I have read the FAQ and searched this forum and the Arch Linux wiki along with performing basic google searches. I can not tell if I am missing something that should be obvious to a seasoned user (which I am not) or if this is a new bug. Any help would be appreciated and I am willing to post the output of any commands that could help diagnose the issue.
Related issues:
On a related note, I have had some (mixed) results using the iproute2 and macchanger packages. These will allow to change MAC locally on any 1 machine. However, the sys-net/sys-firewall/sys-VPN VMs do not pass these changes through to any downstream VMs. All uses of `sudo ip link show` output only the burned in addresses, not the randomized ones.
I have tried to permanently change the MAC address of dom0 and each subsequent (fedora-26) machine by altering the files:
ifcfg-eth0
ifcfg-ens5
but these files are missing from:
/etc/sysconfig/network-scripts