From b9d279ca06ac49a8c471c462ebf1a8666c3c43c4 Mon Sep 17 00:00:00 2001
From: Peter Vacho
Date: Wed, 11 Mar 2026 15:00:19 +0100
Subject: [PATCH] Fix NetworkManager privacy settings

---
 .../NetworkManager/conf.d/dhcp-hostname.conf | 7 +-
 .../conf.d/ignore-auto-dns.conf | 8 +--
 .../NetworkManager/conf.d/ipv6-privacy.conf | 72 +++++++++++--------
 .../etc/NetworkManager/conf.d/llmnr-mdns.conf | 4 +-
 4 files changed, 50 insertions(+), 41 deletions(-)

diff --git a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
index d4bba83..fe4b50e 100644
--- a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
+++ b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
@@ -12,10 +12,9 @@
 # nmcli connection modify ipv4.dhcp-send-hostname yes
 # nmcli connection modify ipv6.dhcp-send-hostname yes
 
-[ipv4]
-dhcp-send-hostname=false
+[connection]
+ipv4.dhcp-send-hostname=false
 
-[ipv6]
 # Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
 # instead, in which case this setting has no effect.
-dhcp-send-hostname=false
+ipv6.dhcp-send-hostname=false
diff --git a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
index dbb259a..3cc3913 100644
--- a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
+++ b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
@@ -19,8 +19,6 @@
 # nmcli connection modify ipv4.ignore-auto-dns no
 # nmcli connection modify ipv6.ignore-auto-dns no
 
-[ipv4]
-ignore-auto-dns=true
-
-[ipv6]
-ignore-auto-dns=true
+[connection]
+ipv4.ignore-auto-dns=true
+ipv6.ignore-auto-dns=true
diff --git a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
index ce2c51c..ac1ead4 100644
--- a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
+++ b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
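Review bot: `ipv4.dhcp-send-hostname=false` and `ipv6.dhcp-send-hostname=false` under `[connection]` are connection *defaults*: they apply only to profiles whose property is still unset, and only for properties that the installed NetworkManager release accepts in that section; as far as I know an unrecognised key there is logged, not rejected, so a mistake fails silently. Whether `dhcp-send-hostname` (and `ignore-auto-dns`, moved the same way in the next hunk for ignore-auto-dns.conf) is overridable here varies by version — older releases only honour a property whose built-in default is the "unset" sentinel — so this should be checked against the `[connection]` key list in `man NetworkManager.conf` for the target release and confirmed on an active profile, otherwise the hostname keeps leaking to the DHCP server. Profiles that were previously changed with the `nmcli connection modify ... dhcp-send-hostname yes` lines quoted in the comments above the section keep their explicit value regardless. A line such as `# [connection] entries are defaults: they do not override a profile that sets the property explicitly.` above the section would make this visible to the next editor.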
@@ -1,39 +1,51 @@
-# IPv6 address generation and privacy defaults.
+[connection]
+
+# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
 #
-# Most IPv6 networks use SLAAC (Stateless Address Autoconfiguration),
-# where the host generates its own IPv6 addresses based on the network
-# prefix advertised by the router.
+# Normally IPv6 SLAAC can derive the interface identifier directly from
+# the device MAC address using the legacy EUI-64 scheme. This exposes the
+# hardware MAC inside the IPv6 address and allows long-term tracking.
 #
-# Two mechanisms influence how these addresses appear:
+# The "stable-privacy" mode instead derives the address from a secret
+# kernel seed and the network prefix. This produces a deterministic
+# address that stays stable within the same network but does not reveal
+# the device MAC address.
+ipv6.addr-gen-mode=stable-privacy
+
+
+# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
+# connections.
 #
-# ipv6.addr-gen-mode
-# Controls how the *stable* SLAAC address is generated.
+# These temporary addresses rotate periodically and are used for outgoing
+# traffic to reduce the ability of remote servers to track the device
+# across connections.
 #
-# stable-privacy:
-# Generate a deterministic pseudorandom address derived from
-# a kernel secret and the network prefix. This prevents the
-# legacy EUI-64 mechanism from exposing the device's MAC
-# address in the IPv6 address.
+# The interface will still retain a stable address (generated above) for
+# inbound connections, but outgoing traffic will prefer the temporary
+# ones.
 #
-# ipv6.ip6-privacy
-# Enables RFC 4941 temporary IPv6 addresses. These are additional
-# short-lived addresses that rotate periodically and are preferred
-# for outbound connections to prevent remote tracking.
-#
-# With these settings a network interface will typically have:
-#
-# - one stable pseudorandom IPv6 address
-# - one or more temporary rotating addresses used for outbound traffic
-#
-# Note that temporary addresses do NOT replace the stable address. The
-# interface will still have one stable address used for inbound connections,
-# it will just use the temporary ones for outbound ones.
-#
-# Values for ipv6.ip6-privacy:
+# Values:
 # 0 = disable temporary addresses
 # 1 = enable but prefer the stable address
 # 2 = enable and prefer temporary addresses
-
-[connection]
-ipv6.addr-gen-mode=stable-privacy
 ipv6.ip6-privacy=2
+
+
+# Use a per-connection DHCPv6 client identifier.
+#
+# When a network uses DHCPv6, the client must identify itself with a
+# DHCP Unique Identifier (DUID). By default NetworkManager generates a
+# single identifier derived from the system machine-id, meaning every
+# network sees the same persistent identifier.
+#
+# The "stable-uuid" mode instead generates a different identifier per
+# connection using the connection's stable-id and a host-specific secret.
+# Each network therefore sees a different DHCPv6 identity while still
+# receiving a stable identifier across reconnects.
+#
+# This prevents cross-network tracking while maintaining normal DHCPv6
+# lease behavior.
+#
+# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
+# which case this setting has no effect.
+ipv6.dhcp-duid=stable-uuid
diff --git a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
index b3e4426..605342b 100644
--- a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
+++ b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
@@ -35,5 +35,5 @@
 # nmcli connection modify connection.mdns resolve
 
 [connection]
-llmnr=1
-mdns=1
+connection.llmnr=1
+connection.mdns=1
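Review bot: The new comment `# Each network therefore sees a different DHCPv6 identity` overstates what `ipv6.dhcp-duid=stable-uuid` gives: the DUID is derived from `connection.stable-id` (by default the profile's UUID) and NetworkManager's per-host secret key, so it differs per *profile*, and one profile used on several networks (a generic wired profile, for instance) presents the same DUID on all of them; `ipv6.addr-gen-mode=stable-privacy` has the same dependency, so its address also changes if the stable-id (e.g. a `${BOOT}` or `${RANDOM}` token) or the secret key changes. I would replace that sentence with `# Each profile therefore gets its own DHCPv6 identity (keep one profile per network if networks must not correlate it) while still receiving a stable identifier across reconnects.` The rewrite also removed the file-level header (`# IPv6 address generation and privacy defaults.`) so `[connection]` is now line 1, while the other three drop-ins in this commit keep a header with `# nmcli connection modify ...` override hints above the section; restoring a header and one hint line per key would keep the four files consistent. These are connection defaults, so any profile that already sets these properties explicitly keeps its own values.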