[device-mac-randomization]
# Randomize the MAC address used during WiFi scanning.
#
# When the system scans for nearby Wi-Fi networks it normally sends probe
# frames containing its MAC address. Without randomization, nearby networks
# could track the device even when it is not connected.
#
# This is already the default on most systems, but we set it explicitly.
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
# Default MAC address behavior for new connections.
#
# NetworkManager can replace the hardware MAC address with a randomized
# one when activating connections. This helps prevent networks from
# identifying and tracking the device.
#
# Possible values:
#   permanent : use the hardware MAC
#   preserve  : keep whatever MAC the interface already has
#   stable    : randomize MAC once and associate it permanently with that network
#   random    : Randomize MAC for every connection
#
# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
# as it is the most privacy-respecting option and prevents the network from tracking
# the device across reconnects (assuming everything else was configured to support
# that protection too).
#
# If a specific network requires a stable MAC (for example when using
# DHCP reservations on a home router), override it per connection. Generally, you
# should prefer using stable for these purposes instead of permanent, as there's
# no real advantage in giving away the actual hardware MAC, even if it's your own
# network:
#   nmcli connection modify <wifi-connection> wifi.cloned-mac-address stable
#   nmcli connection modify <ethernet-connection> ethernet.cloned-mac-address stable
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random