# Example configuration snippet for NetworkManager to
# overwrite some default value for more privacy.
# Drop this file for example to /etc/NetworkManager/conf.d/30-anon.conf
#
# See man NetworkManager.conf(5) for how default values
# work. See man nm-settings(5) for the connection properties.
#
#
# This enables some privacy setting by default. The defaults
# apply only to settings that do not explicitly configure
# a per-connection override.
# That means, if the connection profile has
#
#   $ nmcli connection show "$CON_NAME" |
#       grep '^\(connection.stable-id\|ipv6.addr-gen-mode\|ipv6.ip6-privacy\|802-11-wireless.cloned-mac-address\|802-11-wireless.mac-address-randomization\|802-3-ethernet.cloned-mac-address\|ipv4.dhcp-client-id\|ipv6.dhcp-duid\)'
#   connection.stable-id:                   --
#   802-3-ethernet.cloned-mac-address:      --
#   802-11-wireless.cloned-mac-address:     --
#   802-11-wireless.mac-address-randomization:default
#   ipv4.dhcp-client-id:                    --
#   ipv6.ip6-privacy:                       -1 (unknown)
#   ipv6.addr-gen-mode:                     stable-privacy
#   ipv6.dhcp-duid:                         --
#
# then the default values are inherited and thus both the MAC
# address, IPv6 host identifier, and DHCP identifiers are randomized.
# Also, ipv6 private addresses (RFC4941) are used in
# addition.
#
#
# The connection's stable-id is really a token associated with the identity
# of the connection. It means, by setting it to different values, different
# addresses and DHCP options are generated.
# For some profiles it can make sense to reuse the same stable-id
# (and thus share MAC address and IPv6 host identifier) for the duration
# of the current boot, but still exclusive to the connection profile.
# Thus, explicitly set the stable-id like:
#
#   $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}/${BOOT}'
#
# ... or keep it stable across reboots, but still distinct per profile:
#
#   $ nmcli connection modify "$CON_NAME" connection.stable-id '${CONNECTION}'
#
# ... or use the same stable IDs for a bunch of profiles
#
#   $ nmcli connection modify "$CON_NAME" connection.stable-id 'my-home-wifi yada yada'
#
# ... or use the same IDs for a bunch of profiles, but only for the current boot
#
#   $ nmcli connection modify "$CON_NAME" connection.stable-id 'my-home-wifi yada yada/${BOOT}'

[device-anon]
wifi.scan-rand-mac-address=yes

[connection-anon]
connection.stable-id=${RANDOM}
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
ipv6.ip6-privacy=2

# RFC 7844 "DHCP Anonymity Profiles" mandates in combination with
# MAC address randomization:
#   connection.stable-id=${RANDOM}
#   ethernet.cloned-mac-address=stable
#   wifi.cloned-mac-address=stable
#   ipv4.dhcp-client-id=mac
#   ipv6.dhcp-duid=ll
# In case, the interface cannot use MAC address randomization,
# RFC 7844 recomments
#   connection.stable-id=${RANDOM}
#   ipv4.dhcp-client-id=stable
#   ipv6.dhcp-duid=stable-llt
# See https://tools.ietf.org/html/rfc7844#section-3.5
#     https://tools.ietf.org/html/rfc7844#section-4.3
#
# In this example however, the defaults are set to a stable identifier
# depending on the connection.stable-id.
ipv4.dhcp-client-id=stable
ipv6.dhcp-duid=stable-uuid