Heya
In case you didn’t know, you can achieve better privacy in your Linux machine when connecting to Wi-Fi networks by randomizing your MAC address. There are several ways of achieving this.
Note: I have tested the below on Fedora 43, KDE Plasma but the commands should work on any mainstream Linux distro. Use the commands below at your own risk and let me know if you manage to get your MAC randomization done or if you have any questions!
For context: Modern Linux desktops usually manage Wi-Fi through NetworkManager. KDE Plasma is the front end, but the real MAC-address behavior is controlled by NetworkManager profiles and config files.
There are two separate kinds of Wi-Fi MAC behavior:
- Connection MAC address: the MAC used after you connect to an SSID.
- Scan/probe MAC address: the MAC used while searching for nearby Wi-Fi networks.
NetworkManager treats these separately. wifi.cloned-mac-address controls the MAC used while connected, while wifi.scan-rand-mac-address controls randomization during scans. NetworkManager’s documentation says scan randomization defaults to yes, using a random locally administered MAC during scanning.
First: identify your Wi-Fi interface and active profile
Run:
nmcli device status
Look for the device with type wifi, for example:
wlp195s0 wifi connected MyNetwork
Set it as a variable:
IFACE=wlp195s0
Replace wlp195s0 with your own interface name.
Now find the active Wi-Fi connection profile:
nmcli -t -f NAME,DEVICE connection show --active
Or automatically save the active profile name:
CONN=$(nmcli -t -f NAME,DEVICE connection show --active | awk -F: -v d="$IFACE" '$2==d {print $1; exit}')
echo "$CONN"
There are two ways to do this: per Wi-Fi profile, or globally for all Wi-Fi connections.
Option A: disable connection randomization for one Wi-Fi network
This is the safest option if only one network requires your real hardware MAC, such as a university, workplace, hotel, or router with MAC allow-listing.
nmcli connection modify "$CONN" wifi.cloned-mac-address permanent
Reconnect:
nmcli connection down "$CONN"
nmcli connection up "$CONN"
This tells NetworkManager to use the permanent hardware MAC for that Wi-Fi profile. Fedora’s own compatibility guidance for the Fedora 40+ stable-SSID change gives this same wifi.cloned-mac-address permanent approach for networks that require a consistent hardware MAC.
Option B: disable connection randomization globally
Create a NetworkManager drop-in file:
sudo mkdir -p /etc/NetworkManager/conf.d
printf '%s\n' \
'[connection.90-wifi-mac-permanent]' \
'match-device=type:wifi' \
'wifi.cloned-mac-address=permanent' | sudo tee /etc/NetworkManager/conf.d/90-wifi-mac-permanent.conf
Restart NetworkManager:
sudo systemctl restart NetworkManager
This may briefly disconnect Wi-Fi.
Check the effective setting:
NetworkManager --print-config | grep -Ei 'cloned-mac|stable-ssid|randomization'
You want to see:
wifi.cloned-mac-address=permanent
NetworkManager config snippets are read in order, and later files can overwrite earlier settings, which is why a custom /etc/NetworkManager/conf.d/90-...conf file can override Fedora’s default /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf.
Optional: also disable scan MAC randomization
This is generally worse for privacy, but it is the full “do not randomize my Wi-Fi MAC at all” setting.
Create:
sudo mkdir -p /etc/NetworkManager/conf.d
printf '%s\n' \
'[device]' \
'wifi.scan-rand-mac-address=no' | sudo tee /etc/NetworkManager/conf.d/10-wifi-scan-rand.conf
Restart NetworkManager:
sudo systemctl restart NetworkManager
Check:
NetworkManager --print-config | grep -Ei 'scan-rand|cloned-mac'
Expected:
wifi.scan-rand-mac-address=no
wifi.cloned-mac-address=permanent
Now… to what you came here for…:
2. How to randomize the Wi-Fi MAC per SSID
This is the best privacy/usability balance for most people.
It means:
Same SSID -> same randomized MAC each time
Different SSID -> different randomized MAC
Hardware MAC -> hidden from normal Wi-Fi connections
Fedora 40 and later use this behavior by default through:
wifi.cloned-mac-address=stable-ssid
Fedora’s change added /usr/lib/NetworkManager/conf.d/22-wifi-mac-addr.conf, setting wifi.cloned-mac-address=stable-ssid for Wi-Fi profiles that do not override it. NetworkManager 1.46 added support for stable-ssid, which derives a stable MAC based on the Wi-Fi network.
Set per-SSID randomization globally
sudo mkdir -p /etc/NetworkManager/conf.d
printf '%s\n' \
'[connection.90-wifi-mac-stable-ssid]' \
'match-device=type:wifi' \
'wifi.cloned-mac-address=stable-ssid' | sudo tee /etc/NetworkManager/conf.d/90-wifi-mac-stable-ssid.conf
Restart NetworkManager:
sudo systemctl restart NetworkManager
Check:
NetworkManager --print-config | grep -Ei 'cloned-mac|stable-ssid'
Expected:
wifi.cloned-mac-address=stable-ssid
Set per-SSID randomization for one profile only
nmcli connection modify "$CONN" wifi.cloned-mac-address stable-ssid
nmcli connection down "$CONN"
nmcli connection up "$CONN"
This is useful if you want stable per-SSID randomization only on selected networks.
3. How to randomize the Wi-Fi MAC per connection
This is more aggressive.
It means:
Connect to SSID today -> randomized MAC A
Disconnect and reconnect -> randomized MAC B
Reconnect to same SSID -> randomized MAC C
NetworkManager’s random mode generates a randomized value upon each connection activation, while stable generates a repeatable hashed MAC.
Important caveat: this does not usually rotate the MAC while you remain connected. It changes when the connection is activated again.
Set per-connection randomization for one Wi-Fi profile
nmcli connection modify "$CONN" wifi.cloned-mac-address random
Reconnect:
nmcli connection down "$CONN"
nmcli connection up "$CONN"
Check the current active MAC:
cat /sys/class/net/$IFACE/address
Reconnect again and check it again. It should change.
Set per-connection randomization globally
sudo mkdir -p /etc/NetworkManager/conf.d
printf '%s\n' \
'[connection.90-wifi-mac-random]' \
'match-device=type:wifi' \
'wifi.cloned-mac-address=random' | sudo tee /etc/NetworkManager/conf.d/90-wifi-mac-random.conf
Restart NetworkManager:
sudo systemctl restart NetworkManager
Check:
NetworkManager --print-config | grep -Ei 'cloned-mac|randomization'
Expected:
wifi.cloned-mac-address=random
This can be annoying on captive portals, enterprise networks, university Wi-Fi, and routers that assign static DHCP leases by MAC address. Each reconnect may look like a new device.
4. How to check the status of scan MAC randomization
Scan randomization is separate from the connected MAC.
Check the effective NetworkManager config:
NetworkManager --print-config | grep -Ei 'scan-rand|cloned-mac|stable-ssid|randomization'
Example good output:
wifi.scan-rand-mac-address=yes
wifi.cloned-mac-address=stable-ssid
Also check whether any config file explicitly sets scan randomization:
grep -R "scan-rand-mac-address" /etc/NetworkManager/conf.d /usr/lib/NetworkManager/conf.d /run/NetworkManager/conf.d 2>/dev/null
Interpretation:
wifi.scan-rand-mac-address=yes
Scan MAC randomization is explicitly enabled.
wifi.scan-rand-mac-address=no
Scan MAC randomization is explicitly disabled.
No output means no config file explicitly sets it. That usually means NetworkManager is using its default, which is normally yes. NetworkManager’s documentation says this setting controls MAC randomization during Wi-Fi scans and defaults to yes.
For the strongest proof, you need another Wi-Fi adapter or another computer in monitor mode to capture probe requests over the air. But for normal desktop use, NetworkManager --print-config is the practical check.
5. How to explicitly enable scan MAC randomization
This is what we did.
Create the config file:
sudo mkdir -p /etc/NetworkManager/conf.d
printf '%s\n' \
'[device]' \
'wifi.scan-rand-mac-address=yes' | sudo tee /etc/NetworkManager/conf.d/10-wifi-scan-rand.conf
Restart NetworkManager:
sudo systemctl restart NetworkManager
Check:
NetworkManager --print-config | grep -Ei 'scan-rand|cloned-mac|stable-ssid|randomization'
A good result looks like:
wifi.scan-rand-mac-address=yes
wifi.cloned-mac-address=stable-ssid
That means:
Scan/probe MACs: randomized
Connection MACs: stable randomized per SSID
This is a strong privacy-friendly setup for everyday use.
Verifying the active connected MAC
To compare the current active MAC with the hardware MAC:
echo "Current active MAC:"
cat /sys/class/net/$IFACE/address
echo
echo "Permanent hardware MAC:"
ethtool -P "$IFACE"
If the two differ, your current connection is using a cloned/randomized MAC.
You can also check whether the current MAC is locally administered:
MAC=$(cat /sys/class/net/$IFACE/address)
FIRST=${MAC%%:*}
echo "Current MAC: $MAC"
if (( 0x$FIRST & 2 )); then
echo "Locally administered MAC: consistent with randomization/spoofing."
else
echo "Globally administered MAC: likely the vendor/hardware MAC."
fi
NetworkManager’s generated random and stable MACs are normally locally administered unicast addresses.
Cleaning up conflicting custom files
Only keep one connection-MAC policy active at a time. For example, avoid having all of these simultaneously:
90-wifi-mac-permanent.conf
90-wifi-mac-stable-ssid.conf
90-wifi-mac-random.conf
To list your custom files:
ls -l /etc/NetworkManager/conf.d/
To remove a custom setting:
sudo rm /etc/NetworkManager/conf.d/90-wifi-mac-random.conf
sudo systemctl restart NetworkManager
Then re-check:
NetworkManager --print-config | grep -Ei 'scan-rand|cloned-mac|stable-ssid|randomization'
Recommended setup
For most Fedora KDE users, the best setup is:
wifi.scan-rand-mac-address=yes
wifi.cloned-mac-address=stable-ssid
That gives you scan privacy and hides your hardware MAC during connections, while avoiding the constant captive-portal and DHCP problems caused by changing the MAC every time you reconnect.