From 5ee66a0415e88f4fa78986c823dd1ad709524e70 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Fri, 29 May 2026 11:18:14 +0100
Subject: fix(iwd): revert MAC randomization — broke DHCP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`AddressRandomization=network` made iwd present a per-SSID random MAC to every Wi-Fi network. On networks that pin DHCP leases or 802.1X access to a specific hardware MAC (corporate Wi-Fi, routers with DHCP reservations, MAC-filtered networks) this means iwd associates fine but DHCP never completes — the new MAC is unknown to the upstream. The privacy gain is marginal when the user only connects to a small set of known APs anyway, and the cost (no IP on a familiar network) is much worse than the threat model justified. Drop the override entirely; iwd's defaults (permanent MAC, no IP config — systemd-networkd remains the IP-layer authority via etc/systemd/network/30-wifi-bond0.network) match what we actually want. If we want privacy MAC again later, the right place is a systemd .link file with MACAddressPolicy=random, applied per-interface, not iwd-wide.
---
 etc/iwd/main.conf | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 etc/iwd/main.conf

diff --git a/etc/iwd/main.conf b/etc/iwd/main.conf
deleted file mode 100644
index cfeed7e..0000000
--- a/etc/iwd/main.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# iwd is started as the Wi-Fi backend; systemd-networkd remains the
-# authoritative IP-layer manager (see etc/systemd/network/30-wifi-bond0.network
-# which enslaves the wlan interface into bond0).
-#
-# AddressRandomization=network — iwd picks a deterministic random MAC
-# per SSID. Same network always reconnects with the same MAC (so DHCP
-# leases, WPA-EAP creds, and captive-portal sessions stay stable across
-# reconnects), but a hostile AP on a different SSID never sees the
-# hardware MAC. Better than per-association random which trips captive
-# portals on every reconnect.
-
-[General]
-EnableNetworkConfiguration=false
-UseDefaultInterface=false
-AddressRandomization=network
-
-[Network]
-EnableIPv6=true
-NameResolvingService=systemd
-RoutePriorityOffset=200
-
-[Scan]
-DisablePeriodicScan=false
--
cgit v1.3.1