diff --git a/llarp/vpn/common.hpp b/llarp/vpn/common.hpp
index 651b86951..8db945636 100644
--- a/llarp/vpn/common.hpp
+++ b/llarp/vpn/common.hpp
@@ -3,9 +3,16 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
+#include <cerrno>
 
 namespace llarp::vpn
 {
+  class permission_error : public std::runtime_error
+  {
+   public:
+    using std::runtime_error::runtime_error;
+  };
+
   struct IOCTL
   {
     const int _fd;
@@ -26,7 +33,14 @@ namespace llarp::vpn
     ioctl(Command cmd, Args&&... args)
     {
       if (::ioctl(_fd, cmd, std::forward<Args>(args)...) == -1)
-        throw std::runtime_error("ioctl failed: " + std::string{strerror(errno)});
+      {
+        if (errno == EACCES)
+        {
+          throw permission_error{"we are not allowed to call this ioctl"};
+        }
+        else
+          throw std::runtime_error("ioctl failed: " + std::string{strerror(errno)});
+      }
     }
   };
 }  // namespace llarp::vpn
diff --git a/llarp/vpn/linux.hpp b/llarp/vpn/linux.hpp
index 78255a21c..8d67a6256 100644
--- a/llarp/vpn/linux.hpp
+++ b/llarp/vpn/linux.hpp
@@ -66,7 +66,14 @@ namespace llarp::vpn
           ifr6.addr = net::HUIntToIn6(ifaddr.range.addr);
           ifr6.prefixlen = llarp::bits::count_bits(ifaddr.range.netmask_bits);
           ifr6.ifindex = ifindex;
-          control6.ioctl(SIOCSIFADDR, &ifr6);
+          try
+          {
+            control6.ioctl(SIOCSIFADDR, &ifr6);
+          }
+          catch (permission_error& ex)
+          {
+            LogError("we are not allowed to use IPv6 on this system: ", ex.what());
+          }
         }
       }
       ifr.ifr_flags = static_cast<short>(flags | IFF_UP | IFF_NO_PI);
@@ -75,8 +82,7 @@ namespace llarp::vpn
 
     virtual ~LinuxInterface()
     {
-      if (m_fd != -1)
-        ::close(m_fd);
+      ::close(m_fd);
     }
 
     int