PPP device access returns EPERM in Linux machine after upgrading to 2.2.1 #2524

@Mckennasora

Title: PPP device access returns EPERM in Linux machine after upgrading to 2.2.1

Summary

After upgrading OrbStack from 2.0.5 to 2.2.1, an existing Ubuntu Linux machine used for L2TP/IPsec can no longer open /dev/ppp. pppd fails with Operation not permitted, so L2TP sessions cannot create ppp0/ppp1.

Rolling back OrbStack to 2.0.5 restores the same machine and configuration: ppp0/ppp1 are created successfully and the SOCKS services bound to those interfaces start normally.

Environment

  • macOS: current local system
  • OrbStack broken version: 2.2.1
    • App bundle version: CFBundleShortVersionString = 2.2.1
    • App bundle build: CFBundleVersion = 20628
    • CLI reported earlier: Version: 2.2.1 (2020100)
  • OrbStack working version after rollback: 2.0.5
    • Version: 2.0.5 (2000500)
    • Commit: cfe47627f138ffd822c958553b0a93eaf2692c71 (v2.0.5)
  • Linux machine:
    • Name: l2tp-box
    • Distro: Ubuntu questing
    • Architecture: arm64
  • Network details/IP addresses below are redacted.

What works

IPsec/IKE succeeds in the Linux machine. The failure happens later when xl2tpd starts pppd and pppd tries to open /dev/ppp.

Error on OrbStack 2.2.1

Inside the Linux machine, xl2tpd logs:

pppd[430]: Couldn't open the /dev/ppp device: Operation not permitted
pppd[430]: Sorry - this system lacks PPP kernel support
xl2tpd[400]: child_handler : pppd exited for call 18126 with code 4
xl2tpd[400]: call_close: Call 14407 to <redacted-vpn-endpoint> disconnected

Manual checks showed /dev/ppp existed, but opening it failed:

# ls -l /dev/ppp
crw------- 1 root root 108, 0 Jun  9 16:47 /dev/ppp

# cat /dev/ppp
cat: /dev/ppp: Operation not permitted (os error 1)

Capabilities appeared broad inside the machine:

CapEff: 000001ffffffffff
NoNewPrivs: 0
Seccomp: 0

Because ppp0 and ppp1 were never created, services configured with external: ppp0 and external: ppp1 failed too:

danted[549]: error: /etc/danted.conf: problem on line 3 near token "ppp0": could not resolve hostname "ppp0"
danted[568]: error: /etc/danted2.conf: problem on line 3 near token "ppp1": could not resolve hostname "ppp1"

Expected behavior

pppd should be able to open /dev/ppp in the Linux machine, as it did on OrbStack 2.0.5, and L2TP should create ppp0/ppp1.

Actual behavior

On OrbStack 2.2.1, /dev/ppp exists but cannot be opened even as root, returning EPERM. L2TP/IPsec is unusable because PPP interfaces are not created.

Rollback result

After rolling back to OrbStack 2.0.5 with the same machine/configuration, PPP works again:

ppp0 UNKNOWN <redacted-local-ppp-ip-1> peer <redacted-peer-ppp-ip-1>/32
ppp1 UNKNOWN <redacted-local-ppp-ip-2> peer <redacted-peer-ppp-ip-2>/32

Routes and services are restored:

<redacted-private-subnet-1> dev ppp0 scope link
<redacted-private-subnet-2> dev ppp1 scope link
<redacted-private-subnet-3> dev ppp1 scope link

danted.service  active (running)
danted2.service active (running)

Question

Was there a change in 2.2.x around Linux machine device access or /dev/ppp/PPP permissions? If so, is there a supported way to allow PPP/L2TP inside an OrbStack Linux machine?
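
The manual checks in the report, gathered into one triage script. This is an added example, not part of the original issue or of OrbStack. It relies on two Linux behaviours: mode-bit denials surface as EACCES, and the PPP driver requires CAP_NET_ADMIN on open. The verdict strings are a heuristic for where to look next and do not identify the cause of this regression.

```python
#!/usr/bin/env python3
# Added example (not from the issue): classify why opening /dev/ppp failed.
import errno
import os
import stat

CAP_NET_ADMIN = 12  # bit index in linux/capability.h; the PPP driver checks it on open
# Values copied from the report above, laid out like /proc/self/status.
REPORTED_STATUS = "CapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"

def parse_status(text):
    """Parse /proc/<pid>/status text into a {field: value} dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def has_cap(status, bit):
    """True if capability number `bit` is set in the effective set."""
    return bool((int(status["CapEff"], 16) >> bit) & 1)

def probe(path="/dev/ppp"):
    """Return (is_ppp_node, errno name or None) for an O_RDWR open of path."""
    is_ppp = False
    try:
        st = os.stat(path)
        # The report shows the node as character device 108, 0.
        is_ppp = stat.S_ISCHR(st.st_mode) and \
            (os.major(st.st_rdev), os.minor(st.st_rdev)) == (108, 0)
        os.close(os.open(path, os.O_RDWR))
        return is_ppp, None
    except OSError as exc:
        return is_ppp, errno.errorcode.get(exc.errno, str(exc.errno))

def verdict(status, is_ppp, err):
    """Heuristic mapping from the open() result to the layer that refused it."""
    if err is None:
        return "ok: open succeeded"
    if not is_ppp or err in ("ENOENT", "ENXIO", "ENODEV"):
        return "node: missing, wrong type/numbers, or no PPP driver behind it"
    if err == "EACCES":
        return "dac: file mode, ACL or a nodev mount refused the open"
    if err == "EPERM" and not has_cap(status, CAP_NET_ADMIN):
        return "caps: CAP_NET_ADMIN is not in the effective set"
    if err == "EPERM":
        return "policy: not mode bits or capabilities; check the device cgroup allow-list"
    return "other: " + err

if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        status = parse_status(fh.read())
    is_ppp, err = probe()
    print("CapEff", status["CapEff"], "Seccomp", status.get("Seccomp"), "open:", err)
    print(verdict(status, is_ppp, err))
```

Run it as root inside the Linux machine on both OrbStack versions and compare the two outputs.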
