diff --git a/release/config/sing-box.service b/release/config/sing-box.service
index 41ce3eb4..c3e502f9 100644
--- a/release/config/sing-box.service
+++ b/release/config/sing-box.service
@@ -19,14 +19,15 @@ StateDirectory=sing-box
 Environment=XDG_DATA_HOME=/var/lib/sing-box
 # Hardening options
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 DevicePolicy=closed
 LockPersonality=true
 MemoryAccounting=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
-PrivateDevices=true
+DeviceAllow=/dev/net/tun
+PrivateDevices=false
 PrivateTmp=true
 ProcSubset=pid
 ProtectClock=true
diff --git a/release/config/sing-box@.service b/release/config/sing-box@.service
index 44af4597..f3155837 100644
--- a/release/config/sing-box@.service
+++ b/release/config/sing-box@.service
@@ -19,14 +19,15 @@ StateDirectory=sing-box
 Environment=XDG_DATA_HOME=/var/lib/sing-box
 # Hardening options
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
 DevicePolicy=closed
 LockPersonality=true
 MemoryAccounting=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
-PrivateDevices=true
+DeviceAllow=/dev/net/tun
+PrivateDevices=false
 PrivateTmp=true
 ProcSubset=pid
 ProtectClock=true
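Review bot: `CAP_SYS_PTRACE` and `CAP_DAC_READ_SEARCH` are added to both `CapabilityBoundingSet=` and `AmbientCapabilities=` with no comment naming the feature that needs them, and the identical lines appear in the `sing-box@.service` hunk. `CAP_DAC_READ_SEARCH` bypasses file-read and directory-search permission checks and `CAP_SYS_PTRACE` permits inspecting processes owned by other users, so a compromise of this service would reach considerably more of the host than under the previous two-capability set; if they serve only an optional feature (presumably per-process connection matching, which the diff does not state), a documented drop-in would keep the default unit tight. At minimum put a comment above the two lines, e.g. `# CAP_SYS_PTRACE, CAP_DAC_READ_SEARCH: needed for <feature>; drop both if unused`. Separately, `DeviceAllow=/dev/net/tun` with no access list is, as far as I know, treated as `rwm`; writing `DeviceAllow=/dev/net/tun rw` avoids granting mknod now that `PrivateDevices=false` exposes the host `/dev` to the service.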