diff --git a/extras/wg-netns@.service b/extras/wg-netns@.service
index 2f6262d..7aa5578 100644
--- a/extras/wg-netns@.service
+++ b/extras/wg-netns@.service
@@ -13,7 +13,35 @@ RemainAfterExit=yes
 WorkingDirectory=%E/wireguard
 ConfigurationDirectory=wireguard
-ConfigurationDirectoryMode=700
+ConfigurationDirectoryMode=0700
+ReadOnlyPaths=%E/wireguard
+ReadWritePaths=%E/netns
+
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
+LimitNOFILE=4096
+LimitNPROC=512
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=mnt net
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target
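Review bot: `ProtectSystem=strict` makes /run read-only and, together with `PrivateMounts=true`, runs the service in its own mount namespace with slave propagation, so if this unit still creates the namespace via `ip netns add` (the ExecStart line is outside the hunk) the bind mount under /run/netns would either fail or stay invisible to the host and could disappear once the ExecStart process exits despite `RemainAfterExit=yes`; this needs a check on a real host before merging, and `ReadWritePaths=%E/netns /run/netns` is the minimal change if writes are the only problem. `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK` omits AF_UNIX, which `wg` needs to reach a userspace WireGuard implementation and which any hook that talks to resolved or D-Bus needs; if those paths are supported, use `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX`. The set stops short of a seccomp filter; if the unit relies on `ip netns`, `SystemCallFilter=@system-service @mount` is the matching starting point, since the mount(2) behind the namespace bind mount is not in @system-service. `ReadOnlyPaths=%E/wireguard` is redundant under `ProtectSystem=strict` but harmless.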