diff --git a/binaries/aarch64/tpws b/binaries/aarch64/tpws
index a4b10c4..e4190a7 100755
Binary files a/binaries/aarch64/tpws and b/binaries/aarch64/tpws differ
diff --git a/binaries/armhf/tpws b/binaries/armhf/tpws
index 42b80b9..995daf3 100755
Binary files a/binaries/armhf/tpws and b/binaries/armhf/tpws differ
diff --git a/binaries/mips32r1-lsb/tpws b/binaries/mips32r1-lsb/tpws
index c8c035e..1945c0e 100755
Binary files a/binaries/mips32r1-lsb/tpws and b/binaries/mips32r1-lsb/tpws differ
diff --git a/binaries/mips32r1-msb/tpws b/binaries/mips32r1-msb/tpws
index a1259a1..8890585 100755
Binary files a/binaries/mips32r1-msb/tpws and b/binaries/mips32r1-msb/tpws differ
diff --git a/binaries/mips64r2-msb/tpws b/binaries/mips64r2-msb/tpws
index 04d1949..c319d97 100755
Binary files a/binaries/mips64r2-msb/tpws and b/binaries/mips64r2-msb/tpws differ
diff --git a/binaries/ppc/tpws b/binaries/ppc/tpws
index aada087..f088d87 100755
Binary files a/binaries/ppc/tpws and b/binaries/ppc/tpws differ
diff --git a/binaries/x86/tpws b/binaries/x86/tpws
index 2346f50..3e1c1b5 100755
Binary files a/binaries/x86/tpws and b/binaries/x86/tpws differ
diff --git a/binaries/x86_64/tpws b/binaries/x86_64/tpws
index b5c284e..3783c81 100755
Binary files a/binaries/x86_64/tpws and b/binaries/x86_64/tpws differ
diff --git a/docs/compile/openwrt/package/zapret/tpws/Makefile b/docs/compile/openwrt/package/zapret/tpws/Makefile
index f8dc5cf..3f8dfc7 100644
--- a/docs/compile/openwrt/package/zapret/tpws/Makefile
+++ b/docs/compile/openwrt/package/zapret/tpws/Makefile
@@ -12,7 +12,7 @@ define Package/tpws
 CATEGORY:=Network
 TITLE:=tpws
 SUBMENU:=Zapret
- DEPENDS:=+zlib
+ DEPENDS:=+zlib +libcap
 endef
 define Build/Prepare
diff --git a/tpws/tpws.c b/tpws/tpws.c
index 8614374..72c146d 100644
--- a/tpws/tpws.c
+++ b/tpws/tpws.c
@@ -23,6 +23,7 @@
 #include
 #include
 #include
+#include
 #include "tpws.h"
 #include "tpws_conn.h"
@@ -789,6 +790,26 @@ void daemonize()
 /* stderror */
 }
+bool dropcaps()
+{
+ cap_t capabilities;
+
+ capabilities = cap_init();
+ if (cap_clear(capabilities))
+ {
+ perror("cap_init");
+ return false;
+ }
+ if (cap_set_proc(capabilities))
+ {
+ perror("cap_set_proc");
+ cap_free(capabilities);
+ return false;
+ }
+ cap_free(capabilities);
+ return true;
+}
+
 bool droproot()
 {
 if (params.uid || params.gid)
@@ -804,9 +825,10 @@ bool droproot()
 return false;
 }
 }
- return true;
+ return dropcaps();
 }
+
 bool writepid(const char *filename)
 {
 FILE *F;
@@ -1002,7 +1024,7 @@ int main(int argc, char *argv[]) {
 perror("setsockopt (SO_KEEPALIVE): ");
 goto exiterr;
 }
-
+
 //Mark that this socket can be used for transparent proxying
 //This allows the socket to accept connections for non-local IPs
 if (setsockopt(listen_fd, SOL_IP, IP_TRANSPARENT, &yes, sizeof(yes)) == -1)
@@ -1027,7 +1049,7 @@ int main(int argc, char *argv[]) {
 perror("listen: ");
 goto exiterr;
 }
-
+
 //splice() causes the process to receive the SIGPIPE-signal if one part (for
 //example a socket) is closed during splice(). I would rather have splice()
 //fail and return -1, so blocking SIGPIPE.
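Review bot: In the new dropcaps() the return value of `cap_init()` is never tested. A NULL handle is only caught indirectly when `cap_clear()` rejects it, at which point errno describes the cap_clear failure while the message printed is "cap_init". If cap_clear ever failed on a valid handle, that branch would also return without `cap_free(capabilities)`. Since cap_init() already returns a state with all flags cleared, I would test it directly and give the cap_clear branch its own label and cleanup, as below.

```c
bool dropcaps()
{
	cap_t capabilities;

	capabilities = cap_init();
	if (!capabilities)
	{
		perror("cap_init");
		return false;
	}
	if (cap_clear(capabilities))
	{
		perror("cap_clear");
		cap_free(capabilities);
		return false;
	}
	// … unchanged: cap_set_proc, cap_free, return true …
}
```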
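Review bot: `return dropcaps();` at the end of droproot() runs even when neither `params.uid` nor `params.gid` is set, so a root-started process stays uid 0 with empty capability sets, and that case should be documented at the call site. cap_set_proc() changes only the effective, permitted and inheritable sets; the bounding set and root's ownership-based file access are untouched, so this is a reduction rather than a full privilege drop. I would add `/* also runs when no uid/gid is configured: uid 0 is kept, only the capability sets are emptied */` above the return, and consider `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);` next to it if tpws never execs a helper. Any socket option or bind in main that needs CAP_NET_ADMIN must already have run when droproot() is called; that call site and the start of droproot() are outside this hunk, so the ordering should be confirmed.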