Added hardening to confine its system capability to what SoftEther requires

systemd/softether-vpnbridge.service

@@ -10,6 +10,15 @@ ExecStop=/opt/vpnbridge/vpnbridge stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnbridge
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE
+
+
 [Install]
 WantedBy=multi-user.target
 

systemd/softether-vpnclient.service

@@ -11,6 +11,14 @@ ExecStop=/opt/vpnclient/vpnclient stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnclient
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE
+
 [Install]
 WantedBy=multi-user.target
 

systemd/softether-vpnserver.service

@@ -11,6 +11,15 @@ ExecStop=/opt/vpnserver/vpnserver stop
 KillMode=process
 Restart=on-failure
 
+# Hardening
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/opt/vpnserver
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE 
+
+
 [Install]
 WantedBy=multi-user.target