diff --git a/init/README.md b/init/README.md index 1c843d0..d26328b 100644 --- a/init/README.md +++ b/init/README.md @@ -65,4 +65,4 @@ To keep our unit files tidy, we haven't littered them with comments. So here we - **`LimitNPROC=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea. - **`PrivateTmp=true`** keeps /tmp and /var/tmp private, which are discarded after caddy stops. - **`ProtectSystem=full`** allows writing to /var, which is crucial so that it can store certificates and other data for your site. -- **`AmbientCapabilities=CAP_NET_BIND_SERVICE`** allows caddy to bind to low ports (< 1024) without running as root. +- **`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`** allows caddy to modify socket options and bind to low ports (< 1024) without running as root. diff --git a/init/caddy-api.service b/init/caddy-api.service index 2510106..89dc043 100644 --- a/init/caddy-api.service +++ b/init/caddy-api.service @@ -23,7 +23,7 @@ LimitNOFILE=1048576 LimitNPROC=512 PrivateTmp=true ProtectSystem=full -AmbientCapabilities=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target diff --git a/init/caddy.service b/init/caddy.service index db0710e..541d65e 100644 --- a/init/caddy.service +++ b/init/caddy.service @@ -30,7 +30,7 @@ LimitNOFILE=1048576 LimitNPROC=512 PrivateTmp=true ProtectSystem=full -AmbientCapabilities=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
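Review bot: the new README bullet understates what `CAP_NET_ADMIN` grants; "modify socket options" covers only a small part of it, and readers will make their hardening decisions based on this line. Per capabilities(7) the capability also permits interface and routing-table configuration, netfilter administration, binding to non-local addresses and enabling promiscuous mode, so it is a much broader grant than `CAP_NET_BIND_SERVICE`. Suggest naming the specific socket option or feature that motivates it and saying plainly that the capability is wider than that use, e.g. "allows caddy to set privileged socket options (and, as a side effect, grants broader network administration rights)", so operators who do not need the feature know they can drop it.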
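Review bot: in the caddy-api.service hunk the unit gains `CAP_NET_ADMIN` while the surrounding sandboxing (`PrivateTmp=true`, `ProtectSystem=full`) does nothing to constrain network administration, so the effective privilege of the service rises noticeably. Suggest pairing the new line with an explicit `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` so the bounding set is limited to exactly these two capabilities, and consider whether the capability should be enabled only for deployments that use the feature requiring it rather than in the default unit.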
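Review bot: the caddy.service hunk is the same one-line change as in caddy-api.service, and nothing in either unit or the commit records which Caddy feature requires `CAP_NET_ADMIN`. Since these unit files deliberately carry no comments, suggest stating the concrete requirement in the commit message or PR description so the grant can be reviewed and removed later if that feature is dropped, and keep the two units (and the README bullet) updated together whenever the capability list changes.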