diff --git a/Dockerfile b/Dockerfile
index c7aa9043..d7c0a77e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
       org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
       org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
       org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
-      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
+      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
       org.label-schema.version="" \
       image-size="17.1MB" \
       ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
     PROTOCOL=udp \
     REGION="CA Montreal" \
     BLOCK_MALICIOUS=off \
-    EXTRA_SUBNETS=
+    EXTRA_SUBNETS= \
+    NONROOT=
 ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
diff --git a/Dockerfile.arm32v6 b/Dockerfile.arm32v6
index 8afd8518..241d66a2 100644
--- a/Dockerfile.arm32v6
+++ b/Dockerfile.arm32v6
@@ -1,4 +1,4 @@
-ARG ALPINE_VERSION=3.8
+ARG ALPINE_VERSION=3.9
 
 FROM arm32v6/alpine:${ALPINE_VERSION}
 ARG BUILD_DATE
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
       org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
       org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
       org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
-      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
+      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
       org.label-schema.version="" \
       image-size="15.6MB" \
       ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
     PROTOCOL=udp \
     REGION="CA Montreal" \
     BLOCK_MALICIOUS=off \
-    EXTRA_SUBNETS=
+    EXTRA_SUBNETS= \
+    NONROOT=
 ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8
index ef4cbbe7..ba5161a7 100644
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@@ -1,4 +1,4 @@
-ARG ALPINE_VERSION=3.8
+ARG ALPINE_VERSION=3.9
 
 FROM arm64v8/alpine:${ALPINE_VERSION}
 ARG BUILD_DATE
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
       org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
       org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
       org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
-      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall" \
+      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
       org.label-schema.version="" \
       image-size="16.7MB" \
       ram-usage="13MB to 80MB" \
@@ -24,7 +24,8 @@ ENV USER= \
     PROTOCOL=udp \
     REGION="CA Montreal" \
     BLOCK_MALICIOUS=off \
-    EXTRA_SUBNETS=
+    EXTRA_SUBNETS= \
+    NONROOT=
 ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
diff --git a/README.md b/README.md
index d00f7d37..1248faf3 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,7 @@
   - Username and password
   - Malicious DNS blocking
   - Extra subnets allowed by firewall
+  - Run openvpn without root (but will give reconnect problems)
 - Connect other containers to it
 - The *iptables* firewall allows traffic only with needed PIA servers (IP addresses, port, protocol) combination
 - OpenVPN restarts on failure using another PIA IP address for the same region
@@ -136,6 +137,7 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
 | `BLOCK_MALICIOUS` | `off` | `on` or `off` |
 | `USER` | | Your PIA username |
 | `PASSWORD` | | Your PIA password |
+| `NONROOT` | | Run OpenVPN without root, `yes` or other |
 | `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
 
 `EXTRA_SUBNETS` can be in example: `192.168.1.0/24,192.168.10.121,10.0.0.5/28`
@@ -220,6 +222,7 @@ services:
       - ENCRYPTION=strong
       - REGION=CA Montreal
       - EXTRA_SUBNETS=
+      - NONROOT=
     restart: always
   nginx:
     image: nginx:alpine
diff --git a/entrypoint.sh b/entrypoint.sh
index d20c7f85..484ec266 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -179,9 +179,11 @@ exitOnError $? "Cannot add 'auth-retry nointeract' to $TARGET_PATH/config.ovpn"
 # Prevents auth_failed infinite loops - make it interact? Remove persist-tun? nobind?
 echo "pull-filter ignore \"auth-token\"" >> "$TARGET_PATH/config.ovpn"
 exitOnError $? "Cannot add 'pull-filter ignore \"auth-token\"' to $TARGET_PATH/config.ovpn"
-# Runs openvpn without root, as nonrootuser
-echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn"
-exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn"
+# Runs openvpn without root, as nonrootuser if specified
+if [ "$NONROOT" = "yes" ]; then
+  echo "user nonrootuser" >> "$TARGET_PATH/config.ovpn"
+  exitOnError $? "Cannot add 'user nonrootuser' to $TARGET_PATH/config.ovpn"
+fi
 # Note: TUN device re-opening will restart the container due to permissions
 printf "DONE\n"