diff --git a/Cargo.lock b/Cargo.lock
index 6a55993..66ffb3f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -230,6 +230,18 @@ dependencies = [
  "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
+[[package]]
+name = "nix"
+version = "0.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cc 1.0.47 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cfg-if 0.1.10 (registry+https://github.com/rust-lang/crates.io-index)",
+ "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
+ "void 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "nom"
 version = "4.2.3"
@@ -254,6 +266,15 @@ name = "ppv-lite86"
 version = "0.2.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 
+[[package]]
+name = "privdrop"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "libc 0.2.66 (registry+https://github.com/rust-lang/crates.io-index)",
+ "nix 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.6"
@@ -551,6 +572,7 @@ dependencies = [
  "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
  "net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)",
  "pkg-config 0.3.17 (registry+https://github.com/rust-lang/crates.io-index)",
+ "privdrop 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
  "rand 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "ring 0.16.9 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde 1.0.103 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -728,10 +750,12 @@ dependencies = [
 "checksum memchr 2.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "88579771288728879b57485cc7d6b07d648c9f0141eb955f8ab7f9d45394468e"
 "checksum net2 0.2.33 (registry+https://github.com/rust-lang/crates.io-index)" = "42550d9fb7b6684a6d404d9fa7250c2eb2646df731d1c06afc06dcee9e1bcf88"
 "checksum nix 0.14.1 (registry+https://github.com/rust-lang/crates.io-index)" = "6c722bee1037d430d0f8e687bbdbf222f27cc6e4e68d5caf630857bb2b6dbdce"
+"checksum nix 0.15.0 (registry+https://github.com/rust-lang/crates.io-index)" = "3b2e0b4f3320ed72aaedb9a5ac838690a8047c7b275da22711fddff4f8a14229"
 "checksum nom 4.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2ad2a91a8e869eeb30b9cb3119ae87773a8f4ae617f41b1eb9c154b2905f7bd6"
 "checksum percent-encoding 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "31010dd2e1ac33d5b46a5b413495239882813e0369f8ed8a5e266f173602f831"
 "checksum pkg-config 0.3.17 (registry+https://github.com/rust-lang/crates.io-index)" = "05da548ad6865900e60eaba7f589cc0783590a92e940c26953ff81ddbab2d677"
 "checksum ppv-lite86 0.2.6 (registry+https://github.com/rust-lang/crates.io-index)" = "74490b50b9fbe561ac330df47c08f3f33073d2d00c150f719147d7c54522fa1b"
+"checksum privdrop 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "432c2e1a6d9d56e3c14710a9b807ade349c48ccd5647bcda9a175f40f81ca5a9"
 "checksum proc-macro2 1.0.6 (registry+https://github.com/rust-lang/crates.io-index)" = "9c9e470a8dc4aeae2dee2f335e8f533e2d4b347e1434e5671afc49b054592f27"
 "checksum quote 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "053a8c8bcc71fcce321828dc897a98ab9760bef03a4fc36693c231e5b3216cfe"
 "checksum rand 0.4.6 (registry+https://github.com/rust-lang/crates.io-index)" = "552840b97013b1a26992c11eac34bdd778e464601a4c2054b5f0bff7c6761293"
diff --git a/Cargo.toml b/Cargo.toml
index 339ba33..9d00d05 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,6 +28,7 @@ igd = "0.9"
 siphasher = "0.3"
 daemonize = "0.4"
 ring = "0.16"
+privdrop = "0.3"
 
 [build-dependencies]
 cc = "^1"
diff --git a/src/main.rs b/src/main.rs
index 267a58d..fb1b77a 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -277,6 +277,16 @@ fn run<P: Protocol>(config: Config) {
             daemonize = daemonize.pid_file(pid_file).chown_pid_file(true);
         }
         try_fail!(daemonize.start(), "Failed to daemonize: {}");
+    } else if config.user.is_some() || config.group.is_some() {
+        info!("Dropping privileges");
+        let mut pd = privdrop::PrivDrop::default();
+        if let Some(user) = config.user {
+            pd = pd.user(user);
+        }
+        if let Some(group) = config.group {
+            pd = pd.group(group);
+        }
+        try_fail!(pd.apply(), "Failed to drop privileges: {}");
     }
     cloud.run();
     if let Some(script) = config.ifdown {
diff --git a/src/usage.txt b/src/usage.txt
index 0a7a9ce..93e6a96 100644
--- a/src/usage.txt
+++ b/src/usage.txt
@@ -31,8 +31,8 @@ Options:
                                     interface.
     --pid-file <file>               Store the process id in this file when
                                     daemonizing.
-    --user <user>                   Run as other user when daemonizing.
-    --group <group>                 Run as other group when daemonizing.
+    --user <user>                   Run as other user.
+    --group <group>                 Run as other group.
     --log-file <file>               Print logs also to this file.
     --stats-file <file>             Print statistics to this file.
     --no-port-forwarding            Disable automatic port forward.
diff --git a/vpncloud.md b/vpncloud.md
index c5f39ee..93630e5 100644
--- a/vpncloud.md
+++ b/vpncloud.md
@@ -146,8 +146,7 @@ vpncloud(1) -- Peer-to-peer VPN
   * `--group <group>`:
 
     Change the user and/or group of the process once all the setup has been
-    done and before spawning the background process. This option is only used
-    when running in background.
+    done.
 
   * `--log-file <file>`: