diff --git a/CMakeLists.txt b/CMakeLists.txt
index a6edcc0f..9ced8d4a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -95,6 +95,9 @@ if(UNIX)
 COMMAND tr \n \;
 OUTPUT_VARIABLE CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
 ERROR_QUIET)
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib")
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd")
+ list(APPEND CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/lib/systemd/system")
 endif()
 
 include(CPack)
diff --git a/systemd/softether-vpnserver.service b/systemd/softether-vpnserver.service
index 15427ad6..37adff98 100644
--- a/systemd/softether-vpnserver.service
+++ b/systemd/softether-vpnserver.service
@@ -16,8 +16,11 @@ Restart=on-failure
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
-ReadOnlyDirectories=/
-ReadWriteDirectories=-@DIR@/softether/vpnserver
+ReadOnlyPaths=/
+ReadWritePaths=-@DIR@/softether/vpnserver
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/run/softether
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/log/softether
+ReadWritePaths=@CPACK_PACKAGING_INSTALL_PREFIX@/var/lib/softether
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYSLOG CAP_SETUID
 
 [Install]
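Review bot: The three appended literals (`/lib`, `/lib/systemd`, `/lib/systemd/system`) are not tied to the directory the unit file is actually installed into. If that destination changes, for example to `/usr/lib/systemd/system`, the exclusion silently stops matching and the RPM would again list directories owned by other packages as its own. A comment above the first `list(APPEND ...)` would record the intent, e.g. `# Directories owned by other packages; keep in sync with the systemd unit install path`. Because the preceding `execute_process` runs with `ERROR_QUIET`, these three may be the only entries when rpm is absent on the build host, which is worth stating in the same comment. The enclosing `if(UNIX)` block starts outside the hunk.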
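Review bot: The three added `ReadWritePaths=` entries lack the `-` prefix that the `@DIR@/softether/vpnserver` line above them carries, so a missing directory makes the unit fail at namespace setup instead of being skipped. This matters most for `.../run/softether`: `/run` is normally a tmpfs, so the directory has to be recreated on every boot, and nothing in this hunk does that. Either prefix the entries, e.g. `ReadWritePaths=-@CPACK_PACKAGING_INSTALL_PREFIX@/run/softether`, or, if the prefix is always empty in packaged builds, let systemd create and own the directory with `RuntimeDirectory=softether`. With `ReadOnlyPaths=/` in effect, a comment listing which directories the daemon is expected to write to would also make later additions to this allow-list easier to review.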