diff --git a/Dockerfile b/Dockerfile
index 2d56d58b..7ef0c597 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ LABEL org.label-schema.schema-version="1.0.0-rc1" \
       org.label-schema.vcs-usage="https://github.com/qdm12/private-internet-access-docker/blob/master/README.md#setup" \
       org.label-schema.docker.cmd="docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
       org.label-schema.docker.cmd.devel="docker run -it --rm --cap-add=NET_ADMIN --device=/dev/net/tun -e USER=js89ds7 -e PASSWORD=8fd9s239G qmcgaw/private-internet-access" \
-      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
+      org.label-schema.docker.params="REGION=PIA region,PROTOCOL=udp/tcp,ENCRYPTION=strong/normal,BLOCK_MALICIOUS=on/off,BLOCK_NSA=on/off,UNBLOCK=allowed hostnames,USER=PIA user,PASSWORD=PIA password,EXTRA_SUBNETS=extra subnets to allow on the firewall,NONROOT=yes/no" \
       org.label-schema.version="" \
       image-size="17.1MB" \
       ram-usage="13MB to 80MB" \
@@ -27,7 +27,7 @@ ENV USER= \
     BLOCK_NSA=off \
     UNBLOCK= \
     EXTRA_SUBNETS= \
-    NONROOT=
+    NONROOT=no
 ENTRYPOINT /entrypoint.sh
 HEALTHCHECK --interval=3m --timeout=3s --start-period=20s --retries=1 CMD /healthcheck.sh
 RUN apk add -q --progress --no-cache --update openvpn wget ca-certificates iptables unbound unzip && \
diff --git a/README.md b/README.md
index 84f81bc1..a4f84c02 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@
     modprobe tun
     ```
 
-1. **ONLY IF YOU AN ARM DEVICE, depending on your cpu architecture:**
+1. **ONLY IF YOU HAVE AN ARM DEVICE, depending on your cpu architecture:**
 
     ```sh
     # ARM 32 bit V6
@@ -138,8 +138,8 @@ You can simply use the Docker healthcheck. The container will mark itself as **u
 | `ENCRYPTION` | `strong` | `normal` or `strong` |
 | `USER` | | Your PIA username |
 | `PASSWORD` | | Your PIA password |
-| `NONROOT` | | Run OpenVPN without root, `yes` or other |
-| `EXTRA_SUBNETS` | | Comma separated subnets allowed in the container firewall |
+| `NONROOT` | `no` | Run OpenVPN without root, `yes` or other |
+| `EXTRA_SUBNETS` | | comma separated subnets allowed in the container firewall (i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28`) |
 | `BLOCK_MALICIOUS` | `off` | `on` or `off`, blocks malicious hostnames and IPs |
 | `BLOCK_NSA` | `off` | `on` or `off`, blocks NSA hostnames |
 | `UNBLOCK` | | comma separated string (i.e. `web.com,web2.ca`) to unblock hostnames |
diff --git a/docker-compose.yml b/docker-compose.yml
index cf6d02bb..50f7c9b2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,6 +16,7 @@ services:
       - ENCRYPTION=strong
       - REGION=CA Montreal
       - EXTRA_SUBNETS=
+      - NONROOT=no
       - BLOCK_MALICIOUS=off
       - BLOCK_NSA=off
       - UNBLOCK=
diff --git a/entrypoint.sh b/entrypoint.sh
index 8f47167b..1b2d861b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -59,6 +59,7 @@ exitIfNotIn ENCRYPTION "normal,strong"
 exitIfNotIn PROTOCOL "tcp,udp"
 exitIfNotIn BLOCK_MALICIOUS "on,off"
 exitIfNotIn BLOCK_NSA "on,off"
+exitIfNotIn NONROOT "yes,no"
 cat "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn" &> /dev/null
 exitOnError $? "/openvpn/$PROTOCOL-$ENCRYPTION/$REGION.ovpn is not accessible"
 for SUBNET in ${EXTRA_SUBNETS//,/ }; do