diff --git a/src/system.c b/src/system.c
index 0d12b2e4..bf9c800c 100644
--- a/src/system.c
+++ b/src/system.c
@@ -38,6 +38,16 @@ void kill_on_parent_kill(int sig)
 #endif
 }
+void pr_set_undumpable(const char *mod)
+{
+#ifdef __linux__
+ if (prctl(PR_SET_DUMPABLE, 0) == -1) {
+ int e = errno;
+ syslog(LOG_ERR, "%s: prctl(PR_SET_DUMPABLE) failed %s",
+ mod, strerror(e));
+ }
+#endif
+}
 SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler)
 {
diff --git a/src/system.h b/src/system.h
index 9e3bf64c..dbe532e0 100644
--- a/src/system.h
+++ b/src/system.h
@@ -36,6 +36,7 @@ typedef void (*sighandler_t)(int);
 # define SIGHANDLER_T sighandler_t
 #endif
+void pr_set_undumpable(const char* mod);
 void kill_on_parent_kill(int sig);
 SIGHANDLER_T ocsignal(int signum, SIGHANDLER_T handler);
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 83ecf5ec..a5301af8 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -779,6 +779,9 @@ void vpn_server(struct worker_st *ws)
 if (ws->config->auth_timeout)
 alarm(ws->config->auth_timeout);
+ /* do not allow this process to be traced. That
+ * prevents worker processes tracing each other. */
+ pr_set_undumpable("worker");
 if (ws->config->seccomp != 0) {
 ret = disable_system_calls(ws);
 if (ret < 0) {
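Review bot: pr_set_undumpable() only syslogs when prctl(PR_SET_DUMPABLE, 0) fails, so a worker whose hardening did not take effect keeps running with tracing allowed and the caller has no way to tell; returning the status, `int pr_set_undumpable(const char *mod)` with `return -1;` in the failure branch and `return 0;` at the end, lets the caller decide whether to abort the worker. A header comment should also state what the flag actually buys: on Linux a non-dumpable process cannot be ptrace-attached by another unprivileged process of the same UID and produces no core dump, a tracer holding CAP_SYS_PTRACE is unaffected, and the kernel resets the flag when the effective UID or GID changes, so the call must come after any privilege drop. The non-Linux build is a silent no-op, which deserves a comment of its own. kill_on_parent_kill's body begins before this hunk and ocsignal's continues after it.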
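Review bot: The new prototype is written `const char* mod` while the definition in system.c and the neighbouring declarations bind the `*` to the name; the header line should read `void pr_set_undumpable(const char *mod);`. A one-line comment on the declaration, such as `/* Linux only: clear the dumpable flag so same-UID processes cannot ptrace us; no-op elsewhere, failure is only logged. */`, would save readers a trip to the .c file to learn that the function can silently do nothing.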
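Review bot: Whether this call protects anything depends on its position relative to a privilege drop, because Linux resets the dumpable flag when the effective UID or GID changes, and the hunk does not show where, or whether, the worker changes credentials; if that happens later in vpn_server the protection is silently undone, so the call belongs after that point, or the comment should record that the worker's credentials are already final here. The added comment also overstates the effect: the flag blocks ptrace from unprivileged same-UID processes and disables core dumps, but not a tracer with CAP_SYS_PTRACE. Suggested wording: `/* Clear the dumpable flag so sibling workers (same UID) cannot ptrace this process; CAP_SYS_PTRACE can still attach and core dumps are disabled. Must stay after any setuid/setgid. */`. Since pr_set_undumpable() reports prctl failure only via syslog, nothing at this call site will notice if the hardening did not apply. vpn_server continues past the end of this hunk.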