diff --git a/Conectividad/Hysteria2/FixHysteriaCaddy.sh b/Conectividad/Hysteria2/FixHysteriaCaddy.sh
new file mode 100644
index 0000000..161e07f
--- /dev/null
+++ b/Conectividad/Hysteria2/FixHysteriaCaddy.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Estado actual: grupo tlsreaders, membresías, ACLs de Caddy y drop-in de systemd con SupplementaryGroups.
+
+set -euo pipefail
+
+BASE="/var/lib/caddy/.local/share/caddy"
+CERT_DIR="$BASE/certificates"
+TLS_GROUP="tlsreaders"
+HY_USER="hysteria"
+CADDY_USER="caddy"
+SERVICE="hysteria-server.service"
+DROPIN_DIR="/etc/systemd/system/${SERVICE}.d"
+DROPIN_FILE="${DROPIN_DIR}/acl.conf"
+
+# 1) Grupo y membresías (solo lo existente)
+if ! getent group "$TLS_GROUP" >/dev/null; then
+ sudo groupadd -r "$TLS_GROUP"
+fi
+id "$HY_USER" >/dev/null 2>&1 && sudo usermod -aG "$TLS_GROUP" "$HY_USER" || true
+id "$CADDY_USER" >/dev/null 2>&1 && sudo usermod -aG "$TLS__GROUP_PLACEHOLDER_DO_NOT_USE" "$CADDY_USER" || true
+
+# 2) ACLs de traversal en cadena de directorios hasta certificados
+PARENTS=(/var /var/lib /var/lib/caddy /var/lib/caddy/.local /var/lib/caddy/.local/share /var/lib/caddy/.local/share/caddy "$CERT_DIR")
+for p in "${PARENTS[@]}"; do
+ [ -d "$p" ] && sudo setfacl -m g:${TLS_GROUP}:rx "$p" || true
+done
+
+# 3) ACLs en árbol de Caddy: dirs rx + default rx; ficheros .key/.crt/.pem r
+if [ -d "$BASE" ]; then
+ sudo find "$BASE" -type d -exec setfacl -m g:${TLS_GROUP}:rx {} \; -exec setfacl -d -m g:${TLS_GROUP}:rx {} \;
+ sudo find "$BASE" -type f \( -name "*.key" -o -name "*.crt" -o -name "*.pem" \) -exec setfacl -m g:${TLS_GROUP}:r {} \;
+fi
+
+# 4) Drop-in de systemd
+sudo install -d -m 0755 "$DROPIN_DIR"
+sudo tee "$DROPIN_FILE" >/dev/null <<'EOF'
+[Service]
+SupplementaryGroups=tlsreaders
+# Opcional: si activas ProtectSystem/ProtectHome en el futuro:
+# ReadOnlyPaths=/var/lib/caddy/.local/share/caddy
+EOF
+
+# 5) Recargar y reiniciar servicio
+sudo systemctl daemon-reload
+sudo systemctl restart "$SERVICE"
+
+echo "Estado reproducido sin extras."
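Review bot: The systemd drop-in written by the `sudo tee "$DROPIN_FILE"` heredoc hardcodes `SupplementaryGroups=tlsreaders` while every other step derives the group from `$TLS_GROUP`, so changing the variable would leave the unit pointing at a group hysteria is not a member of and the final `systemctl restart` would lose certificate access; since the heredoc body contains no other `$` expansions, `sudo tee "$DROPIN_FILE" >/dev/null <<EOF` with `SupplementaryGroups=${TLS_GROUP}` keeps them in sync. The `id "$HY_USER" ... && sudo usermod ... || true` lines also swallow a failing usermod, not just a missing user, so the script can reach the restart with hysteria still outside the group; `if id "$HY_USER" >/dev/null 2>&1; then sudo usermod -aG "$TLS_GROUP" "$HY_USER"; fi` keeps the intended best-effort on a missing user while letting a real usermod error stop the script under `set -e`. The default ACL `setfacl -d -m g:${TLS_GROUP}:rx` on directories presumably is meant to cover files Caddy writes on renewal, but a new file's effective ACL is bounded by the mask derived from its creation mode, so if Caddy creates keys 0600 the group entry may be ineffective until this script is re-run — worth confirming against a renewed certificate rather than relying on it. Note also that the `find "$BASE" -type f` grant gives the group read on every private key under the Caddy tree, not only the certificate hysteria serves; if tighter scope is wanted, point the file grant at the narrower subdirectory of `$CERT_DIR` that holds that certificate.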