-.TP
-\fBInterface\fR = <\fIdevice\fR> (optional)
-If you have more than one network interface in your computer, tinc will by
-default listen on all of them for incoming connections. It is possible to
-bind tinc to a single interface like eth0 or ppp0 with this variable.
-.TP
-\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
-If your computer has more than one IP address on a single interface (for example
-if you are running virtual hosts), tinc will by default listen on all of them for
-incoming connections. It is possible to bind tinc to a single IP address with
-this variable. It is still possible to listen on several interfaces at the same
-time though, if they share the same IP address.
-.TP
-\fBKeyExpire\fR = <\fIseconds\fR> (3600)
-This option controls the time the encryption keys used to encrypt the data
-are valid. It is common practice to change keys at regular intervals to
-make it even harder for crackers, even though it is thought to be nearly
-impossible to crack a single key.
-.TP
-\fBName\fR = <\fIname\fR> (required)
-This is the name which identifies this tinc daemon. It must be unique for
-the virtual private network this daemon will connect to.
-.TP
-\fBPingTimeout\fR = <\fIseconds\fR> (5)
-The number of seconds of inactivity that tinc will wait before sending a
-probe to the other end. If that other end doesn't answer within that
-same amount of seconds, the connection is terminated, and the others
-will be notified of this.
-.TP
-\fBPrivateKey\fR = <\fIkey\fR> (required)
-The private RSA key of this tinc daemon. It will allow this tinc daemon to
-authenticate itself to other daemons.
-.TP
-\fBTapDevice\fR = <\fIdevice\fR> (/dev/tap0)
-The ethertap or tun/tap device to use. tinc will automatically detect what
-kind of tapdevice it is.
-Note that you can only use one device per
-daemon. The info pages of the tinc package contain more information
-about configuring an ethertap device for Linux.
-.PP
-.SH "HOST CONFIGURATION FILES"
-The host configuration files contain all information needed to establish a
-connection to those hosts. A host configuration file is also required for the
-local tinc daemon, it will use it to read in it's listen port, public key and
-subnets.
-
-The idea is that these files are ``portable''. You can safely mail your own host
-configuration file to someone else. That other person can then copy it to his
-own hosts directory, and now his tinc daemon will be able to connect to your
-tinc daemon. Since host configuration files only contain public keys, no secrets
-are revealed by sending out this information.
-.PP
-.TP
-\fBAddress\fR = <\fIIP address\fR> (required)
-The real address or hostname of this tinc daemon.
-.TP
-\fBPort\fR = <\fIport number\fR> (655)
-The port on which this tinc daemon is listening for incoming connections.
-.TP
-\fBPublicKey\fR = <\fIkey\fR> (required)
-The public RSA key of this tinc daemon. It will be used to cryptographically
-verify it's identity and to set up a secure connection.
-.TP
-\fBSubnet\fR = <\fIaddress/masklength\fR> (optional)
-The subnet which this tinc daemon will serve. tinc tries to look up which other
-daemon it should send a packet to by searching the appropiate subnet. If the
-packet matches a subnet, it will be sent to the daemon who has this subnet in his
-host configuration file. Multiple subnet lines can be specified.
-
-At the moment, this directive is only used in the host configuration file of
-the local tinc daemon itself. In upcoming versions of tinc, it will be possible to
-restrict other hosts in which subnets they server.
-
-The subnets must be in a form like \fI192.168.1.0/24\fR, where 192.168.1.0 is the
-network address and 24 is the number of bits set in the netmask. Note that subnets
-like \fI192.168.1.1/24\fR are invalid! Read a networking howto/FAQ/guide if you
-don't understand this.
-.SH "FILES"
-.TP
-\fI/etc/tinc/\fR
+.It Va Interface Li = Ar interface
+Defines the name of the interface corresponding to the virtual network device.
+Depending on the operating system and the type of device this may or may not actually set the name.
+Currently this option only affects the Linux tun/tap device.
+.It Va KeyExpire Li = Ar period Pq 3600
+This option controls the period the encryption keys used to encrypt the data are valid.
+It is common practice to change keys at regular intervals to make it even harder for crackers,
+even though it is thought to be nearly impossible to crack a single key.
+.It Va MACExpire Li = Ar period Pq 600
+This option controls the amount of time MAC addresses are kept before they are removed.
+This only has effect when
+.Va Mode
+is set to
+.Qq switch .
+.It Va MaxTimeout Li = Ar period Pq 900
+This is the maximum delay before trying to reconnect to other tinc daemons.
+.It Va Mode Li = router | switch | hub Pq router
+This option selects the way packets are routed to other daemons.
+.Bl -tag -width indent
+.It router
+In this mode
+.Va Subnet
+variables in the host configuration files will be used to form a routing table.
+Only unicast packets of routable protocols (IPv4 and IPv6) are supported in this mode.
+.It switch
+In this mode the MAC addresses of the packets on the VPN will be used to
+dynamically create a routing table just like an Ethernet switch does.
+Unicast, multicast and broadcast packets of every protocol that runs over Ethernet are supported in this mode
+at the cost of frequent broadcast ARP requests and routing table updates.
+.It hub
+This mode is almost the same as the switch mode, but instead
+every packet will be broadcast to the other daemons
+while no routing table is managed.
+.El
+.It Va Name Li = Ar name Bq required
+This is the name which identifies this tinc daemon.
+It must be unique for the virtual private network this daemon will connect to.
+.It Va PingTimeout Li = Ar period Pq 60
+The number of seconds of inactivity that
+.Nm tinc
+will wait before sending a probe to the other end.
+If that other end doesn't answer within that same amount of time,
+the connection is terminated,
+and the others will be notified of this.
+.It Va PriorityInheritance Li = yes | no Po no Pc Bq experimental
+When this option is enabled the value of the TOS field of tunneled IPv4 packets
+will be inherited by the UDP packets that are sent out.
+.It Va PrivateKey Li = Ar key Bq obsolete
+The private RSA key of this tinc daemon.
+It will allow this tinc daemon to authenticate itself to other daemons.
+.It Va PrivateKeyFile Li = Ar filename Bq recommended
+The file in which the private RSA key of this tinc daemon resides.
+Note that there must be exactly one of
+.Va PrivateKey
+or
+.Va PrivateKeyFile
+specified in the configuration file.
+.El
+.Sh HOST CONFIGURATION FILES
+The host configuration files contain all information needed
+to establish a connection to those hosts.
+A host configuration file is also required for the local tinc daemon,
+it will use it to read in it's listen port, public key and subnets.
+.Pp
+The idea is that these files are portable.
+You can safely mail your own host configuration file to someone else.
+That other person can then copy it to his own hosts directory,
+and now his tinc daemon will be able to connect to your tinc daemon.
+Since host configuration files only contain public keys,
+no secrets are revealed by sending out this information.
+.Bl -tag -width indent
+.It Va Address Li = Ar address Bq recommended
+The IP address or hostname of this tinc daemon on the real network.
+This wil only be used when trying to make an outgoing connection to this tinc daemon.
+Multiple
+.Va Address
+variables can be specified, in which case each address will be tried until a working
+connection has been established.
+.It Va Cipher Li = Ar cipher Pq blowfish
+The symmetric cipher algorithm used to encrypt UDP packets.
+Any cipher supported by OpenSSL is recognised.
+Furthermore, specifying
+.Qq none
+will turn off packet encryption.
+.It Va Compression Li = Ar level Pq 0
+This option sets the level of compression used for UDP packets.
+Possible values are 0 (off), 1 (fast) and any integer up to 9 (best).
+.It Va Digest Li = Ar digest Pq sha1
+The digest algorithm used to authenticate UDP packets.
+Any digest supported by OpenSSL is recognised.
+Furthermore, specifying
+.Qq none
+will turn off packet authentication.
+.It Va IndirectData Li = yes | no Pq no
+This option specifies whether other tinc daemons besides the one you specified with
+.Va ConnectTo
+can make a direct connection to you.
+This is especially useful if you are behind a firewall
+and it is impossible to make a connection from the outside to your tinc daemon.
+Otherwise, it is best to leave this option out or set it to no.
+.It Va MACLength Li = Ar length Pq 4
+The length of the message authentication code used to authenticate UDP packets.
+Can be anything from
+.Qq 0
+up to the length of the digest produced by the digest algorithm.
+.It Va Port Li = Ar port Pq 655
+The port number on which this tinc daemon is listening for incoming connections.
+.It Va PublicKey Li = Ar key Bq obsolete
+The public RSA key of this tinc daemon.
+It will be used to cryptographically verify it's identity and to set up a secure connection.
+.It Va PublicKeyFile Li = Ar filename Bq obsolete
+The file in which the public RSA key of this tinc daemon resides.
+.Pp
+From version 1.0pre4 on
+.Nm tinc
+will store the public key directly into the host configuration file in PEM format,
+the above two options then are not necessary.
+Either the PEM format is used, or exactly one of the above two options must be specified
+in each host configuration file,
+if you want to be able to establish a connection with that host.
+.It Va Subnet Li = Ar address Ns Op Li / Ns Ar prefixlength
+The subnet which this tinc daemon will serve.
+.Nm tinc
+tries to look up which other daemon it should send a packet to by searching the appropriate subnet.
+If the packet matches a subnet,
+it will be sent to the daemon who has this subnet in his host configuration file.
+Multiple
+.Va Subnet
+variables can be specified.
+.Pp
+Subnets can either be single MAC, IPv4 or IPv6 addresses,
+in which case a subnet consisting of only that single address is assumed,
+or they can be a IPv4 or IPv6 network address with a prefixlength.
+Shorthand notations are not supported.
+For example, IPv4 subnets must be in a form like 192.168.1.0/24,
+where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
+Note that subnets like 192.168.1.1/24 are invalid!
+Read a networking HOWTO/FAQ/guide if you don't understand this.
+IPv6 subnets are notated like fec0:0:0:1:0:0:0:0/64.
+MAC addresses are notated like 0:1a:2b:3c:4d:5e.
+.It Va TCPOnly Li = yes | no Pq no
+If this variable is set to yes,
+then the packets are tunnelled over the TCP connection instead of a UDP connection.
+This is especially useful for those who want to run a tinc daemon
+from behind a masquerading firewall,
+or if UDP packet routing is disabled somehow.
+Setting this options also implicitly sets IndirectData.
+.El
+.Sh FILES
+.Bl -tag -width indent
+.It Pa /etc/tinc/
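Review bot: The added MACLength entry (".It Va MACLength Li = Ar length Pq 4") allows "0" without saying what that does. A zero-length MAC leaves UDP packets unauthenticated, so the entry should state this as explicitly as the Cipher and Digest entries do for "none", and it should name the unit of the length. Other documentation points in the same hunk: the change from <seconds> to "Ar period" drops the unit for KeyExpire, MACExpire and MaxTimeout, while PingTimeout still says "The number of seconds of inactivity"; define the unit of a period once. The Interface entry changes meaning from binding the listening socket to naming the virtual network device, and the InterfaceIP and TapDevice entries are removed; unless their replacements are documented in a part of the file not shown here, an existing "Interface = eth0" line will silently behave differently, which deserves a short migration remark. Typos in the added lines: "This wil only be used", "Setting this options", "a IPv4", and "it's" for "its" in "read in it's listen port" and "verify it's identity".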