+@item VpnMask = <mask>
+The mask that defines the scope of the entire VPN. This option is not
+used by the tinc daemon itself, but can be used by startup scripts to
+configure the ethertap devices correctly.
+@end table
+
+
+@c ==================================================================
+@node Host configuration variables, How to configure, Main configuration variables, Configuration file
+@subsection Host configuration variables
+
+@table @asis
+@item @strong{Address = <IP address|hostname>}
+This variable is only required if you want to connect to this host. It
+must resolve to the external IP address where the host can be reached,
+not the one that is internal to the VPN.
+
+@item IndirectData = <yes|no> (no)
+This option specifies whether other tinc daemons besides the one you
+specified with ConnectTo can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible to
+make a connection from the outside to your tinc daemon. Otherwise, it
+is best to leave this option out or set it to no.
+
+@item Port = <port> (655)
+Connect to the upstream host (given with the ConnectTo directive) on
+port port. port may be given in decimal (default), octal (when preceded
+by a single zero) o hexadecimal (prefixed with 0x). port is the port
+number for both the UDP and the TCP (meta) connections.
+
+@item PublicKey = <path>
+This is the full path name of the RSA public key file that was generated
+by ``tincd --generate-keys''. It must be a full path, not a relative
+directory. (NOTE: In version 1.0pre3, this variable was used to give
+the key inline. This is no longer supported.)
+
+@item Subnet = <IP address/maskbits>
+This is the subnet range of all IP addresses that will be accepted by
+the host that defines it. Please be careful that no two subnets
+overlap. Every host @strong{must} have a different range of IP
+addresses that it can handle, otherwise you will see messages like
+`packet comes back to us'.
+
+The range must contain the IP address of the tap device, not the real IP
+address of the host running tincd.
+
+maskbits is the number of bits set to 1 in the netmask part; for
+example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
+/22.
+
+@item TCPonly = <yes|no> (no)
+If this variable is set to yes, then the packets are tunnelled over a
+TCP connection instead of a UDP connection. This is especially useful
+for those who want to run a tinc daemon from behind a masquerading
+firewall, or if UDP packet routing is disabled somehow. @emph{This is
+experimental code, try this at your own risk.}
+@end table
+
+
+@c ==================================================================
+@node How to configure, , Host configuration variables, Configuration file
+@subsection How to configure
+
+@subsubheading Step 1. Creating the key files
+
+For each host, you have to create a pair of RSA keys. One key is your
+private key, which is only known to you. The other one is the public
+key, which you should copy to all hosts wanting to authenticate to you.
+
+
+@subsubheading Step 2. Configuring each host
+
+For every host in the VPN, you have to create two files. First there is
+the main configuration file, @file{/etc/tinc/vpn-name/tinc.conf}. In
+this file there should at least be three directives:
+
+@table @samp
+@item Name
+You should fill in the name of this host (or rather, the name of this
+leaf of the VPN). It can be called after the hostname, the physical
+location, the department, or the name of one of your boss' pets. It can
+be anything, as long as all these names are unique across the entire
+VPN.
+
+@item PrivateKey
+Fill in the full pathname to the file that contains the private RSA key.
+
+@item ConnectTo
+This is the name of the host that you want to connect to (not a DNS
+name, rather the name that is given with the Name parameter in that
+hosts tinc.conf). This is the upstream connection. If your computer is
+a central node, you might want to leave this out to make it stay idle
+until someone connects to it.
+@end table
+
+@cindex host configuration file
+Then you should create a file with the name you gave yourself in
+tinc.conf (the `Name' parameter), located in
+@file{/etc/tinc/vpn-name/hosts/}. In this file, which we call the
+`@emph{host configuration file}', only one variable is required:
+
+@table @samp
+@item Subnet
+The IP range that this host accepts as being `local'. All packets with
+a destination address that is within this subnet will be sent to us.