+If you don't specify a host with ConnectTo, regardless of whether a
+value for ConnectPort is given, tinc won't connect at all, and will
+instead just listen for incoming connections.
+
+@item Hostnames = <yes|no> (no)
+@cindex Hostnames
+This option selects whether IP addresses (both real and on the VPN)
+should be resolved. Since DNS lookups are blocking, it might affect
+tinc's efficiency, even stopping the daemon for a few seconds everytime
+it does a lookup if your DNS server is not responding.
+
+This does not affect resolving hostnames to IP addresses from the
+configuration file.
+
+@item Interface = <device>
+@cindex Interface
+If you have more than one network interface in your computer, tinc will
+by default listen on all of them for incoming connections. It is
+possible to bind tinc to a single interface like eth0 or ppp0 with this
+variable.
+
+@item InterfaceIP = <local address>
+@cindex InterfaceIP
+If your computer has more than one IP address on a single interface (for
+example if you are running virtual hosts), tinc will by default listen
+on all of them for incoming connections. It is possible to bind tinc to
+a single IP address with this variable. It is still possible to listen
+on several interfaces at the same time though, if they share the same IP
+address.
+
+@item KeyExpire = <seconds> (3600)
+@cindex KeyExpire
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+
+@item @strong{Name = <name>}
+@cindex Name
+This is a symbolic name for this connection. It can be anything
+
+@item PingTimeout = <seconds> (60)
+@cindex PingTimeout
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
+same amount of seconds, the connection is terminated, and the others
+will be notified of this.
+
+@item PrivateKey = <key> [obsolete]
+@cindex PrivateKey
+This is the RSA private key for tinc. However, for safety reasons it is
+advised to store private keys of any kind in separate files. This prevents
+accidental eavesdropping if you are editting the configuration file.
+
+@item @strong{PrivateKeyFile = <path>} [recommended]
+@cindex PrivateKeyFile
+This is the full path name of the RSA private key file that was
+generated by ``tincd --generate-keys''. It must be a full path, not a
+relative directory.
+
+@item @strong{TapDevice = <device>} (/dev/tap0 or /dev/net/tun)
+@cindex TapDevice
+The ethertap device to use. Note that you can only use one device per
+daemon. The info pages of the tinc package contain more information
+about configuring an ethertap device for Linux.
+
+@end table
+
+
+@c ==================================================================
+@node Host configuration variables, How to configure, Main configuration variables, Configuration files
+@subsection Host configuration variables
+
+@table @asis
+@item @strong{Address = <IP address|hostname>} [recommended]
+@cindex Address
+This variable is only required if you want to connect to this host. It
+must resolve to the external IP address where the host can be reached,
+not the one that is internal to the VPN.
+
+@item IndirectData = <yes|no> (no) [experimental]
+@cindex IndirectData
+This option specifies whether other tinc daemons besides the one you
+specified with ConnectTo can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible to
+make a connection from the outside to your tinc daemon. Otherwise, it
+is best to leave this option out or set it to no.
+
+@item Port = <port> (655)
+@cindex Port
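Review bot: the description under "@item @strong{Name = <name>}" stops mid-sentence at "It can be anything", with no closing punctuation and no statement of what a name may or may not contain; please complete the sentence before this goes in. Under IndirectData, the text says the option "specifies whether other tinc daemons ... can make a direct connection to you" but never says which of yes or no permits direct connections, so a reader behind a firewall cannot tell which value to set; state the effect of each value explicitly. Under PrivateKey, "prevents accidental eavesdropping" is vague about the actual risk (the key being visible while the configuration file is open or shared); a sentence naming that risk would make the recommendation to use PrivateKeyFile clearer. Minor spelling: "everytime" under Hostnames should be "every time", and "editting" under PrivateKey should be "editing".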