.Pp
This option may not work on all platforms.
-.It Va Broadcast Li = yes | no Po yes Pc Bq experimental
-When disabled, tinc will drop all broadcast and multicast packets, in both router and switch mode.
+.It Va Broadcast Li = no | mst | direct Po mst Pc Bq experimental
+This option selects the way broadcast packets are sent to other daemons.
+NOTE: all nodes in a VPN must use the same
+.Va Broadcast
+mode, otherwise routing loops can form.
+
+.Bl -tag -width indent
+.It no
+Broadcast packets are never sent to other nodes.
+
+.It mst
+Broadcast packets are sent and forwarded via the VPN's Minimum Spanning Tree.
+This ensures broadcast packets reach all nodes.
+
+.It direct
+Broadcast packets are sent directly to all nodes that can be reached directly.
+Broadcast packets received from other nodes are never forwarded.
+If the IndirectData option is also set, broadcast packets will only be sent to nodes which we have a meta connection to.
+.El
.It Va ConnectTo Li = Ar name
Specifies which other tinc daemon to connect to on startup.
When combined with the IndirectData option,
packets for nodes for which we do not have a meta connection with are also dropped.
+.It Va ECDSAPrivateKeyFile Li = Ar filename Po Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /ecdsa_key.priv Pc
+The file in which the private ECDSA key of this tinc daemon resides.
+This is only used if
+.Va ExperimentalProtocol
+is enabled.
+
+.It Va ExperimentalProtocol Li = yes | no Po no Pc Bq experimental
+When this option is enabled, experimental protocol enhancements will be used.
+Ephemeral ECDH will be used for key exchanges,
+and ECDSA will be used instead of RSA for authentication.
+When enabled, an ECDSA key must have been generated before with
+.Nm tincctl generate-ecdsa-keys .
+The experimental protocol may change at any time,
+and there is no guarantee that tinc will run stable when it is used.
+
.It Va Forwarding Li = off | internal | kernel Po internal Pc Bq experimental
This option selects the way indirect packets are forwarded.
.Bl -tag -width indent
.Pp
This does not affect resolving hostnames to IP addresses from the
-host configuration files.
+host configuration files, but whether hostnames should be resolved while logging.
.It Va IffOneQueue Li = yes | no Po no Pc Bq experimental
(Linux only) Set IFF_ONE_QUEUE flag on TUN/TAP devices.
When this option is used the priority of the tincd process will be adjusted.
Increasing the priority may help to reduce latency and packet loss on the VPN.
+.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
+Use a proxy when making outgoing connections.
+The following proxy types are currently supported:
+.Bl -tag -width indent
+.It socks4 Ar address Ar port Op Ar username
+Connects to the proxy using the SOCKS version 4 protocol.
+Optionally, a
+.Ar username
+can be supplied which will be passed on to the proxy server.
+Only IPv4 connections can be proxied using SOCKS 4.
+.It socks5 Ar address Ar port Op Ar username Ar password
+Connect to the proxy using the SOCKS version 5 protocol.
+If a
+.Ar username
+and
+.Ar password
+are given, basic username/password authentication will be used,
+otherwise no authentication will be used.
+.It http Ar address Ar port
+Connects to the proxy and sends a HTTP CONNECT request.
+.It exec Ar command
+Executes the given
+.Ar command
+which should set up the outgoing connection.
+The environment variables
+.Ev NAME ,
+.Ev NODE ,
+.Ev REMOTEADDRES
+and
+.Ev REMOTEPORT
+are available.
+.El
+
.It Va ReplayWindow Li = Ar bytes Pq 16
-This is the size of the replay tracking window for each remote node, in bytes.
+vhis is the size of the replay tracking window for each remote node, in bytes.
The window is a bitfield which tracks 1 packet per bit, so for example
the default setting of 16 will track up to 128 packets in the window. In high
bandwidth scenarios, setting this to a higher value can reduce packet loss from