+.It Va ProcessPriority Li = low | normal | high
+When this option is used the priority of the
+.Nm tincd
+process will be adjusted.
+Increasing the priority may help to reduce latency and packet loss on the VPN.
+.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
+Use a proxy when making outgoing connections.
+The following proxy types are currently supported:
+.Bl -tag -width indent
+.It socks4 Ar address Ar port Op Ar username
+Connects to the proxy using the SOCKS version 4 protocol.
+Optionally, a
+.Ar username
+can be supplied which will be passed on to the proxy server.
+Only IPv4 connections can be proxied using SOCKS 4.
+.It socks5 Ar address Ar port Op Ar username Ar password
+Connect to the proxy using the SOCKS version 5 protocol.
+If a
+.Ar username
+and
+.Ar password
+are given, basic username/password authentication will be used,
+otherwise no authentication will be used.
+.It http Ar address Ar port
+Connects to the proxy and sends a HTTP CONNECT request.
+.It exec Ar command
+Executes the given
+.Ar command
+which should set up the outgoing connection.
+The environment variables
+.Ev NAME ,
+.Ev NODE ,
+.Ev REMOTEADDRES
+and
+.Ev REMOTEPORT
+are available.
+.El
+.It Va ReplayWindow Li = Ar bytes Pq 32
+This is the size of the replay tracking window for each remote node, in bytes.
+The window is a bitfield which tracks 1 packet per bit, so for example
+the default setting of 32 will track up to 256 packets in the window. In high
+bandwidth scenarios, setting this to a higher value can reduce packet loss from
+the interaction of replay tracking with underlying real packet loss and/or
+reordering. Setting this to zero will disable replay tracking completely and
+pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
+traffic.
+.It Va Sandbox Li = off | normal | high Po normal Pc
+Use process sandbox on some operating systems where it is supported (currently that's OpenBSD).
+Using this directive on other operating systems with levels higher than
+.Ar off
+will cause
+.Nm tincd
+to exit with an error.
+The goal is to limit the impact of possible remote attacks against the
+.Nm tincd
+daemon by running it with lowest privileges necessary for the required features to work.
+The following levels are provided:
+.Bl -tag -width indent
+.It off
+Disable sandbox.
+No restrictions are put on
+.Nm tincd ,
+all functionality works as if this feature did not exist.
+.It normal
+The default level which aims to be safe for most users.
+Adds some level of protection with only minor reductions in functionality.
+For example, executables located in non-standard paths may not be available as
+.Nm tincd
+scripts or
+.Ar exec
+proxies, and configuration reloading may not work for some variables, forcing you to restart
+.Nm tincd
+to apply new settings.
+.It high
+Fully disables
+.Ar exec
+proxies and
+.Nm tincd
+scripts, with the exception of initial
+.Nm tinc-up
+and
+.Nm subnet-up .
+This allows
+.Nm tincd
+to block large parts of operating system interface that may be useful to attackers.
+Strongly consider using this level if you need neither of these features.
+.El
+.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
+When this option is enabled tinc will only use Subnet statements which are
+present in the host config files in the local
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
+directory. Subnets learned via connections to other nodes and which are not
+present in the local host config files are ignored.