-If you make it shorter, a lot of time and bandwidth is spent
-negotiating over the new keys. If you make it longer, you make
-yourself more vulnerable to crackers, because they have more data to
-work with. The best value depends on the speed of the link, and the
-amount of data that goes over it.
-.TP
-\fBListenPort = \fIport\fR
-Listen on local port \fIport\fR. The computer connecting to this
-daemon should use this number as the argument for his
-\fBConnectPort\fR. Again, the default is 655.
-.TP
-\fBMyOwnVPNIP = \fInetwork address\fR[\fB/\fImaskbits\fR]
-The \fInetwork address\fR is the number that the daemon will propagate
-to other daemons on the network when it is identifying itself. Hence
-this will be the file name of the passphrase file that the other end
-expects to find the passphrase in.
+This does not affect resolving hostnames to IP addresses from the configuration
+file.
+.TP
+\fBIndirectData\fR = <\fIyes|no\fR> (no)
+This option specifies whether other tinc daemons besides the one you
+specified with \fBConnectTo\fR can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible
+to make a connection from the outside to your tinc daemon. Otherwise,
+it is best to leave this option out or set it to no.
+.TP
+\fBInterface\fR = <\fIdevice\fR> (optional)
+If you have more than one network interface in your computer, tinc will by
+default listen on all of them for incoming connections. It is possible to
+bind tinc to a single interface like eth0 or ppp0 with this variable.
+.TP
+\fBInterfaceIP\fR = <\fIlocal address\fR> (optional)
+If your computer has more than one IP address on a single interface (for example
+if you are running virtual hosts), tinc will by default listen on all of them for
+incoming connections. It is possible to bind tinc to a single IP address with
+this variable. It is still possible to listen on several interfaces at the same
+time though, if they share the same IP address.
+.TP
+\fBKeyExpire\fR = <\fIseconds\fR> (3600)
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+.TP
+\fBListenPort\fR = <\fIport\fR> (655)
+Listen on local port \fIport\fR. The computer connecting to this daemon should
+use this number as the argument for his \fBConnectPort\fR.
+.TP
+\fBMyOwnVPNIP\fR = <\fIlocal address[/maskbits]\fR> (required)
+The \fIlocal address\fR is the number that the daemon will propagate to
+other daemons on the network when it is identifying itself. Hence this
+will be the file name of the passphrase file that the other end expects
+to find the passphrase in.
+
+The local address is the IP address of the tap device, not the real IP
+address of the host running tincd. Due to changes in recent kernels, it
+is also necessary that you make the ethernet (also known as MAC) address
+equal to the IP address (see the example).