+.It Va ProcessPriority Li = low | normal | high
+When this option is used the priority of the
+.Nm tincd
+process will be adjusted.
+Increasing the priority may help to reduce latency and packet loss on the VPN.
+.It Va Proxy Li = socks4 | socks5 | http | exec Ar ... Bq experimental
+Use a proxy when making outgoing connections.
+The following proxy types are currently supported:
+.Bl -tag -width indent
+.It socks4 Ar address Ar port Op Ar username
+Connects to the proxy using the SOCKS version 4 protocol.
+Optionally, a
+.Ar username
+can be supplied which will be passed on to the proxy server.
+Only IPv4 connections can be proxied using SOCKS 4.
+.It socks5 Ar address Ar port Op Ar username Ar password
+Connect to the proxy using the SOCKS version 5 protocol.
+If a
+.Ar username
+and
+.Ar password
+are given, basic username/password authentication will be used,
+otherwise no authentication will be used.
+.It http Ar address Ar port
+Connects to the proxy and sends a HTTP CONNECT request.
+.It exec Ar command
+Executes the given
+.Ar command
+which should set up the outgoing connection.
+The environment variables
+.Ev NAME ,
+.Ev NODE ,
+.Ev REMOTEADDRES
+and
+.Ev REMOTEPORT
+are available.
+.El
+.It Va ReplayWindow Li = Ar bytes Pq 32
+This is the size of the replay tracking window for each remote node, in bytes.
+The window is a bitfield which tracks 1 packet per bit, so for example
+the default setting of 32 will track up to 256 packets in the window. In high
+bandwidth scenarios, setting this to a higher value can reduce packet loss from
+the interaction of replay tracking with underlying real packet loss and/or
+reordering. Setting this to zero will disable replay tracking completely and
+pass all traffic, but leaves tinc vulnerable to replay-based attacks on your
+traffic.
+.It Va StrictSubnets Li = yes | no Po no Pc Bq experimental
+When this option is enabled tinc will only use Subnet statements which are
+present in the host config files in the local
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
+directory. Subnets learned via connections to other nodes and which are not
+present in the local host config files are ignored.
+.It Va TunnelServer Li = yes | no Po no Pc Bq experimental
+When this option is enabled tinc will no longer forward information between other tinc daemons,
+and will only allow connections with nodes for which host config files are present in the local
+.Pa @sysconfdir@/tinc/ Ns Ar NETNAME Ns Pa /hosts/
+directory.
+Setting this options also implicitly sets StrictSubnets.
+.It Va UDPDiscovery Li = yes | no Po yes Pc
+When this option is enabled tinc will try to establish UDP connectivity to nodes,
+using TCP while it determines if a node is reachable over UDP. If it is disabled,
+tinc always assumes a node is reachable over UDP.
+Note that tinc will never use UDP with nodes that have
+.Va TCPOnly
+enabled.
+.It Va UDPDiscoveryKeepaliveInterval Li = Ar seconds Pq 9
+The minimum amount of time between sending UDP ping datagrams to check UDP connectivity once it has been established.
+Note that these pings are large, since they are used to verify link MTU as well.
+.It Va UDPDiscoveryInterval Li = Ar seconds Pq 2
+The minimum amount of time between sending UDP ping datagrams to try to establish UDP connectivity.
+.It Va UDPDiscoveryTimeout Li = Ar seconds Pq 30
+If tinc doesn't receive any UDP ping replies over the specified interval,
+it will assume UDP communication is broken and will fall back to TCP.
+.It Va UDPInfoInterval Li = Ar seconds Pq 5
+The minimum amount of time between sending periodic updates about UDP addresses, which are mostly useful for UDP hole punching.
+.It Va UDPRcvBuf Li = Ar bytes Pq 1048576
+Sets the socket receive buffer size for the UDP socket, in bytes.
+If set to zero, the default buffer size will be used by the operating system.
+Note: this setting can have a significant impact on performance, especially raw throughput.
+.It Va UDPSndBuf Li = Ar bytes Pq 1048576
+Sets the socket send buffer size for the UDP socket, in bytes.
+If set to zero, the default buffer size will be used by the operating system.
+Note: this setting can have a significant impact on performance, especially raw throughput.
+.It Va UPnP Li = yes | udponly | no Po no Pc
+If this option is enabled then tinc will search for UPnP-IGD devices on the local network.
+It will then create and maintain port mappings for tinc's listening TCP and UDP ports.
+If set to "udponly", tinc will only create a mapping for its UDP (data) port, not for its TCP (metaconnection) port.
+Note that tinc must have been built with miniupnpc support for this feature to be available.
+Furthermore, be advised that enabling this can have security implications, because the miniupnpc library that
+tinc uses might not be well-hardened with regard to malicious UPnP replies.
+.It Va UPnPDiscoverWait Li = Ar seconds Pq 5
+The amount of time to wait for replies when probing the local network for UPnP devices.
+.It Va UPnPRefreshPeriod Li = Ar seconds Pq 60
+How often tinc will re-add the port mapping, in case it gets reset on the UPnP device. This also controls the duration of the port mapping itself, which will be set to twice that duration.