+@c ==================================================================
+@node Host configuration variables, How to configure, Main configuration variables, Configuration files
+@subsection Host configuration variables
+
+@table @asis
+@cindex Address
+@item @strong{Address = <IP address|hostname>} [recommended]
+This variable is only required if you want to connect to this host. It
+must resolve to the external IP address where the host can be reached,
+not the one that is internal to the VPN.
+
+@cindex Cipher
+@item Cipher = <cipher> (blowfish)
+The symmetric cipher algorithm used to encrypt UDP packets.
+Any cipher supported by OpenSSL is recognized.
+
+@cindex Compression
+@item Compression = <level> (0)
+This option sets the level of compression used for UDP packets.
+Possible values are 0 (off), 1 (fast) and any integer up to 9 (best).
+
+@cindex Digest
+@item Digest = <digest> (sha1)
+The digest algorithm used to authenticate UDP packets.
+Any digest supported by OpenSSL is recognized.
+Furthermore, specifying "none" will turn off packet authentication.
+
+@cindex IndirectData
+@item IndirectData = <yes|no> (no) [experimental]
+This option specifies whether other tinc daemons besides the one you
+specified with ConnectTo can make a direct connection to you. This is
+especially useful if you are behind a firewall and it is impossible to
+make a connection from the outside to your tinc daemon. Otherwise, it
+is best to leave this option out or set it to no.
+
+@cindex MACLength
+@item MACLength = <length> (4)
+The length of the message authentication code used to authenticate UDP packets.
+Can be anything from 0
+up to the length of the digest produced by the digest algorithm.
+
+@cindex Port
+@item Port = <port> (655)
+Connect to the upstream host (given with the ConnectTo directive) on
+port port. port may be given in decimal (default), octal (when preceded
+by a single zero) o hexadecimal (prefixed with 0x). port is the port
+number for both the UDP and the TCP (meta) connections.
+
+@cindex PublicKey
+@item PublicKey = <key> [obsolete]
+This is the RSA public key for this host.
+
+@cindex PublicKeyFile
+@item PublicKeyFile = <path> [obsolete]
+This is the full path name of the RSA public key file that was generated
+by ``tincd --generate-keys''. It must be a full path, not a relative
+directory.
+
+@cindex PEM format
+From version 1.0pre4 on tinc will store the public key directly into the
+host configuration file in PEM format, the above two options then are not
+necessary. Either the PEM format is used, or exactly
+@strong{one of the above two options} must be specified
+in each host configuration file, if you want to be able to establish a
+connection with that host.
+
+@cindex Subnet
+@item Subnet = <address[/masklength]>
+The subnet which this tinc daemon will serve.
+tinc tries to look up which other daemon it should send a packet to by searching the appropiate subnet.
+If the packet matches a subnet,
+it will be sent to the daemon who has this subnet in his host configuration file.
+Multiple subnet lines can be specified for each daemon.
+
+Subnets can either be single MAC, IPv4 or IPv6 addresses,
+in which case a subnet consisting of only that single address is assumed,
+or they can be a IPv4 or IPv6 network address with a masklength.
+For example, IPv4 subnets must be in a form like 192.168.1.0/24,
+where 192.168.1.0 is the network address and 24 is the number of bits set in the netmask.
+Note that subnets like 192.168.1.1/24 are invalid!
+
+@cindex CIDR notation
+masklength is the number of bits set to 1 in the netmask part; for
+example: netmask 255.255.255.0 would become /24, 255.255.252.0 becomes
+/22. This conforms to standard CIDR notation as described in
+@uref{ftp://ftp.isi.edu/in-notes/rfc1519.txt, RFC1519}
+
+@cindex TCPonly
+@item TCPonly = <yes|no> (no) [experimental]
+If this variable is set to yes, then the packets are tunnelled over a
+TCP connection instead of a UDP connection. This is especially useful
+for those who want to run a tinc daemon from behind a masquerading
+firewall, or if UDP packet routing is disabled somehow. This is
+experimental code, try this at your own risk. It may not work at all.
+Setting this options also implicitly sets IndirectData.
+@end table
+
+
+@c ==================================================================
+@node How to configure, , Host configuration variables, Configuration files
+@subsection How to configure
+
+@subsubheading Step 1. Creating the main configuration file
+
+The main configuration file will be called @file{/etc/tinc/netname/tinc.conf}.
+Adapt the following example to create a basic configuration file:
+
+@example
+Name = @emph{yourname}
+Device = @emph{/dev/tap0}
+PrivateKeyFile = /etc/tinc/@emph{netname}/rsa_key.priv
+@end example
+
+Then, if you know to which other tinc daemon(s) yours is going to connect,
+add `ConnectTo' values.
+
+@subsubheading Step 2. Creating your host configuration file
+
+If you added a line containing `Name = yourname' in the main configuarion file,
+you will need to create a host configuration file @file{/etc/tinc/netname/hosts/yourname}.
+Adapt the following example to create a host configuration file:
+
+@example
+Address = @emph{your.real.hostname.org}
+Subnet = @emph{192.168.1.0/24}
+@end example
+
+You can also use an IP address instead of a hostname.
+The `Subnet' specifies the address range that is local for @emph{your part of the VPN only}.
+If you have multiple address ranges you can specify more than one `Subnet'.
+You might also need to add a `Port' if you want your tinc daemon to run on a different port number than the default (655).
+