+@node Main configuration variables, Host configuration variables, Configuration files, Configuration files
+@subsection Main configuration variables
+
+@table @asis
+@item @strong{ConnectTo = <name>}
+@cindex ConnectTo
+Specifies which host to connect to on startup. Multiple ConnectTo
+variables may be specified, if connecting to the first one fails then
+tinc will try the next one, and so on. It is possible to specify
+hostnames for dynamic IP addresses (like those given on dyndns.org),
+tinc will not cache the resolved IP address.
+
+If you don't specify a host with ConnectTo, regardless of whether a
+value for ConnectPort is given, tinc won't connect at all, and will
+instead just listen for incoming connections.
+
+@item Hostnames = <yes|no> (no)
+@cindex Hostnames
+This option selects whether IP addresses (both real and on the VPN)
+should be resolved. Since DNS lookups are blocking, it might affect
+tinc's efficiency, even stopping the daemon for a few seconds everytime
+it does a lookup if your DNS server is not responding.
+
+This does not affect resolving hostnames to IP addresses from the
+configuration file.
+
+@item Interface = <device>
+@cindex Interface
+If you have more than one network interface in your computer, tinc will
+by default listen on all of them for incoming connections. It is
+possible to bind tinc to a single interface like eth0 or ppp0 with this
+variable.
+
+@item InterfaceIP = <local address>
+@cindex InterfaceIP
+If your computer has more than one IP address on a single interface (for
+example if you are running virtual hosts), tinc will by default listen
+on all of them for incoming connections. It is possible to bind tinc to
+a single IP address with this variable. It is still possible to listen
+on several interfaces at the same time though, if they share the same IP
+address.
+
+@item KeyExpire = <seconds> (3600)
+@cindex KeyExpire
+This option controls the time the encryption keys used to encrypt the data
+are valid. It is common practice to change keys at regular intervals to
+make it even harder for crackers, even though it is thought to be nearly
+impossible to crack a single key.
+
+@item @strong{Name = <name>}
+@cindex Name
+This is a symbolic name for this connection. It can be anything
+
+@item PingTimeout = <seconds> (60)
+@cindex PingTimeout
+The number of seconds of inactivity that tinc will wait before sending a
+probe to the other end. If that other end doesn't answer within that
+same amount of seconds, the connection is terminated, and the others
+will be notified of this.
+
+@item PrivateKey = <key> [obsolete]
+@cindex PrivateKey
+This is the RSA private key for tinc. However, for safety reasons it is
+advised to store private keys of any kind in separate files. This prevents
+accidental eavesdropping if you are editting the configuration file.
+
+@item @strong{PrivateKeyFile = <path>} [recommended]
+@cindex PrivateKeyFile
+This is the full path name of the RSA private key file that was
+generated by ``tincd --generate-keys''. It must be a full path, not a
+relative directory.
+
+@item @strong{TapDevice = <device>} (/dev/tap0 or /dev/net/tun)
+@cindex TapDevice
+The ethertap device to use. Note that you can only use one device per
+daemon. The info pages of the tinc package contain more information
+about configuring an ethertap device for Linux.
+
+@end table