@@ -234,7 +234,7 @@ Note that since UDP is connectionless, connection failure

 is defined by the

 .B \-\-ping

 and

-.B \-\-ping-restart

+.B \-\-ping\-restart

 options.

 Note the following corner case:  If you use multiple

@@ -273,7 +273,7 @@ chosen, providing a sort of basic load-balancing and

 failover capability.

 .\"*********************************************************

 .TP

-.B \-\-remote-random-hostname

+.B \-\-remote\-random\-hostname

 Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent

 DNS caching.  For example, "foo.bar.gov" would be modified to

 "<random-chars>.foo.bar.gov".

@@ -292,7 +292,7 @@ and

 An OpenVPN client will try each connection profile sequentially

 until it achieves a successful connection.  

-.B \-\-remote-random

+.B \-\-remote\-random

 can be used to initially "scramble" the connection

 list.

@@ -314,20 +314,20 @@ remote 198.19.34.56 443 tcp

 <connection>

 remote 198.19.34.56 443 tcp

-http-proxy 192.168.0.8 8080

-http-proxy-retry

+http\-proxy 192.168.0.8 8080

+http\-proxy\-retry

 </connection>

 <connection>

 remote 198.19.36.99 443 tcp

-http-proxy 192.168.0.8 8080

-http-proxy-retry

+http\-proxy 192.168.0.8 8080

+http\-proxy\-retry

 </connection>

-persist-key

-persist-tun

+persist\-key

+persist\-tun

 pkcs12 client.p12

-ns-cert-type server

+ns\-cert\-type server

 verb 3

 .in -4

 .ft

@@ -346,30 +346,30 @@ a

 block:

 .B bind,

-.B connect-retry,

-.B connect-retry-max,

-.B connect-timeout,

-.B explicit-exit-notify,

+.B connect\-retry,

+.B connect\-retry\-max,

+.B connect\-timeout,

+.B explicit\-exit\-notify,

 .B float,

 .B fragment,

-.B http-proxy,

-.B http-proxy-option,

-.B http-proxy-retry,

-.B http-proxy-timeout,

-.B link-mtu,

+.B http\-proxy,

+.B http\-proxy\-option,

+.B http\-proxy\-retry,

+.B http\-proxy\-timeout,

+.B link\-mtu,

 .B local,

 .B lport,

 .B mssfix,

-.B mtu-disc,

+.B mtu\-disc,

 .B nobind,

 .B port,

 .B proto,

 .B remote,

 .B rport,

-.B socks-proxy,

-.B socks-proxy-retry,

-.B tun-mtu and

-.B tun-mtu-extra.

+.B socks\-proxy,

+.B socks\-proxy\-retry,

+.B tun\-mtu and

+.B tun\-mtu\-extra.

 A defaulting mechanism exists for specifying options to apply to

 all

@@ -396,14 +396,14 @@ were declared in all

 blocks below it.

 .\"*********************************************************

 .TP

-.B \-\-proto-force p

+.B \-\-proto\-force p

 When iterating through connection profiles,

 only consider profiles using protocol

 .B p

 ('tcp'|'udp'). 

 .\"*********************************************************

 .TP

-.B \-\-remote-random

+.B \-\-remote\-random

 When multiple

 .B \-\-remote

 address/ports are specified, or if connection profiles are being

@@ -418,9 +418,9 @@ for communicating with remote host.

 .B p

 can be

 .B udp,

-.B tcp-client,

+.B tcp\-client,

 or

-.B tcp-server.

+.B tcp\-server.

 The default protocol is

 .B udp

@@ -433,19 +433,19 @@ For UDP operation,

 should be specified on both peers.

 For TCP operation, one peer must use

-.B \-\-proto tcp-server

+.B \-\-proto tcp\-server

 and the other must use

-.B \-\-proto tcp-client.

+.B \-\-proto tcp\-client.

 A peer started with

-.B tcp-server

+.B tcp\-server

 will wait indefinitely for an incoming connection.  A peer

 started with

-.B tcp-client

+.B tcp\-client

 will attempt to connect, and if that fails, will sleep for 5

 seconds (adjustable via the

-.B \-\-connect-retry

+.B \-\-connect\-retry

 option) and try again infinite or up to N retries (adjustable via the

-.B \-\-connect-retry-max

+.B \-\-connect\-retry\-max

 option).  Both TCP client and server will simulate

 a SIGUSR1 restart signal if either side resets the connection.

@@ -465,21 +465,21 @@ application-level UDP protocols, or tunneling protocols which don't

 possess a built-in reliability layer.

 .\"*********************************************************

 .TP

-.B \-\-connect-retry n

+.B \-\-connect\-retry n

 Wait

 .B n

 seconds  between connection attempts (default=5).

 .\"*********************************************************

 .TP

-.B \-\-connect-timeout n

+.B \-\-connect\-timeout n

 For

-.B \-\-proto tcp-client,

+.B \-\-proto tcp\-client,

 set connection timeout to

 .B n

 seconds (default=10).

 .\"*********************************************************

 .TP

-.B \-\-connect-retry-max n

+.B \-\-connect\-retry\-max n

 .B n

 specifies the number of times all

 .B \-\-remote

@@ -491,12 +491,12 @@ as one would try each entry exactly once. A sucessful connection

 resets the counter. (default=umlimited).

 .\"*********************************************************

 .TP

-.B \-\-show-proxy-settings

+.B \-\-show\-proxy\-settings

 Show sensed HTTP or SOCKS proxy settings. Currently, only Windows clients

 support this option.

 .\"*********************************************************

 .TP

-.B \-\-http-proxy server port [authfile|'auto'|'auto-nct'] [auth-method]

+.B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth-method]

 Connect to remote host through an HTTP proxy at address

 .B server

 and port

@@ -506,56 +506,56 @@ If HTTP Proxy-Authenticate is required,

 is a file containing a username and password on 2 lines, or

 "stdin" to prompt from console.

-.B auth-method

+.B auth\-method

 should be one of "none", "basic", or "ntlm".

 HTTP Digest authentication is supported as well, but only via

 the

 .B auto

 or

-.B auto-nct

+.B auto\-nct

 flags (below).

 The

 .B auto

 flag causes OpenVPN to automatically determine the

-.B auth-method

+.B auth\-method

 and query stdin or the management interface for

 username/password credentials, if required.  This flag

 exists on OpenVPN 2.1 or higher.

 The

-.B auto-nct

+.B auto\-nct

 flag (no clear-text auth) instructs OpenVPN to automatically

 determine the authentication method, but to reject weak

 authentication protocols such as HTTP Basic Authentication.

 .\"*********************************************************

 .TP

-.B \-\-http-proxy-retry

+.B \-\-http\-proxy\-retry

 Retry indefinitely on HTTP proxy errors.  If an HTTP proxy error

 occurs, simulate a SIGUSR1 reset.

 .\"*********************************************************

 .TP

-.B \-\-http-proxy-timeout n

+.B \-\-http\-proxy\-timeout n

 Set proxy timeout to

 .B n

 seconds, default=5.

 .\"*********************************************************

 .TP

-.B \-\-http-proxy-option type [parm]

+.B \-\-http\-proxy\-option type [parm]

 Set extended HTTP proxy options.

 Repeat to set multiple options.

-.B VERSION version \-\-

+.B VERSION version --

 Set HTTP version number to

 .B version

 (default=1.0).

-.B AGENT user-agent \-\-

+.B AGENT user-agent --

 Set HTTP "User-Agent" string to

 .B user-agent.

-.B CUSTOM\-HEADER name content \-\-

+.B CUSTOM\-HEADER name content --

 Adds the custom Header with

 .B name

 as name and

@@ -563,7 +563,7 @@ as name and

 as the content of the custom HTTP header.

 .\"*********************************************************

 .TP

-.B \-\-socks-proxy server [port] [authfile]

+.B \-\-socks\-proxy server [port] [authfile]

 Connect to remote host through a Socks5 proxy at address

 .B server

 and port

@@ -574,12 +574,12 @@ and port

 "stdin" to prompt from console.

 .\"*********************************************************

 .TP

-.B \-\-socks-proxy-retry

+.B \-\-socks\-proxy\-retry

 Retry indefinitely on Socks proxy errors.  If a Socks proxy error

 occurs, simulate a SIGUSR1 reset.

 .\"*********************************************************

 .TP

-.B \-\-resolv-retry n

+.B \-\-resolv\-retry n

 If hostname resolve fails for

 .B \-\-remote,

 retry resolve for

@@ -591,7 +591,7 @@ Set

 to "infinite" to retry indefinitely.

 By default,

-.B \-\-resolv-retry infinite

+.B \-\-resolv\-retry infinite

 is enabled.  You can disable by setting n=0.

 .\"*********************************************************

 .TP

@@ -642,7 +642,7 @@ Don't use

 in

 .B \-\-mode server

 mode.  Use a

-.B \-\-client-connect

+.B \-\-client\-connect

 script instead.

 See the "Environmental Variables" section below for

@@ -686,11 +686,11 @@ TCP/UDP port number or name for remote.

 .TP

 .B \-\-bind [ipv6only]

 Bind to local address and port. This is the default unless any of 

-.B \-\-proto tcp-client

+.B \-\-proto tcp\-client

 ,

-.B \-\-http-proxy

+.B \-\-http\-proxy

 or

-.B \-\-socks-proxy

+.B \-\-socks\-proxy

 are used.

 If the

@@ -727,7 +727,7 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while

 devices encapsulate Ethernet 802.3 (OSI Layer 2).

 .\"*********************************************************

 .TP

-.B \-\-dev-type device-type

+.B \-\-dev\-type device-type

 Which device type are we using?

 .B device-type

 should be

@@ -756,7 +756,7 @@ topology.

 If you set this directive on the server, the

 .B \-\-server

 and

-.B \-\-server-bridge

+.B \-\-server\-bridge

 directives will automatically push your chosen topology setting to clients

 as well.  This directive can also be manually pushed to clients.  Like the

 .B \-\-dev

@@ -778,7 +778,7 @@ This mode allocates a single IP address per connecting client.

 Only use

 when none of the connecting clients are Windows systems.  This mode

 is functionally equivalent to the

-.B \-\-ifconfig-pool-linear

+.B \-\-ifconfig\-pool\-linear

 directive which is available in OpenVPN 2.0 and is now deprecated.

 .B subnet \-\-

@@ -806,7 +806,7 @@ changes the interpretation of the arguments of

 to mean "address netmask", no longer "local remote".

 .\"*********************************************************

 .TP

-.B \-\-tun-ipv6

+.B \-\-tun\-ipv6

 Build a tun link capable of forwarding IPv6 traffic.

 Should be used in conjunction with

 .B \-\-dev tun

@@ -818,16 +818,16 @@ if no specific IPv6 TUN support for your OS has been compiled into OpenVPN.

 See below for further IPv6-related configuration options.

 .\"*********************************************************

 .TP

-.B \-\-dev-node node

+.B \-\-dev\-node node

 Explicitly set the device node rather than using

 /dev/net/tun, /dev/tun, /dev/tap, etc.  If OpenVPN

 cannot figure out whether

 .B node

 is a TUN or TAP device based on the name, you should

 also specify

-.B \-\-dev-type tun

+.B \-\-dev\-type tun

 or

-.B \-\-dev-type tap.

+.B \-\-dev\-type tap.

 Under Mac OS X this option can be used to specify the default tun

 implementation. Using

@@ -846,7 +846,7 @@ is named

 in the Network Connections Control Panel or the

 raw GUID of the adapter enclosed by braces.

 The

-.B \-\-show-adapters

+.B \-\-show\-adapters

 option under Windows can also be used

 to enumerate all available TAP-Win32

 adapters and will show both the network

@@ -932,14 +932,14 @@ getting an IP address lease from a DHCP

 server.

 .\"*********************************************************

 .TP

-.B \-\-ifconfig-noexec

+.B \-\-ifconfig\-noexec

 Don't actually execute ifconfig/netsh commands, instead

 pass

 .B \-\-ifconfig

 parameters to scripts using environmental variables.

 .\"*********************************************************

 .TP

-.B \-\-ifconfig-nowarn

+.B \-\-ifconfig\-nowarn

 Don't output an options consistency check warning

 if the

 .B \-\-ifconfig

@@ -947,7 +947,7 @@ option on this side of the

 connection doesn't match the remote side.  This is useful

 when you want to retain the overall benefits of the

 options consistency check (also see

-.B \-\-disable-occ

+.B \-\-disable\-occ

 option) while only disabling the ifconfig component of

 the check.

@@ -955,7 +955,7 @@ For example,

 if you have a configuration where the local host uses

 .B \-\-ifconfig

 but the remote host does not, use

-.B \-\-ifconfig-nowarn

+.B \-\-ifconfig\-nowarn

 on the local host.

 This option will also silence warnings about potential

@@ -977,11 +977,11 @@ while at the same time providing portable semantics

 across OpenVPN's platform space.

 .B netmask

-default \-\- 255.255.255.255

+default -- 255.255.255.255

 .B gateway

-default \-\- taken from

-.B \-\-route-gateway

+default -- taken from

+.B \-\-route\-gateway

 or the second parameter to

 .B \-\-ifconfig

 when

@@ -989,8 +989,8 @@ when

 is specified.

 .B metric

-default \-\- taken from

-.B \-\-route-metric

+default -- taken from

+.B \-\-route\-metric

 otherwise 0.

 The default can be specified by leaving an option blank or setting

@@ -1005,9 +1005,9 @@ also be specified as a DNS or /etc/hosts

 file resolvable name, or as one of three special keywords:

 .B vpn_gateway

-\-\- The remote VPN endpoint address

+-- The remote VPN endpoint address

 (derived either from

-.B \-\-route-gateway

+.B \-\-route\-gateway

 or the second parameter to

 .B \-\-ifconfig

 when

@@ -1015,16 +1015,16 @@ when

 is specified).

 .B net_gateway

-\-\- The pre-existing IP default gateway, read from the routing

+-- The pre-existing IP default gateway, read from the routing

 table (not supported on all OSes).

 .B remote_host

-\-\- The

+-- The

 .B \-\-remote

 address if OpenVPN is being run in client mode, and is undefined in server mode.

 .\"*********************************************************

 .TP

-.B \-\-route-gateway gw|'dhcp'

+.B \-\-route\-gateway gw|'dhcp'

 Specify a default gateway

 .B gw

 for use with

@@ -1037,14 +1037,14 @@ the gateway address will be extracted from a DHCP

 negotiation with the OpenVPN server-side LAN.

 .\"*********************************************************

 .TP

-.B \-\-route-metric m

+.B \-\-route\-metric m

 Specify a default metric

 .B m

 for use with

 .B \-\-route.

 .\"*********************************************************

 .TP

-.B \-\-route-delay [n] [w]

+.B \-\-route\-delay [n] [w]

 Delay

 .B n

 seconds (default=0) after connection

@@ -1052,7 +1052,7 @@ establishment, before adding routes. If

 .B n

 is 0, routes will be added immediately upon connection

 establishment.  If

-.B \-\-route-delay

+.B \-\-route\-delay

 is omitted, routes will be added immediately after TUN/TAP device

 open and

 .B \-\-up

@@ -1070,18 +1070,18 @@ tap adapter addresses.  The delay will give the DHCP handshake

 time to complete before routes are added.

 On Windows,

-.B \-\-route-delay

+.B \-\-route\-delay

 tries to be more intelligent by waiting

 .B w

 seconds (w=30 by default)

 for the TAP-Win32 adapter to come up before adding routes.

 .\"*********************************************************

 .TP

-.B \-\-route-up cmd

+.B \-\-route\-up cmd

 Run command

 .B cmd

 after routes are added, subject to

-.B \-\-route-delay.

+.B \-\-route\-delay.

 .B cmd

 consists of a path to script (or executable program), optionally

@@ -1092,7 +1092,7 @@ See the "Environmental Variables" section below for

 additional parameters passed as environmental variables.

 .\"*********************************************************

 .TP

-.B \-\-route-pre-down cmd

+.B \-\-route\-pre\-down cmd

 Run command

 .B cmd

 before routes are removed upon disconnection.

@@ -1106,13 +1106,13 @@ See the "Environmental Variables" section below for

 additional parameters passed as environmental variables.

 .\"*********************************************************

 .TP

-.B \-\-route-noexec

+.B \-\-route\-noexec

 Don't add or remove routes automatically.  Instead pass routes to

-.B \-\-route-up

+.B \-\-route\-up

 script using environmental variables.

 .\"*********************************************************

 .TP

-.B \-\-route-nopull

+.B \-\-route\-nopull

 When used with

 .B \-\-client

 or

@@ -1126,16 +1126,16 @@ however note that this option still allows the server

 to set the TCP/IP properties of the client's TUN/TAP interface.

 .\"*********************************************************

 .TP

-.B \-\-allow-pull-fqdn

+.B \-\-allow\-pull\-fqdn

 Allow client to pull DNS names from server (rather than being limited

 to IP address) for

 .B \-\-ifconfig,

 .B \-\-route,

 and

-.B \-\-route-gateway.

+.B \-\-route\-gateway.

 .\"*********************************************************

 .TP

-.B \-\-client-nat snat|dnat network netmask alias

+.B \-\-client\-nat snat|dnat network netmask alias

 This pushable client option sets up a stateless one-to-one NAT

 rule on packet addresses (not ports), and is useful in cases

 where routes or ifconfig settings pushed to the client would

@@ -1160,7 +1160,7 @@ for debugging info showing the transformation of src/dest

 addresses in packets.

 .\"*********************************************************

 .TP

-.B \-\-redirect-gateway flags...

+.B \-\-redirect\-gateway flags...

 Automatically execute routing commands to cause all outgoing IP traffic

 to be redirected over the VPN.  This is a client-side option.

@@ -1179,7 +1179,7 @@ Delete the default gateway route.

 .B (3)

 Set the new default gateway to be the VPN endpoint address (derived either from

-.B \-\-route-gateway

+.B \-\-route\-gateway

 or the second parameter to

 .B \-\-ifconfig

 when

@@ -1206,43 +1206,43 @@ Try to automatically determine whether to enable

 .B local

 flag above.

-.B def1 \-\-

+.B def1 --

 Use this flag to override

 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1

 rather than 0.0.0.0/0.  This has the benefit of overriding

 but not wiping out the original default gateway. 

-.B bypass-dhcp \-\-

+.B bypass-dhcp --

 Add a direct route to the DHCP server (if it is non-local) which

 bypasses the tunnel

 (Available on Windows clients, may not be available

 on non-Windows clients).

-.B bypass-dns \-\-

+.B bypass-dns --

 Add a direct route to the DNS server(s) (if they are non-local) which

 bypasses the tunnel

 (Available on Windows clients, may not be available

 on non-Windows clients).

-.B block-local \-\-

+.B block-local --

 Block access to local LAN when the tunnel is active, except for

 the LAN gateway itself.  This is accomplished by routing the local

 LAN (except for the LAN gateway address) into the tunnel.

 .\"*********************************************************

 .TP

-.B \-\-link-mtu n

+.B \-\-link\-mtu n

 Sets an upper bound on the size of UDP packets which are sent

 between OpenVPN peers.  It's best not to set this parameter unless

 you know what you're doing.

 .\"*********************************************************

 .\"*********************************************************

 .TP

-.B \-\-redirect-private [flags]

-Like \-\-redirect-gateway, but omit actually changing the default

+.B \-\-redirect\-private [flags]

+Like \-\-redirect\-gateway, but omit actually changing the default

 gateway.  Useful when pushing private subnets.

 .\"*********************************************************

 .TP

-.B \-\-tun-mtu n

+.B \-\-tun\-mtu n

 Take the TUN device MTU to be

 .B n

 and derive the link MTU

@@ -1264,11 +1264,11 @@ and/or

 options to deal with MTU sizing issues.

 .\"*********************************************************

 .TP

-.B \-\-tun-mtu-extra n

+.B \-\-tun\-mtu\-extra n

 Assume that the TUN/TAP device might return as many as

 .B n

 bytes more than the

-.B \-\-tun-mtu

+.B \-\-tun\-mtu

 size on read.  This parameter defaults to 0, which is sufficient for

 most TUN devices.  TAP devices may introduce additional overhead in excess

 of the MTU size, and a setting of 32 is the default when TAP devices are used.

@@ -1276,30 +1276,30 @@ This parameter only controls internal OpenVPN buffer sizing,

 so there is no transmission overhead associated with using a larger value.

 .\"*********************************************************

 .TP

-.B \-\-mtu-disc type

+.B \-\-mtu\-disc type

 Should we do Path MTU discovery on TCP/UDP channel?  Only supported on OSes such

 as Linux that supports the necessary system call to set.

 .B 'no'

-\-\- Never send DF (Don't Fragment) frames

+-- Never send DF (Don't Fragment) frames

 .br

 .B 'maybe'

-\-\- Use per-route hints

+-- Use per-route hints

 .br

 .B 'yes'

-\-\- Always DF (Don't Fragment)

+-- Always DF (Don't Fragment)

 .br

 .\"*********************************************************

 .TP

-.B \-\-mtu-test

+.B \-\-mtu\-test

 To empirically measure MTU on connection startup,

 add the

-.B \-\-mtu-test

+.B \-\-mtu\-test

 option to your configuration.

 OpenVPN will send ping packets of various sizes

 to the remote peer and measure the largest packets

 which were successfully received.  The

-.B \-\-mtu-test

+.B \-\-mtu\-test

 process normally takes about 3 minutes to complete.

 .\"*********************************************************

 .TP

@@ -1313,7 +1313,7 @@ bytes.

 The

 .B max

 parameter is interpreted in the same way as the

-.B \-\-link-mtu

+.B \-\-link\-mtu

 parameter, i.e. the UDP packet size after encapsulation

 overhead has been added in, but not including

 the UDP header itself.

@@ -1355,7 +1355,7 @@ bytes. The default value is

 The

 .B max

 parameter is interpreted in the same way as the

-.B \-\-link-mtu

+.B \-\-link\-mtu

 parameter, i.e. the UDP packet size after encapsulation

 overhead has been added in, but not including

 the UDP header itself.

@@ -1405,7 +1405,7 @@ Therefore, one could lower the maximum UDP packet size

 to 1300 (a good first try for solving MTU-related

 connection problems) with the following options:

-.B \-\-tun-mtu 1500 \-\-fragment 1300 \-\-mssfix

+.B \-\-tun\-mtu 1500 \-\-fragment 1300 \-\-mssfix

 .\"*********************************************************

 .TP

 .B \-\-sndbuf size

@@ -1424,7 +1424,7 @@ matched in policy routing and packetfilter rules. This option is

 only supported in Linux and does nothing on other operating systems.

 .\"*********************************************************

 .TP

-.B \-\-socket-flags flags...

+.B \-\-socket\-flags flags...

 Apply the given flags to the OpenVPN transport socket.

 Currently, only

 .B TCP_NODELAY

@@ -1516,9 +1516,9 @@ seconds (specify

 on both peers to cause ping packets to be sent in both directions since

 OpenVPN ping packets are not echoed like IP ping packets).

 When used in one of OpenVPN's secure modes (where

-.B \-\-secret, \-\-tls-server,

+.B \-\-secret, \-\-tls\-server,

 or

-.B \-\-tls-client

+.B \-\-tls\-client

 is specified), the ping packet

 will be cryptographically secure.

@@ -1531,11 +1531,11 @@ pass will not time out.

 (2) To provide a basis for the remote to test the existence

 of its peer using the

-.B \-\-ping-exit

+.B \-\-ping\-exit

 option.

 .\"*********************************************************

 .TP

-.B \-\-ping-exit n

+.B \-\-ping\-exit n

 Causes OpenVPN to exit after

 .B n

 seconds pass without reception of a ping

@@ -1543,21 +1543,21 @@ or other packet from remote.

 This option can be combined with

 .B \-\-inactive, \-\-ping,

 and

-.B \-\-ping-exit

+.B \-\-ping\-exit

 to create a two-tiered inactivity disconnect.

 For example,

-.B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping-exit 60

+.B openvpn [options...] \-\-inactive 3600 \-\-ping 10 \-\-ping\-exit 60

 when used on both peers will cause OpenVPN to exit within 60

 seconds if its peer disconnects, but will exit after one

 hour if no actual tunnel data is exchanged.

 .\"*********************************************************

 .TP

-.B \-\-ping-restart n

+.B \-\-ping\-restart n

 Similar to

-.B \-\-ping-exit,

+.B \-\-ping\-exit,

 but trigger a

 .B SIGUSR1

 restart after

@@ -1578,11 +1578,11 @@ If the peer cannot be reached, a restart will be triggered, causing

 the hostname used with

 .B \-\-remote

 to be re-resolved (if

-.B \-\-resolv-retry

+.B \-\-resolv\-retry

 is also specified).

 In server mode,

-.B \-\-ping-restart, \-\-inactive,

+.B \-\-ping\-restart, \-\-inactive,

 or any other type of internally generated signal will always be

 applied to

 individual client instance objects, never to whole server itself.

@@ -1591,14 +1591,14 @@ which would normally cause a restart, will cause the deletion

 of the client instance object instead.

 In client mode, the

-.B \-\-ping-restart

+.B \-\-ping\-restart

 parameter is set to 120 seconds by default.  This default will

 hold until the client pulls a replacement value from the server, based on

 the

 .B \-\-keepalive

 setting in the server configuration.

 To disable the 120 second default, set

-.B \-\-ping-restart 0

+.B \-\-ping\-restart 0

 on the client.

 See the signals section below for more information

@@ -1608,15 +1608,15 @@ on

 Note that the behavior of

 .B SIGUSR1

 can be modified by the

-.B \-\-persist-tun, \-\-persist-key, \-\-persist-local-ip,

+.B \-\-persist\-tun, \-\-persist\-key, \-\-persist\-local\-ip,

 and

-.B \-\-persist-remote-ip

+.B \-\-persist\-remote\-ip

 options.

 Also note that

-.B \-\-ping-exit

+.B \-\-ping\-exit

 and

-.B \-\-ping-restart

+.B \-\-ping\-restart

 are mutually exclusive and cannot be used together.

 .\"*********************************************************

 .TP

@@ -1624,7 +1624,7 @@ are mutually exclusive and cannot be used together.

 A helper directive designed to simplify the expression of

 .B \-\-ping

 and

-.B \-\-ping-restart

+.B \-\-ping\-restart

 in server mode configurations.

 The server timeout is set twice the value of the second argument.

@@ -1640,22 +1640,22 @@ expands as follows:

 .in +4

  if mode server:

    ping 10

-   ping-restart 120

+   ping\-restart 120

    push "ping 10"

-   push "ping-restart 60"

+   push "ping\-restart 60"

  else

    ping 10

-   ping-restart 60

+   ping\-restart 60

 .in -4

 .ft

 .fi

 .\"*********************************************************

 .TP

-.B \-\-ping-timer-rem

+.B \-\-ping\-timer\-rem

 Run the

-.B \-\-ping-exit

+.B \-\-ping\-exit

 /

-.B \-\-ping-restart

+.B \-\-ping\-restart

 timer only if we have a remote address.  Use this option if you are

 starting the daemon in listen mode (i.e. without an explicit

 .B \-\-remote

@@ -1663,12 +1663,12 @@ peer), and you don't want to start clocking timeouts until a remote

 peer connects.

 .\"*********************************************************

 .TP

-.B \-\-persist-tun

+.B \-\-persist\-tun

 Don't close and reopen TUN/TAP device or run up/down scripts

 across

 .B SIGUSR1

 or

-.B \-\-ping-restart

+.B \-\-ping\-restart

 restarts.

 .B SIGUSR1

@@ -1678,11 +1678,11 @@ but which offers finer-grained control over

 reset options.

 .\"*********************************************************

 .TP

-.B \-\-persist-key

+.B \-\-persist\-key

 Don't re-read key files across

 .B SIGUSR1

 or

-.B \-\-ping-restart.

+.B \-\-ping\-restart.

 This option can be combined with

 .B \-\-user nobody

@@ -1698,21 +1698,21 @@ This option solves the problem by persisting keys across

 resets, so they don't need to be re-read.

 .\"*********************************************************

 .TP

-.B \-\-persist-local-ip

+.B \-\-persist\-local\-ip