@@ -77,14 +77,14 @@ of its crypto capabilities from it.

 OpenVPN supports

 conventional encryption

-using a pre-shared secret key

+using a pre\-shared secret key

 .B (Static Key mode)

 or

 public key security

 .B (SSL/TLS mode)

 using client & server certificates.

 OpenVPN also

-supports non-encrypted TCP/UDP tunnels.  

+supports non\-encrypted TCP/UDP tunnels.

 OpenVPN is designed to work with the

 .B TUN/TAP

@@ -96,7 +96,7 @@ with a relatively lightweight footprint.

 .SH OPTIONS

 OpenVPN allows any option to be placed either on the command line

 or in a configuration file.  Though all command line options are preceded

-by a double-leading-dash ("\-\-"), this prefix can be removed when

+by a double\-leading\-dash ("\-\-"), this prefix can be removed when

 an option is placed in a configuration file.

 .\"*********************************************************

 .TP

@@ -126,7 +126,7 @@ can be used to enclose single parameters containing whitespace,

 and "#" or ";" characters in the first column

 can be used to denote comments.

-Note that OpenVPN 2.0 and higher performs backslash-based shell

+Note that OpenVPN 2.0 and higher performs backslash\-based shell

 escaping for characters not in single quotations,

 so the following mappings should be observed:

@@ -164,7 +164,7 @@ Here is an example configuration file:

 .in +4

 #

 # Sample OpenVPN configuration file for

-# using a pre-shared static key.

+# using a pre\-shared static key.

 #

 # '#' or ';' may be used to delimit comments.

@@ -178,7 +178,7 @@ remote mypeer.mydomain

 # 10.1.0.2 is our remote VPN endpoint

 ifconfig 10.1.0.1 10.1.0.2

-# Our pre-shared static key

+# Our pre\-shared static key

 secret static.key

 .in -4

 .ft

@@ -188,8 +188,8 @@ secret static.key

 .TP

 .B \-\-mode m

 Set OpenVPN major mode.  By default, OpenVPN runs in

-point-to-point mode ("p2p").  OpenVPN 2.0 introduces

-a new mode ("server") which implements a multi-client

+point\-to\-point mode ("p2p").  OpenVPN 2.0 introduces

+a new mode ("server") which implements a multi\-client

 server capability.

 .\"*********************************************************

 .TP

@@ -206,7 +206,7 @@ options may be specified for redundancy, each referring

 to a different OpenVPN server.  Specifying multiple

 .B \-\-remote

 options for this purpose is a special case of the more

-general connection-profile feature.  See the

+general connection\-profile feature.  See the

 .B <connection>

 documentation below.

@@ -243,7 +243,7 @@ the client with

 .B \-\-user

 and/or

 .B \-\-group,

-AND the client is running a non-Windows OS, if the client needs

+AND the client is running a non\-Windows OS, if the client needs

 to switch to a different server, and that server pushes

 back different TUN/TAP or route settings, the client may lack

 the necessary privileges to close and reopen the TUN/TAP interface.

@@ -277,7 +277,7 @@ and IPv6 addresses, in the order getaddrinfo() returns them.

 .B \-\-remote\-random\-hostname

 Prepend a random string (6 bytes, 12 hex characters) to hostname to prevent

 DNS caching.  For example, "foo.bar.gov" would be modified to

-"<random-chars>.foo.bar.gov".

+"<random\-chars>.foo.bar.gov".

 .\"*********************************************************

 .TP

 .B <connection>

@@ -404,7 +404,7 @@ When multiple

 .B \-\-remote

 address/ports are specified, or if connection profiles are being

 used, initially randomize the order of the list

-as a kind of basic load-balancing measure.

+as a kind of basic load\-balancing measure.

 .\"*********************************************************

 .TP

 .B \-\-proto p

@@ -453,12 +453,12 @@ networks.

 This article outlines some of problems with tunneling IP over TCP:

-.I http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

+.I http://sites.inka.de/sites/bigred/devel/tcp\-tcp.html

 There are certain cases, however, where using TCP may be advantageous from

-a security and robustness perspective, such as tunneling non-IP or

-application-level UDP protocols, or tunneling protocols which don't

-possess a built-in reliability layer.

+a security and robustness perspective, such as tunneling non\-IP or

+application\-level UDP protocols, or tunneling protocols which don't

+possess a built\-in reliability layer.

 .\"*********************************************************

 .TP

 .B \-\-connect\-retry n [max]

@@ -489,12 +489,12 @@ Show sensed HTTP or SOCKS proxy settings. Currently, only Windows clients

 support this option.

 .\"*********************************************************

 .TP

-.B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth-method]

+.B \-\-http\-proxy server port [authfile|'auto'|'auto\-nct'] [auth\-method]

 Connect to remote host through an HTTP proxy at address

 .B server

 and port

 .B port.

-If HTTP Proxy-Authenticate is required,

+If HTTP Proxy\-Authenticate is required,

 .B authfile

 is a file containing a username and password on 2 lines, or

 "stdin" to prompt from console. Its content can also be specified

@@ -522,7 +522,7 @@ exists on OpenVPN 2.1 or higher.

 The

 .B auto\-nct

-flag (no clear-text auth) instructs OpenVPN to automatically

+flag (no clear\-text auth) instructs OpenVPN to automatically

 determine the authentication method, but to reject weak

 authentication protocols such as HTTP Basic Authentication.

 .\"*********************************************************

@@ -531,16 +531,16 @@ authentication protocols such as HTTP Basic Authentication.

 Set extended HTTP proxy options.

 Repeat to set multiple options.

-.B VERSION version --

+.B VERSION version \-\-

 Set HTTP version number to

 .B version

 (default=1.0).

-.B AGENT user-agent --

-Set HTTP "User-Agent" string to

-.B user-agent.

+.B AGENT user\-agent \-\-

+Set HTTP "User\-Agent" string to

+.B user\-agent.

-.B CUSTOM\-HEADER name content --

+.B CUSTOM\-HEADER name content \-\-

 Adds the custom Header with

 .B name

 as name and

@@ -588,7 +588,7 @@ at a known address, however if packets arrive from a new

 address and pass all authentication tests, the new address

 will take control of the session.  This is useful when

 you are connecting to a peer which holds a dynamic address

-such as a dial-in user or DHCP client.

+such as a dial\-in user or DHCP client.

 Essentially,

 .B \-\-float

@@ -601,12 +601,12 @@ option.

 .B \-\-ipchange cmd

 Run command

 .B cmd

-when our remote ip-address is initially authenticated or

+when our remote ip\-address is initially authenticated or

 changes.

 .B cmd

 consists of a path to script (or executable program), optionally

-followed by arguments. The path and arguments may be single- or double-quoted

+followed by arguments. The path and arguments may be single\- or double\-quoted

 and/or escaped using a backslash, and should be separated by one or more spaces.

 When

@@ -656,7 +656,7 @@ and

 .B \-\-rport

 options to given port).  The current

 default of 1194 represents the official IANA port number

-assignment for OpenVPN and has been used since version 2.0-beta17.

+assignment for OpenVPN and has been used since version 2.0\-beta17.

 Previous versions used port 5000 as the default.

 .\"*********************************************************

 .TP

@@ -717,9 +717,9 @@ devices encapsulate IPv4 or IPv6 (OSI Layer 3) while

 devices encapsulate Ethernet 802.3 (OSI Layer 2).

 .\"*********************************************************

 .TP

-.B \-\-dev\-type device-type

+.B \-\-dev\-type device\-type

 Which device type are we using?

-.B device-type

+.B device\-type

 should be

 .B tun

 (OSI Layer 3)

@@ -756,13 +756,13 @@ directive, this directive must always be compatible between client and server.

 can be one of:

 .B net30 \-\-

-Use a point-to-point topology, by allocating one /30 subnet per client.

-This is designed to allow point-to-point semantics when some

+Use a point\-to\-point topology, by allocating one /30 subnet per client.

+This is designed to allow point\-to\-point semantics when some

 or all of the connecting clients might be Windows systems.  This is the

 default on OpenVPN 2.0.

 .B p2p \-\-

-Use a point-to-point topology where the remote endpoint of the client's

+Use a point\-to\-point topology where the remote endpoint of the client's

 tun interface always points to the local endpoint of the server's tun interface.

 This mode allocates a single IP address per connecting client.

 Only use

@@ -773,7 +773,7 @@ directive which is available in OpenVPN 2.0, is deprecated and will be

 removed in OpenVPN 2.5

 .B subnet \-\-

-Use a subnet rather than a point-to-point topology by

+Use a subnet rather than a point\-to\-point topology by

 configuring the tun interface with a local IP address and subnet mask,

 similar to the topology used in

 .B \-\-dev tap

@@ -783,7 +783,7 @@ Windows as well.  Only available when server and clients are OpenVPN 2.1 or

 higher, or OpenVPN 2.0.x which has been manually patched with the

 .B \-\-topology

 directive code.  When used on Windows, requires version 8.2 or higher

-of the TAP-Win32 driver.  When used on *nix, requires that the tun

+of the TAP\-Win32 driver.  When used on *nix, requires that the tun

 driver supports an

 .BR ifconfig (8)

 command which sets a subnet instead of a remote endpoint IP address.

@@ -819,7 +819,7 @@ When not specifying a

 .B \-\-dev\-node

 option openvpn will first try to open utun, and fall back to tun.kext.

-On Windows systems, select the TAP-Win32 adapter which

+On Windows systems, select the TAP\-Win32 adapter which

 is named

 .B node

 in the Network Connections Control Panel or the

@@ -827,10 +827,10 @@ raw GUID of the adapter enclosed by braces.

 The

 .B \-\-show\-adapters

 option under Windows can also be used

-to enumerate all available TAP-Win32

+to enumerate all available TAP\-Win32

 adapters and will show both the network

 connections control panel name and the GUID for

-each TAP-Win32 adapter.

+each TAP\-Win32 adapter.

 .TP

 .B \-\-lladdr address

 Specify the link layer address, more commonly known as the MAC address.

@@ -846,7 +846,7 @@ May be used in order to execute OpenVPN in unprivileged environment.

 Set TUN/TAP adapter parameters. 

 .B l

 is the IP address of the local VPN endpoint.

-For TUN devices in point-to-point mode,

+For TUN devices in point\-to\-point mode,

 .B rn

 is the IP address of the remote VPN endpoint.

 For TAP devices, or TUN devices used with

@@ -856,7 +856,7 @@ is the subnet mask of the virtual network segment

 which is being created or connected to.

 For TUN devices, which facilitate virtual

-point-to-point IP connections (when used in

+point\-to\-point IP connections (when used in

 .B \-\-topology net30

 or

 .B p2p

@@ -876,7 +876,7 @@ you will be pinging across the VPN.

 For TAP devices, which provide

 the ability to create virtual

 ethernet segments, or TUN devices in

-.B --topology subnet

+.B \-\-topology subnet

 mode (which create virtual "multipoint networks"),

 .B \-\-ifconfig

 is used to set an IP address and

@@ -956,10 +956,10 @@ while at the same time providing portable semantics

 across OpenVPN's platform space.

 .B netmask

-default -- 255.255.255.255

+default \-\- 255.255.255.255

 .B gateway

-default -- taken from

+default \-\- taken from

 .B \-\-route\-gateway

 or the second parameter to

 .B \-\-ifconfig

@@ -968,7 +968,7 @@ when

 is specified.

 .B metric

-default -- taken from

+default \-\- taken from

 .B \-\-route\-metric

 otherwise 0.

@@ -984,7 +984,7 @@ also be specified as a DNS or /etc/hosts

 file resolvable name, or as one of three special keywords:

 .B vpn_gateway

+\-\- The remote VPN endpoint address

 (derived either from

 .B \-\-route\-gateway

 or the second parameter to

@@ -994,11 +994,11 @@ when

 is specified).

 .B net_gateway

+\-\- The pre\-existing IP default gateway, read from the routing

 table (not supported on all OSes).

 .B remote_host

+\-\- The

 .B \-\-remote

 address if OpenVPN is being run in client mode, and is undefined in server mode.

 .\"*********************************************************

@@ -1013,7 +1013,7 @@ If

 .B dhcp

 is specified as the parameter,

 the gateway address will be extracted from a DHCP

-negotiation with the OpenVPN server-side LAN.

+negotiation with the OpenVPN server\-side LAN.

 .\"*********************************************************

 .TP

 .B \-\-route\-metric m

@@ -1053,7 +1053,7 @@ On Windows,

 tries to be more intelligent by waiting

 .B w

 seconds (w=30 by default)

-for the TAP-Win32 adapter to come up before adding routes.

+for the TAP\-Win32 adapter to come up before adding routes.

 .\"*********************************************************

 .TP

 .B \-\-route\-up cmd

@@ -1064,7 +1064,7 @@ after routes are added, subject to

 .B cmd

 consists of a path to script (or executable program), optionally

-followed by arguments. The path and arguments may be single- or double-quoted

+followed by arguments. The path and arguments may be single\- or double\-quoted

 and/or escaped using a backslash, and should be separated by one or more spaces.

 See the "Environmental Variables" section below for

@@ -1078,7 +1078,7 @@ before routes are removed upon disconnection.

 .B cmd

 consists of a path to script (or executable program), optionally

-followed by arguments. The path and arguments may be single- or double-quoted

+followed by arguments. The path and arguments may be single\- or double\-quoted

 and/or escaped using a backslash, and should be separated by one or more spaces.

 See the "Environmental Variables" section below for

@@ -1096,7 +1096,7 @@ When used with

 .B \-\-client

 or

 .B \-\-pull,

-accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp

+accept options pushed by server EXCEPT for routes, block\-outside\-dns and dhcp

 options like DNS servers.

 When used on the client, this option effectively bars the

@@ -1115,7 +1115,7 @@ and

 .\"*********************************************************

 .TP

 .B \-\-client\-nat snat|dnat network netmask alias

-This pushable client option sets up a stateless one-to-one NAT

+This pushable client option sets up a stateless one\-to\-one NAT

 rule on packet addresses (not ports), and is useful in cases

 where routes or ifconfig settings pushed to the client would

 create an IP numbering conflict.

@@ -1141,14 +1141,14 @@ addresses in packets.

 .TP

 .B \-\-redirect\-gateway flags...

 Automatically execute routing commands to cause all outgoing IP traffic

-to be redirected over the VPN.  This is a client-side option.

+to be redirected over the VPN.  This is a client\-side option.

 This option performs three steps:

 .B (1)

 Create a static route for the

 .B \-\-remote

-address which forwards to the pre-existing default gateway.

+address which forwards to the pre\-existing default gateway.

 This is done so that

 .B (3)

 will not create a routing loop.

@@ -1185,39 +1185,39 @@ Try to automatically determine whether to enable

 .B local

 flag above.

-.B def1 --

+.B def1 \-\-

 Use this flag to override

 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1

 rather than 0.0.0.0/0.  This has the benefit of overriding

 but not wiping out the original default gateway. 

-.B bypass-dhcp --

-Add a direct route to the DHCP server (if it is non-local) which

+.B bypass\-dhcp \-\-

+Add a direct route to the DHCP server (if it is non\-local) which

 bypasses the tunnel

 (Available on Windows clients, may not be available

-on non-Windows clients).

+on non\-Windows clients).

-.B bypass-dns --

-Add a direct route to the DNS server(s) (if they are non-local) which

+.B bypass\-dns \-\-

+Add a direct route to the DNS server(s) (if they are non\-local) which

 bypasses the tunnel

 (Available on Windows clients, may not be available

-on non-Windows clients).

+on non\-Windows clients).

-.B block-local --

+.B block\-local \-\-

 Block access to local LAN when the tunnel is active, except for

 the LAN gateway itself.  This is accomplished by routing the local

 LAN (except for the LAN gateway address) into the tunnel.

-.B ipv6 --

+.B ipv6 \-\-

 Redirect IPv6 routing into the tunnel.  This works similar to the

 .B def1

 flag, that is, more specific IPv6 routes are added (2000::/4, 3000::/4),

 covering the whole IPv6 unicast space.

-.B !ipv4 --

-Do not redirect IPv4 traffic - typically used in the flag pair

+.B !ipv4 \-\-

+Do not redirect IPv4 traffic \- typically used in the flag pair

 .B "ipv6 !ipv4"

-to redirect IPv6-only.

+to redirect IPv6\-only.

 .\"*********************************************************

 .TP

 .B \-\-link\-mtu n

@@ -1271,13 +1271,13 @@ Should we do Path MTU discovery on TCP/UDP channel?  Only supported on OSes such

 as Linux that supports the necessary system call to set.

 .B 'no'

+\-\- Never send DF (Don't Fragment) frames

 .br

 .B 'maybe'

+\-\- Use per\-route hints

 .br

 .B 'yes'

+\-\- Always DF (Don't Fragment)

 .br

 .\"*********************************************************

 .TP

@@ -1357,7 +1357,7 @@ without IP level fragmentation.

 The

 .B \-\-mssfix

 option only makes sense when you are using the UDP protocol

-for OpenVPN peer-to-peer communication, i.e.

+for OpenVPN peer\-to\-peer communication, i.e.

 .B \-\-proto udp.

 .B \-\-mssfix

@@ -1396,7 +1396,7 @@ parameter from the

 option.

 Therefore, one could lower the maximum UDP packet size

-to 1300 (a good first try for solving MTU-related

+to 1300 (a good first try for solving MTU\-related

 connection problems) with the following options:

 .B \-\-tun\-mtu 1500 \-\-fragment 1300 \-\-mssfix

@@ -1459,11 +1459,11 @@ seconds before queuing the next write.

 It should be noted that OpenVPN supports multiple

 tunnels between the same two peers, allowing you

-to construct full-speed and reduced bandwidth tunnels

+to construct full\-speed and reduced bandwidth tunnels

 at the same time,

-routing low-priority data such as off-site backups

+routing low\-priority data such as off\-site backups

 over the reduced bandwidth tunnel, and other data

-over the full-speed tunnel.

+over the full\-speed tunnel.

 Also note that for low bandwidth tunnels

 (under 1000 bytes per second), you should probably

@@ -1538,7 +1538,7 @@ This option can be combined with

 .B \-\-inactive, \-\-ping,

 and

 .B \-\-ping\-exit

-to create a two-tiered inactivity disconnect.

+to create a two\-tiered inactivity disconnect.

 For example,

@@ -1561,7 +1561,7 @@ or other packet from remote.

 This option is useful in cases

 where the remote peer has a dynamic IP address and

-a low-TTL DNS name is used to track the IP address using

+a low\-TTL DNS name is used to track the IP address using

 a service such as

 .I http://dyndns.org/

 + a dynamic DNS client such

@@ -1571,7 +1571,7 @@ as

 If the peer cannot be reached, a restart will be triggered, causing

 the hostname used with

 .B \-\-remote

-to be re-resolved (if

+to be re\-resolved (if

 .B \-\-resolv\-retry

 is also specified).

@@ -1677,12 +1677,12 @@ restarts.

 .B SIGUSR1

 is a restart signal similar to

 .B SIGHUP,

-but which offers finer-grained control over

+but which offers finer\-grained control over

 reset options.

 .\"*********************************************************

 .TP

 .B \-\-persist\-key

-Don't re-read key files across

+Don't re\-read key files across

 .B SIGUSR1

 or

 .B \-\-ping\-restart.

@@ -1693,12 +1693,12 @@ to allow restarts triggered by the

 .B SIGUSR1

 signal.

 Normally if you drop root privileges in OpenVPN,

-the daemon cannot be restarted since it will now be unable to re-read protected

+the daemon cannot be restarted since it will now be unable to re\-read protected

 key files.

 This option solves the problem by persisting keys across

 .B SIGUSR1

-resets, so they don't need to be re-read.

+resets, so they don't need to be re\-read.

 .\"*********************************************************

 .TP

 .B \-\-persist\-local\-ip

@@ -1755,7 +1755,7 @@ UID change).

 .B cmd

 consists of a path to script (or executable program), optionally

-followed by arguments. The path and arguments may be single- or double-quoted

+followed by arguments. The path and arguments may be single\- or double\-quoted

 and/or escaped using a backslash, and should be separated by one or more spaces.

 The up command is useful for specifying route

@@ -1780,7 +1780,7 @@ additional parameters passed as environmental variables.

 Note that if

 .B cmd

-includes arguments, all OpenVPN-generated arguments will be appended

+includes arguments, all OpenVPN\-generated arguments will be appended

 to them to build an argument list with which the executable will be

 called.

@@ -1812,7 +1812,7 @@ as the last parameter.

 NOTE: on restart, OpenVPN will not pass the full set of environment

 variables to the script.  Namely, everything related to routing and

-gateways will not be passed, as nothing needs to be done anyway - all

+gateways will not be passed, as nothing needs to be done anyway \- all

 the routing setup is already in place.  Additionally, the up\-restart

 script will run with the downgraded UID/GID settings (if configured).

@@ -1821,7 +1821,7 @@ The following standalone example shows how the

 script can be called in both an initialization and restart context.

 (NOTE: for security reasons, don't run the following example unless UDP port

 9999 is blocked by your firewall.  Also, the example will run indefinitely,

-so you should abort with control-c).

+so you should abort with control\-c).

 .B openvpn \-\-dev tun \-\-port 9999 \-\-verb 4 \-\-ping\-restart 10 \-\-up 'echo up' \-\-down 'echo down' \-\-persist\-tun \-\-up\-restart

@@ -1858,7 +1858,7 @@ mode, this option normally requires the use of

 to allow connection initiation to be sensed in the absence

 of tunnel data, since UDP is a "connectionless" protocol.

-On Windows, this option will delay the TAP-Win32 media state

+On Windows, this option will delay the TAP\-Win32 media state

 transitioning to "connected" until connection establishment,

 i.e. the receipt of the first authenticated packet from the peer.

 .\"*********************************************************

@@ -1874,7 +1874,7 @@ UID change and/or

 ).

 .B cmd

 consists of a path to script (or executable program), optionally

-followed by arguments. The path and arguments may be single- or double-quoted

+followed by arguments. The path and arguments may be single\- or double\-quoted

 and/or escaped using a backslash, and should be separated by one or more spaces.

 Called with the same parameters and environmental

@@ -1970,7 +1970,7 @@ is available since OpenVPN 2.3.3.

 .\"*********************************************************

 .TP

 .B \-\-script\-security level

-This directive offers policy-level control over OpenVPN's usage of external programs

+This directive offers policy\-level control over OpenVPN's usage of external programs

 and scripts.  Lower

 .B level

 values are more restrictive, higher values are more permissive.  Settings for

@@ -1980,10 +1980,10 @@ values are more restrictive, higher values are more permissive.  Settings for

 Strictly no calling of external programs.

 .br

 .B 1 \-\-

-(Default) Only call built-in executables such as ifconfig, ip, route, or netsh.

+(Default) Only call built\-in executables such as ifconfig, ip, route, or netsh.

 .br

 .B 2 \-\-

-Allow calling of built-in executables and user-defined scripts.

+Allow calling of built\-in executables and user\-defined scripts.

 .br

 .B 3 \-\-

 Allow passwords to be passed to scripts via environmental variables (potentially unsafe).

@@ -2008,14 +2008,14 @@ versions you needed to either add a full path to the script interpreter which ca

 script or use the

 .B system

 flag to run these scripts.  As of OpenVPN 2.3 it is now a strict requirement to have

-full path to the script interpreter when running non-executables files.

+full path to the script interpreter when running non\-executables files.

 This is not needed for executable files, such as .exe, .com, .bat or .cmd files.  For

 example, if you have a Visual Basic script, you must use this syntax now:

 .nf

 .ft 3

 .in +4

-\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my-up-script.vbs'

+\-\-up 'C:\\\\Windows\\\\System32\\\\wscript.exe C:\\\\Program\\ Files\\\\OpenVPN\\\\config\\\\my\-up\-script.vbs'

 .in -4

 .ft

 .fi

@@ -2065,7 +2065,7 @@ signal

 to a DHCP reset), you should make use of one or more of the

 .B \-\-persist

 options to ensure that OpenVPN doesn't need to execute any privileged

-operations in order to restart (such as re-reading key files

+operations in order to restart (such as re\-reading key files

 or running

 .BR ifconfig

 on the TUN device).

@@ -2111,7 +2111,7 @@ This can be desirable from a security standpoint.

 Since the chroot operation is delayed until after

 initialization, most OpenVPN options that reference

-files will operate in a pre-chroot context.

+files will operate in a pre\-chroot context.

 In many cases, the

 .B dir

@@ -2146,7 +2146,7 @@ it inside the chroot directory (e.g. with mount \-\-bind).

 Since the setcon operation is delayed until after

 initialization, OpenVPN can be restricted to just

-network-related system calls, whereas by applying the

+network\-related system calls, whereas by applying the

 context before startup (such as the OpenVPN one provided

 in the SELinux Reference Policies) you will have to

 allow many things required only during initialization.

@@ -2195,11 +2195,11 @@ that initialization scripts can test the return status of the

 openvpn command for a fairly reliable indication of whether the command

 has correctly initialized and entered the packet forwarding event loop.

-In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.

+In OpenVPN, the vast majority of errors which occur after initialization are non\-fatal.

 Note: as soon as OpenVPN has daemonized, it can not ask for usernames,

 passwords, or key pass phrases anymore.  This has certain consequences,

-namely that using a password-protected private key will fail unless the

+namely that using a password\-protected private key will fail unless the

 .B \-\-askpass

 option is used to tell OpenVPN to ask for the pass phrase (this

 requirement is new in v2.3.7, and is a consequence of calling daemon()

@@ -2208,9 +2208,9 @@ before initializing the crypto layer).

 Further, using

 .B \-\-daemon

 together with

-.B \-\-auth-user-pass

+.B \-\-auth\-user\-pass

 (entered on console) and

-.B \-\-auth-nocache

+.B \-\-auth\-nocache

 will fail as soon as key renegotiation (and reauthentication) occurs.

 .\"*********************************************************

 .TP

@@ -2347,7 +2347,7 @@ less than zero is higher priority).

 .\".B \-\-tls\-server

 .\"specified).

 .\"

-.\"Using a TLS thread offloads the CPU-intensive process of SSL/TLS-based

+.\"Using a TLS thread offloads the CPU\-intensive process of SSL/TLS\-based

 .\"key exchange to a background thread so that it does not become

 .\"a latency bottleneck in the tunnel packet forwarding process.

 .\"

@@ -2369,7 +2369,7 @@ or TUN/TAP devices.  In such cases, one can optimize the event loop

 by avoiding the poll/epoll/select call, improving CPU efficiency

 by 5% to 10%.

-This option can only be used on non-Windows systems, when

+This option can only be used on non\-Windows systems, when

 .B \-\-proto udp

 is specified, and when

 .B \-\-shaper

@@ -2377,7 +2377,7 @@ is NOT specified.

 .\"*********************************************************

 .TP

 .B \-\-multihome

-Configure a multi-homed UDP server.  This option needs to be used when

+Configure a multi\-homed UDP server.  This option needs to be used when

 a server has more than one IP address (e.g. multiple interfaces, or

 secondary IP addresses), and is not using

 .B \-\-local

@@ -2389,10 +2389,10 @@ processing, so it's not enabled by default.

 Note: this option is only relevant for UDP servers.

-Note 2: if you do an IPv6+IPv4 dual-stack bind on a Linux machine with

+Note 2: if you do an IPv6+IPv4 dual\-stack bind on a Linux machine with

 multiple IPv4 address, connections to IPv4 addresses will not work

 right on kernels before 3.15, due to missing kernel support for the

-IPv4-mapped case (some distributions have ported this to earlier kernel

+IPv4\-mapped case (some distributions have ported this to earlier kernel

 versions, though).

 .\"*********************************************************

 .TP

@@ -2492,7 +2492,7 @@ newer

 .B \-\-compress

 instead.

-Use LZO compression -- may add up to 1 byte per

+Use LZO compression \-\- may add up to 1 byte per

 packet for incompressible data.

 .B mode

 may be "yes", "no", or "adaptive" (default).

@@ -2500,7 +2500,7 @@ may be "yes", "no", or "adaptive" (default).

 In a server mode setup, it is possible to selectively turn

 compression on or off for individual clients.

-First, make sure the client-side config file enables selective

+First, make sure the client\-side config file enables selective

 compression by having at least one

 .B \-\-comp\-lzo

 directive, such as

@@ -2539,19 +2539,19 @@ Normally, adaptive compression is enabled with

 Adaptive compression tries to optimize the case where you have

 compression enabled, but you are sending predominantly incompressible

-(or pre-compressed) packets over the tunnel, such as an FTP or rsync transfer

+(or pre\-compressed) packets over the tunnel, such as an FTP or rsync transfer

 of a large, compressed file.  With adaptive compression,

 OpenVPN will periodically sample the compression process to measure its

 efficiency.  If the data being sent over the tunnel is already compressed,

 the compression efficiency will be very low, triggering openvpn to disable

-compression for a period of time until the next re-sample test.

+compression for a period of time until the next re\-sample test.

 .\"*********************************************************

 .TP

-.B \-\-management IP port [pw-file]

+.B \-\-management IP port [pw\-file]

 Enable a TCP server on

 .B IP:port

 to handle daemon management functions.

-.B pw-file,

+.B pw\-file,

 if specified,

 is a password file (password on first line)

 or "stdin" to prompt from standard input.  The password

@@ -2618,28 +2618,28 @@ console.

 .B \-\-management\-query\-proxy

 Query management channel for proxy server information for a specific

 .B \-\-remote

-(client-only).

+(client\-only).

 .\"*********************************************************

 .TP

 .B \-\-management\-query\-remote

 Allow management interface to override

 .B \-\-remote

-directives (client-only).

+directives (client\-only).

 .\"*********************************************************

 .TP

 .B \-\-management\-external\-key

 Allows usage for external private key file instead of

 .B \-\-key

-option (client-only).

+option (client\-only).

 .\"*********************************************************

 .TP

-.B \-\-management\-external\-cert certificate-hint

+.B \-\-management\-external\-cert certificate\-hint

 Allows usage for external certificate instead of

 .B \-\-cert

-option (client-only).

-.B certificate-hint

+option (client\-only).

+.B certificate\-hint

 is an arbitrary string which is passed to a management

-interface client as an argument of NEED-CERTIFICATE notification.

+interface client as an argument of NEED\-CERTIFICATE notification.

 Requires \-\-management\-external\-key.

 .\"*********************************************************

 .TP

@@ -2682,7 +2682,7 @@ Report tunnel up/down events to management interface.

 .B \-\-management\-client\-auth

 Gives management interface client the responsibility

 to authenticate clients after their client certificate

-has been verified.  See management-notes.txt in OpenVPN

+has been verified.  See management\-notes.txt in OpenVPN

 distribution for detailed notes.

 .\"*********************************************************

 .TP

@@ -2704,21 +2704,21 @@ only allow connections from group

 .B g.

 .\"*********************************************************

 .TP

-.B \-\-plugin module-pathname [init-string]

-Load plug-in module from the file

-.B module-pathname,

+.B \-\-plugin module\-pathname [init\-string]

+Load plug\-in module from the file

+.B module\-pathname,

 passing

-.B init-string

+.B init\-string

 as an argument

 to the module initialization function.  Multiple

 plugin modules may be loaded into one OpenVPN

 process.

 The

-.B module-pathname

+.B module\-pathname

 argument can be just a filename or a filename with a relative

 or absolute path.  The format of the filename and path defines

-if the plug-in will be loaded from a default plug-in directory

+if the plug\-in will be loaded from a default plug\-in directory

 or outside this directory.

 .nf

@@ -2733,7 +2733,7 @@ or outside this directory.

 .in -4

 .fi

-DEFAULT_DIR is replaced by the default plug-in directory,

+DEFAULT_DIR is replaced by the default plug\-in directory,

 which is configured at the build time of OpenVPN.  CWD is the

 current directory where OpenVPN was started or the directory

 OpenVPN have swithed into via the

@@ -2743,7 +2743,7 @@ option before the

 option.

 For more information and examples on how to build OpenVPN

-plug-in modules, see the README file in the

+plug\-in modules, see the README file in the

 .B plugin

 folder of the OpenVPN source distribution.

@@ -2766,7 +2766,7 @@ every module and script must return success (0) in order for

 the connection to be authenticated.

 .\"*********************************************************

 .TP

-.B \-\-keying-material-exporter label len

+.B \-\-keying\-material\-exporter label len

 Save Exported Keying Material [RFC5705] of len bytes (must be

 between 16 and 4095 bytes) using label in environment

 (exported_keying_material) for use by plugins in

@@ -2777,7 +2777,7 @@ labels. In order to prevent this, labels MUST begin with "EXPORTER".

 .\"*********************************************************

 .SS Server Mode

-Starting with OpenVPN 2.0, a multi-client TCP/UDP server mode

+Starting with OpenVPN 2.0, a multi\-client TCP/UDP server mode

 is supported, and can be enabled with the

 .B \-\-mode server

 option.  In server mode, OpenVPN will listen on a single

@@ -2795,7 +2795,7 @@ of OpenVPN's server mode.  This directive will set up an

 OpenVPN server which will allocate addresses to clients

 out of the given network/netmask.  The server itself

 will take the ".1" address of the given network

-for use as the server-side endpoint of the local

+for use as the server\-side endpoint of the local

 TUN/TAP interface.

 For example,

@@ -2838,7 +2838,7 @@ if you are ethernet bridging.  Use

 instead.

 .\"*********************************************************

 .TP

-.B \-\-server\-bridge gateway netmask pool-start-IP pool-end-IP

+.B \-\-server\-bridge gateway netmask pool\-start\-IP pool\-end\-IP

 .TP

 .B \-\-server\-bridge ['nogw']