--D|--nodaemonize
-~~~~~~~~~~~~~~~~
-
-This option instructs *uAnytun* to run in foreground
-instead of becoming a daemon which is the default.
-
--u|--username <username>
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-run as this user. If no group is specified (*-g*) the default group of
-the user is used. The default is to not drop privileges.
-
--g|--groupname <groupname>
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-run as this group. If no username is specified (*-u*) this gets ignored.
-The default is to not drop privileges.
-
--C|--chroot <path>
-~~~~~~~~~~~~~~~~~~
-
-Instruct *uAnytun* to run in a chroot jail. The default is
-to not run in chroot.
-
--P|--write-pid <filename>
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Instruct *uAnytun* to write it's pid to this file. The default is
-to not create a pid file.
-
--L|--log <target>:<level>[,<param1>[,<param2>[..]]]
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-add log target to logging system. This can be invoked several times
-in order to log to different targets at the same time. Every target
-hast its own log level which is a number between 0 and 5. Where 0 means
-disabling log and 5 means debug messages are enabled.
-
-The following targets are supported:
-
-* *syslog* - log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
-* *file* - log to file, parameters <level>[,<path>]
-* *stdout* - log to standard output, parameters <level>
-* *stderr* - log to standard error, parameters <level>
-
-The file target can be used more the once with different levels.
-If no target is provided at the command line a single target with the
-following config is added:
-
-*syslog:3,uanytun,daemon*
-
-
--i|--interface <ip address>
-~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This IP address is used as the sender address for outgoing
-packets. The default is to not use a special inteface and just
-bind on all interfaces.
-
--p|--port <port>
-~~~~~~~~~~~~~~~~
-
-local port to bind to
-
-The local UDP port that is used to send and receive the
-payload data. The two tunnel endpoints can use different
-ports. default: 4444
-
--r|--remote-host <hostname|ip>
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-remote host
-
-This option can be used to specify the remote tunnel
-endpoint. In case of anycast tunnel endpoints, the
-anycast IP address has to be used. If you do not specify
-an address, it is automatically determined after receiving
-the first data packet.
-
--o|--remote-port <port>
-~~~~~~~~~~~~~~~~~~~~~~~
-
-remote port
-
-The UDP port used for payload data by the remote host
-(specified with -p on the remote host). If you do not specify
-a port, it is automatically determined after receiving
-the first data packet.
-
--4|--ipv4-only
-~~~~~~~~~~~~~~
-
-Resolv to IPv4 addresses only. The default is to resolv both
-IPv4 and IPv6 addresses.
-
--6|--ipv6-only
-~~~~~~~~~~~~~~
-
-Resolv to IPv6 addresses only. The default is to resolv both
-IPv4 and IPv6 addresses.
-
--d|--dev <name>
-~~~~~~~~~~~~~~~
-
-device name
-
-By default, tapN is used for Ethernet tunnel interfaces,
-and tunN for IP tunnels, respectively. This option can
-be used to manually override these defaults.
-
--t|--type <tun|tap>
-~~~~~~~~~~~~~~~~~~~
-
-device type
-
-Type of the tunnels to create. Use tap for Ethernet
-tunnels, tun for IP tunnels.
-
--n|--ifconfig <local>/<prefix>
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-*<local>* the local IP address for the tun/tap device
+*-D, --nodaemonize*::
+ This option instructs *uAnytun* to run in foreground
+ instead of becoming a daemon which is the default.
+
+*-u, --username '<username>'*::
+ run as this user. If no group is specified (*-g*) the default group of
+ the user is used. The default is to not drop privileges.
+
+*-g, --groupname '<groupname>'*::
+ run as this group. If no username is specified (*-u*) this gets ignored.
+ The default is to not drop privileges.
+
+*-C, --chroot '<path>'*::
+ Instruct *uAnytun* to run in a chroot jail. The default is
+ to not run in chroot.
+
+*-P, --write-pid <filename>*::
+ Instruct *uAnytun* to write it's pid to this file. The default is
+ to not create a pid file.
+
+*-L, --log '<target>:<level>[,<param1>[,<param2>[..]]]'*::
+ add log target to logging system. This can be invoked several times
+ in order to log to different targets at the same time. Every target
+ has its own log level which is a number between 0 and 5. Where 0 means
+ disabling log and 5 means debug messages are enabled. +
+ The file target can be used more than once with different levels.
+ If no target is provided at the command line a single target with the
+ config 'syslog:3,uanytun,daemon' is added. +
+ The following targets are supported:
+
+ 'syslog';; log to syslog daemon, parameters <level>[,<logname>[,<facility>]]
+ 'file';; log to file, parameters <level>[,<path>]
+ 'stdout';; log to standard output, parameters <level>
+ 'stderr';; log to standard error, parameters <level>
+
+*-U, --debug*::
+ This option instructs *uAnytun* to run in debug mode. It implicits *-D*
+ (don't daemonize) and adds a log target with the configuration
+ 'stdout:5' (logging with maximum level). In future releases there might
+ be additional output when this option is supplied.
+
+*-i, --interface '<ip address>'*::
+ This IP address is used as the sender address for outgoing
+ packets. The default is to not use a special inteface and just
+ bind on all interfaces.
+
+*-p, --port '<port>'*::
+ The local UDP port that is used to send and receive the
+ payload data. The two tunnel endpoints can use different
+ ports. default: 4444
+
+*-r, --remote-host '<hostname|ip>'*::
+ This option can be used to specify the remote tunnel
+ endpoint. In case of anycast tunnel endpoints, the
+ anycast IP address has to be used. If you do not specify
+ an address, it is automatically determined after receiving
+ the first data packet.
+
+*-o, --remote-port '<port>'*::
+ The UDP port used for payload data by the remote host
+ (specified with -p on the remote host). If you do not specify
+ a port, it is automatically determined after receiving
+ the first data packet.
+
+*-4, --ipv4-only*::
+ Resolv to IPv4 addresses only. The default is to resolv both
+ IPv4 and IPv6 addresses.
+
+*-6, --ipv6-only*::
+ Resolv to IPv6 addresses only. The default is to resolv both
+ IPv4 and IPv6 addresses.
+
+*-d, --dev '<name>'*::
+ device name +
+ By default, tapN is used for Ethernet tunnel interfaces,
+ and tunN for IP tunnels, respectively. This option can
+ be used to manually override these defaults.
+
+*-t, --type '<tun|tap>'*::
+ device type +
+ Type of the tunnels to create. Use tap for Ethernet
+ tunnels, tun for IP tunnels.
+
+*-n, --ifconfig '<local>/<prefix>'*::
+ The local IP address and prefix length. The remote tunnel endpoint
+ has to use a different IP address in the same subnet.
+
+ '<local>';; the local IP address for the tun/tap device
+ '<prefix>';; the prefix length of the network
+
+*-x, --post-up-script '<script>'*::
+ This option instructs *uAnytun* to run this script after the interface
+ is created. By default no script will be executed.
+
+*-m, --mux '<mux-id>'*::
+ the multiplex id to use. default: 0
+
+*-s, --sender-id '<sender id>'*::
+ Each anycast tunnel endpoint needs a unique sender id
+ (1, 2, 3, ...). It is needed to distinguish the senders
+ in case of replay attacks. As *uAnytun* does not support
+ synchronisation it can't be used as an anycast endpoint therefore
+ this option is quite useless but implemented for compatibility
+ reasons. default: 0
+
+*-w, --window-size '<window size>'*::
+ seqence window size +
+ Sometimes, packets arrive out of order on the receiver
+ side. This option defines the size of a list of received
+ packets' sequence numbers. If, according to this list,
+ a received packet has been previously received or has
+ been transmitted in the past, and is therefore not in
+ the list anymore, this is interpreted as a replay attack
+ and the packet is dropped. A value of 0 deactivates this
+ list and, as a consequence, the replay protection employed
+ by filtering packets according to their secuence number.
+ By default the sequence window is disabled and therefore a
+ window size of 0 is used.
+
+*-k, --kd--prf '<kd-prf type>'*::
+ key derivation pseudo random function +
+ The pseudo random function which is used for calculating the
+ session keys and session salt. +
+ Possible values:
+
+ 'null';; no random function, keys and salt are set to 0..00
+ 'aes-ctr';; AES in counter mode with 128 Bits, default value
+ 'aes-ctr-128';; AES in counter mode with 128 Bits
+ 'aes-ctr-192';; AES in counter mode with 192 Bits
+ 'aes-ctr-256';; AES in counter mode with 256 Bits
+
+*-e, --role '<role>'*::
+ SATP uses different session keys for inbound and outbound traffic. The
+ role parameter is used to determine which keys to use for outbound or
+ inbound packets. On both sides of a vpn connection different roles have
+ to be used. Possible values are 'left' and 'right'. You may also use
+ 'alice' or 'server' as a replacement for 'left' and 'bob' or 'client' as
+ a replacement for 'right'. By default 'left' is used.
+
+*-E, --passphrase '<pass phrase>'*::
+ This passphrase is used to generate the master key and master salt.
+ For the master key the last n bits of the SHA256 digest of the
+ passphrase (where n is the length of the master key in bits) is used.
+ The master salt gets generated with the SHA1 digest.
+ You may force a specific key and or salt by using *--key* and *--salt*.
+
+*-K, --key '<master key>'*::
+ master key to use for key derivation +
+ Master key in hexadecimal notation, e.g.
+ 01a2b3c4d5e6f708a9b0cadbecfd0fa1, with a mandatory length
+ of 32, 48 or 64 characters (128, 192 or 256 bits).
+
+*-A, --salt '<master salt>'*::
+ master salt to use for key derivation +
+ Master salt in hexadecimal notation, e.g.
+ 01a2b3c4d5e6f708a9b0cadbecfd, with a mandatory length
+ of 28 characters (14 bytes).
+
+*-c, --cipher '<cipher type>'*::
+ payload encryption algorithm +
+ Encryption algorithm used for encrypting the payload +
+ Possible values:
+
+ 'null';; no encryption
+ 'aes-ctr';; AES in counter mode with 128 Bits, default value
+ 'aes-ctr-128';; AES in counter mode with 128 Bits
+ 'aes-ctr-192';; AES in counter mode with 192 Bits
+ 'aes-ctr-256';; AES in counter mode with 256 Bits
+
+*-a, --auth-algo '<algo type>'*::
+ message authentication algorithm +
+ This option sets the message authentication algorithm. +
+ If HMAC-SHA1 is used, the packet length is increased. The additional bytes
+ contain the authentication data. see *--auth-tag-length* for more info. +
+ Possible values:
+
+ 'null';; no message authentication
+ 'sha1';; HMAC-SHA1, default value
+
+*-b, --auth-tag-length '<length>'*::
+ The number of bytes to use for the auth tag. This value defaults to 10 bytes
+ unless the 'null' auth algo is used in which case it defaults to 0.