diff --git a/roles/dante/README.md b/roles/dante/README.md
index cbe54a2..27e18c1 100644
--- a/roles/dante/README.md
+++ b/roles/dante/README.md
@@ -34,6 +34,12 @@ Password and salt.
 dante_verbose_log: false
 Enables verbose logging (see https://www.inet.no/dante/doc/1.4.x/config/logging.html).
+ dante_logoutput: syslog
+Override default log output
+
+ dante_user_privileged: root
+Change default user privileged
+
 ## Tags
diff --git a/roles/dante/defaults/main.yml b/roles/dante/defaults/main.yml
index 43e8500..21fe741 100644
--- a/roles/dante/defaults/main.yml
+++ b/roles/dante/defaults/main.yml
@@ -3,6 +3,13 @@ dante_enable: true
 dante_port: 1080
 dante_direct: true
+## config customization
+dante_logoutput: syslog
+dante_user_privileged: root
+
+dante_timeout_negotiate: 300
+dante_timeout_io: 3600
+
 ## dante username must start with 'dante_' because it's global linux user
 dante_user: dante_socks
 dante_pass: secret
diff --git a/roles/dante/templates/danted.conf b/roles/dante/templates/danted.conf
index 37afdfc..7437190 100644
--- a/roles/dante/templates/danted.conf
+++ b/roles/dante/templates/danted.conf
@@ -2,11 +2,23 @@
 # dante with authentication and ipv6 support
 # see: https://www.inet.no/dante/doc/1.4.x/config/ipv6.html
-logoutput: syslog
+# the server will log both via syslog, to stdout and to /var/log/sockd.log
+#logoutput: syslog stdout /var/log/sockd.log
+logoutput: {{ dante_logoutput }}
-user.privileged: root
+# when doing something that can require privilege, it will use the
+user.privileged: {{ dante_user_privileged }}
+
+# when running as usual, it will use the unprivileged userid of:
 user.unprivileged: nobody
+# If you are not using libwrap, no need for the below line, so leave
+# it commented.
+# If you compiled with libwrap support, what userid should it use
+# when executing your libwrap commands? "libwrap".
+#user.libwrap: libwrap
+user.libwrap: nobody
+
 internal.protocol: ipv4 ipv6
 external.protocol: ipv4 ipv6
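Review bot: `dante_timeout_negotiate` and `dante_timeout_io` are added to roles/dante/defaults/main.yml, but in the hunks shown templates/danted.conf references them only on the commented-out `# timeout.negotiate:` and `# timeout.io:` lines (last hunk of that file), so overriding them leaves the effective server config unchanged. An operator who lowers these values to shed stalled or idle connections would still get Dante's built-in timeouts. Either render the directives for real, `timeout.negotiate: {{ dante_timeout_negotiate }}` and `timeout.io: {{ dante_timeout_io }}`, or drop the two defaults until they are wired in. The README hunk also documents only `dante_logoutput` and `dante_user_privileged`, so the timeout variables have no description anywhere in this change.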
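Review bot: `user.libwrap: nobody` in the first hunk of templates/danted.conf is rendered unconditionally, while the comment added directly above it says to leave the line commented when libwrap is not in use; one of the two should change, and if the directive is meant to stay the comment could read `# libwrap commands, where supported, run as this unprivileged user:`. The comment above `user.privileged` is cut off at `it will use the`; completing it as `# when doing something that can require privilege, it will use the userid:` would match the wording of the `user.unprivileged` comment below it. Since `user.privileged` is now a free-form variable, the README entry should say what a non-root value must still be able to do; presumably username authentication needs an account that can read the system password database, which cannot be confirmed from this hunk.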
@@ -17,7 +29,7 @@ internal: :: port={{ dante_port }}
 external: {{ address }}
 {% endfor %}
-socksmethod: username none
+socksmethod: username none #rfc931
 {% for address in dante_noauth_listen_addresses %}
 client pass {
@@ -55,3 +67,10 @@ socks block {
 from: 0/0 to: 0/0
 log: {{ log_what }}
 }
+
+#
+# Misc options.
+#
+
+# timeout.negotiate: {{ dante_timeout_negotiate }} # on a lan, this should be enough.
+# timeout.io: {{ dante_timeout_io }} # or perhaps 86400, for a day.