Do not use leading underscores for SNI.

README.md

@@ -321,12 +321,12 @@ tcp:
   modules:
     - type: proxy
       domains:
-        - _ssh.example.com      # Note: this domain would also listed in tls.acme.domains
+        - ssh.example.com      # Note: this domain would also listed in tls.acme.domains
       host: localhost
       port: 22
     - type: proxy
       domains:
-        - _vpn.example.com      # Note: this domain would also listed in tls.acme.domains
+        - vpn.example.com      # Note: this domain would also listed in tls.acme.domains
       host: localhost
       port: 1194
 ```
@@ -339,17 +339,17 @@ in place on such networks.
 #### Using with ssh
 
 In order to use this to route SSH connections you will need to use `ssh`'s
-`ProxyCommand` option. For example to use the TLS certificate for `_ssh.example.com`
+`ProxyCommand` option. For example to use the TLS certificate for `ssh.example.com`
 to wrap an ssh connection you could use the following command:
 
 ```bash
-ssh user@example.com -o ProxyCommand='openssl s_client -quiet -connect example.com:443 -servername _ssh.example.com'
+ssh user@example.com -o ProxyCommand='openssl s_client -quiet -connect example.com:443 -servername ssh.example.com'
 ```
 
 Alternatively you could add the following lines to your ssh config file.
 ```
 Host example.com
-  ProxyCommand openssl s_client -quiet -connect example.com:443 -servername _ssh.example.com
+  ProxyCommand openssl s_client -quiet -connect example.com:443 -servername ssh.example.com
 ```
 
 #### Using with OpenVPN
@@ -368,7 +368,7 @@ ssh -L 1194:localhost:1194 example.com
 [openvpn-over-goldilocks]
 client = yes
 accept = 127.0.0.1:1194
-sni = _vpn.example.com
+sni = vpn.example.com
 connect = example.com:443
 ```