Best practice for multi-user zero-trust isolation on the same host

Hi everyone,

I’m evaluating OpenZiti / NetBird for a scenario where multiple users share the same Linux host.

Example:

User A and User B log in to the same machine.  
User A should only access A’s resources.  
User B should only access B’s resources.  
They must not access each other’s services, identities, routes, DNS, or tunnels.

Questions:

  1. What is the recommended architecture for this scenario?
  2. Should each user run a dedicated tunnel/agent with a separate identity?
  3. How should routing, DNS, and TUN interfaces be isolated on the same host?
  4. Are Linux network namespaces, containers, or separate VMs recommended?
  5. Are there official best practices for this type of multi-user isolation?

Hi @tttjhgan, welcome to the community and to OpenZiti!

At the end of the day, if you're running a tunneler you should use different VMs or different hosts... As far as I know, what you are describing is generally (practically) not possible with any technology that creates a network interface on the host. Be it WireGuard, NetBird, Tailscale or OpenZiti. All of these technologies, to my knowledge, will make a TUN device on the system and require a route in the routing table. I don't know of any way to do "per user routing tables". Claude seems to think it's doable but reviewing what it wrote seems -- less than ideal. The situation you describe is not something OpenZiti would support when running our tunneler. These are all meant for "host access" not per-user.

In Docker, you can use a feature called "shared network namespace" and then run a router and sidecars and use iptables, but that's also getting quite complex and not what you're asking really.

The real answer imo - application embedded zero trust

OpenZiti does allow developers to embed an SDK into applications. The only actual answer I know of would be to adopt an OpenZiti SDK into the target application and then give each user their own identity. That would work but obviously requires you to have the ability to write your own app (not for apps that aren't OpenZiti-aware).

hope that helps

Hi @TheLumberjack
Thanks a lot for the detailed explanation — this is very helpful.

I understand now that achieving strict per-user isolation on a single shared Linux host using a tunneler is quite difficult, since the TUN interface, routing table, DNS, and related network configuration are effectively host-level resources rather than user-level ones.

For our current use case, we’ll take this into account and reconsider the architecture. We may look into using separate VMs/hosts for stronger isolation, or potentially evaluate the OpenZiti SDK approach later if we can embed zero-trust access directly into our application.

Thanks again for clarifying the recommended direction and the limitations of the tunneler-based approach.