Best practice for multi-user zero-trust isolation on the same host

Hi everyone,

I’m evaluating OpenZiti / NetBird for a scenario where multiple users share the same Linux host.

User A and User B log in to the same machine.  
User A should only access A’s resources.  
User B should only access B’s resources.  
They must not access each other’s services, identities, routes, DNS, or tunnels.  

Questions:

  1. What is the recommended architecture for this scenario?
  2. Should each user run a dedicated tunnel/agent with a separate identity?
  3. How should routing, DNS, and TUN interfaces be isolated on the same host?
  4. Are Linux network namespaces, containers, or separate VMs recommended?
  5. Are there official best practices for this type of multi-user isolation?
  1. What is the recommended architecture for this scenario?

ACLs: you can create ACL rules for the users using NetBird. Make sure that people log in to their own account/client when they do. So no setup key, but SSO on login for the users who need to access resources. Then limit their group (Group A) to access only A's resources (Resources A).

  2. Should each user run a dedicated tunnel/agent with a separate identity?

Sort of, yes. They can both run the same agent; IIRC you should then have it run in user space instead of for the whole system. Or install NetBird on the go and apply temporary files for the initial setup on login.

  3. How should routing, DNS, and TUN interfaces be isolated on the same host?

You can scope DNS (and routes) to a specific group (Group A) with an ACL.

  4. Are Linux network namespaces, containers, or separate VMs recommended?

No comment from me, haven’t gone this deep in my setups.

  5. Are there official best practices for this type of multi-user isolation?

No full-on deployments from me, maybe someone else on the forum :)
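
An added example, not part of the reply above and not NetBird code: a small audit of the group scoping the answer describes, run over a constructed configuration in a hypothetical schema (the field names, group names and peers are assumptions, not NetBird's API or export format). It flags peers not enrolled through SSO, peers placed in both users' groups, policies that cross from one user's group to the other's resources, and DNS or route entries distributed to both users.

```python
# Constructed sample data in a hypothetical schema (not NetBird's API).
# OWNER maps every group to the user it belongs to.
OWNER = {"group-a": "A", "group-b": "B", "resources-a": "A", "resources-b": "B"}

CONFIG = {
    "peers": [
        {"name": "host1-userA", "groups": ["group-a"], "enrolled_via": "sso"},
        {"name": "host1-userB", "groups": ["group-b"], "enrolled_via": "sso"},
        {"name": "host1-shared", "groups": ["group-a", "group-b"],
         "enrolled_via": "setup_key"},
    ],
    "policies": [
        {"name": "a-to-a", "source": "group-a", "destination": "resources-a"},
        {"name": "b-to-b", "source": "group-b", "destination": "resources-b"},
        {"name": "legacy", "source": "group-b", "destination": "resources-a"},
    ],
    "dns": [{"name": "a.internal", "groups": ["group-a"]}],
    "routes": [{"name": "10.1.0.0/24", "groups": ["group-a", "group-b"]}],
}

def owners(groups):
    """Set of users that own the given groups."""
    return {OWNER[g] for g in groups}

def audit(config):
    """Return (finding, object name) pairs that break per-user isolation."""
    findings = []
    for peer in config["peers"]:
        if peer["enrolled_via"] != "sso":      # shared setup key, no user identity
            findings.append(("peer-not-sso", peer["name"]))
        if len(owners(peer["groups"])) > 1:    # one identity in both users' groups
            findings.append(("peer-spans-users", peer["name"]))
    for pol in config["policies"]:
        if OWNER[pol["source"]] != OWNER[pol["destination"]]:
            findings.append(("cross-user-policy", pol["name"]))
    for kind in ("dns", "routes"):
        for item in config[kind]:
            if len(owners(item["groups"])) > 1:  # pushed to both users
                findings.append((f"shared-{kind}", item["name"]))
    return findings

if __name__ == "__main__":
    for code, name in audit(CONFIG):
        print(f"{code}: {name}")
```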