Container Networking Options for a Multi-User VPS

The useful question was not "what networking modes exist?" It was "which one fits a VPS where different Unix users own different services?"

For that kind of setup, I cared about:

  • isolation between service owners
  • predictable TLS hostnames
  • minimal public exposure
  • a model that still works in rootless container runtimes

The options I looked at

At a high level, the options break down into a few families:

  • shared internal networks between containers
  • direct host exposure on selected ports
  • reverse proxies or forwarders on the host
  • overlay networks such as WireGuard or Tailscale
  • pod-style sidecar patterns for tightly coupled traffic

Each of them can work. The tradeoff is how much trust you centralize in one component (a shared network, a host proxy, an overlay's control plane) and how much cross-service coupling you accept. A single shared internal network is the extreme case: every container on it can reach every other, so one compromised service becomes a pivot into the rest.

Why the rootless host-forwarder model won

For my VPS, the most practical model was:

  • keep Vault and other internal services bound to loopback or an internal network, never to a public interface
  • publish only deliberate entry points, typically one TLS front door
  • use a host-side forwarder or proxy, itself bound to loopback, when containers of different rootless users need to reach a shared service; rootless containers belonging to different users do not share a container network, so the host is the natural meeting point
  • enforce identity with TLS and narrow per-service policies instead of pretending the network alone is enough

That gave me a cleaner boundary between users while still keeping the system operable.
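As an added illustration (not code from the original post), here is the shape of that host-side forwarder in Python: it binds only to loopback, relays each connection to a backend on the host, and refuses any peer that is not loopback as a second line of defence in case the bind address is later widened. The Vault-style port 8200, the listen port 18200 and the echo backend used by roundtrip() are constructed for the example; in practice socat or systemd-socket-proxyd does the same job.

```python
"""Loopback-only TCP forwarder: a host-side bridge between rootless users.

Added example, not code from the original post. BACKEND stands in for a
shared service already listening on host loopback (a Vault-style 8200 is
assumed); LISTEN is the second loopback port that another user's
containers reach through the host. Nothing here binds a public address.
"""
import socket
import threading

BACKEND = ("127.0.0.1", 8200)   # assumed shared service
LISTEN = ("127.0.0.1", 18200)   # assumed forwarder port

LOOPBACK_PREFIXES = ("127.", "::1", "::ffff:127.")


def is_loopback(host: str) -> bool:
    """True for IPv4/IPv6 loopback peers; anything else is refused."""
    return host.startswith(LOOPBACK_PREFIXES)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket, peer, backend) -> bool:
    """Relay one accepted connection to backend; False if the peer was refused.

    The loopback bind already keeps off-host peers out; this check is defence
    in depth should the listen address ever be widened by mistake.
    """
    if not is_loopback(peer[0]):
        client.close()
        return False
    upstream = socket.create_connection(backend)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()
    return True


def _listen(addr) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(addr)
    srv.listen(16)
    return srv


def _accept_forever(srv: socket.socket, on_conn) -> socket.socket:
    """Accept on srv in a background thread until srv is closed.

    The socket is returned so a caller can read getsockname() (the real port
    when port 0 was requested) and close() it to stop the loop.
    """
    def loop() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=on_conn, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv


def serve(listen=LISTEN, backend=BACKEND) -> socket.socket:
    """Bind on loopback and relay each connection to backend in its own thread."""
    return _accept_forever(_listen(listen), lambda c, p: handle(c, p, backend))


def echo_backend() -> socket.socket:
    """Constructed stand-in for the shared service: echoes what it reads."""
    return _accept_forever(_listen(("127.0.0.1", 0)), lambda c, _: _pump(c, c))


def roundtrip(payload: bytes) -> bytes:
    """Start the echo backend and the forwarder on ephemeral loopback ports,
    push payload through the forwarder and return what the client gets back."""
    backend = echo_backend()
    fwd = serve(listen=("127.0.0.1", 0), backend=backend.getsockname())
    try:
        with socket.create_connection(fwd.getsockname()) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while True:
                chunk = c.recv(65536)
                if not chunk:
                    return out
                out += chunk
    finally:
        fwd.close()
        backend.close()
```

roundtrip() is only there so the relay can be exercised end to end without a real backend; in a deployment you call serve() and keep the process alive, and the other user's containers are pointed at the host's loopback port rather than at the service directly.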

What I would optimize for again

On a multi-user VPS, I would still optimize for:

  • explicit routing
  • per-user ownership
  • narrow published surfaces
  • authentication at the service layer, not just by source IP (rootless port forwarding can rewrite the source address anyway, so a service behind it may only ever see the forwarder)

That is less elegant on paper than one giant shared network, but much easier to trust once the system grows.
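One check I would pair with that list, as an added example rather than anything from the original post: parse `ss -Hltnp` output and flag every listener bound to a public address whose port is not a deliberate entry point. The sample lines, the allowlist {22, 443} and the process names are constructed; `rootlessport` is the name rootless podman's port-forwarding helper appears under, which is an assumption about the runtime rather than something the post states.

```python
"""Flag host listeners that are public but not deliberate entry points.

Added example, not from the original post. Input is the shape of
`ss -Hltnp` (listening TCP sockets, numeric, no header, with process names).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample output; real input comes from: ss -Hltnp
SAMPLE = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1204,fd=6))
LISTEN 0 4096 127.0.0.1:8200 0.0.0.0:* users:(("vault",pid=2301,fd=8))
LISTEN 0 4096 0.0.0.0:5432 0.0.0.0:* users:(("rootlessport",pid=3410,fd=10))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 *:8080 *:* users:(("rootlessport",pid=3555,fd=11))
LISTEN 0 4096 [::1]:9090 [::]:* users:(("prometheus",pid=4002,fd=7))
"""

# Constructed allowlist: the only ports this host is meant to expose.
DELIBERATE_ENTRY_POINTS: Set[int] = {22, 443}

_PROC = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str

    @property
    def public(self) -> bool:
        """Reachable from off-host: a wildcard or any non-loopback address."""
        if self.addr in ("0.0.0.0", "::", "*"):
            return True
        return not (self.addr.startswith("127.") or self.addr == "::1")


def parse(line: str) -> Optional[Listener]:
    """Parse one ss line; None for a header or anything that is not LISTEN."""
    fields = line.split()
    if len(fields) < 4 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")   # "[::]:22" -> "[::]", "22"
    m = _PROC.search(line)
    return Listener(host.strip("[]"), int(port), m.group(1) if m else "?")


def audit(text: str, allowed: Set[int] = DELIBERATE_ENTRY_POINTS) -> List[Listener]:
    """Listeners bound to a public address on a port outside the allowlist."""
    findings = []
    for line in text.splitlines():
        lst = parse(line)
        if lst is not None and lst.public and lst.port not in allowed:
            findings.append(lst)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"unexpected public listener: {f.proc} on {f.addr}:{f.port}")
```

On the sample this reports the two `rootlessport` listeners on 5432 and 8080: ports a user published with `-p 5432:5432` style flags that landed on the wildcard address instead of `127.0.0.1:5432:5432`. Loopback listeners such as Vault on 8200 pass, which is the point: they are reachable only through whatever forwarder or proxy you deliberately put in front of them.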