Container Networking Options for a Multi-User VPS
The useful question was not "what networking modes exist?" It was "which one fits a VPS where different Unix users own different services?"
For that kind of setup, I cared about:
- isolation between service owners
- predictable TLS hostnames
- minimal public exposure
- a model that still works in rootless container runtimes
The options I looked at
At a high level, the options break down into a few families:
- shared internal networks between containers
- direct host exposure on selected ports
- reverse proxies or forwarders on the host
- overlay networks such as WireGuard or Tailscale
- pod-style sidecar patterns for tightly coupled traffic
Each of them can work. The tradeoff is how much trust you want to centralize and how much cross-service coupling you are willing to accept.
Why the rootless host-forwarder model won
For my VPS, the most practical model was:
- keep Vault and internal services local
- publish only deliberate entry points
- use a host-side forwarder or proxy when different rootless users need to reach a shared service
- enforce identity with TLS and narrow policies instead of pretending the network alone is enough
That gave me a cleaner boundary between users while still keeping the system operable.
What I would optimize for again
On a multi-user VPS, I would still optimize for:
- explicit routing
- per-user ownership
- narrow published surfaces
- authentication at the service layer, not just by source IP
That is less elegant on paper than one giant shared network, but much easier to trust once the system grows.
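One check that follows from "publish only deliberate entry points" and "narrow published surfaces" is to audit what is actually bound to a wildcard address on the host. The script below is an added example, not part of the original post: it parses `ss -ltnpH`-style lines (a constructed sample is embedded) and reports listeners reachable from every interface whose port is not in an assumed allowlist. On a real host you would pipe `ss -ltnpH` into `unexpected_public_listeners` instead of the sample.

```shell
#!/bin/sh
# Added example: flag wildcard-bound listeners that are not deliberate
# entry points. Not the original post's code.

# Constructed sample of `ss -ltnpH` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("caddy",pid=1234,fd=7))
LISTEN 0 4096 127.0.0.1:8200 0.0.0.0:* users:(("vault",pid=2345,fd=5))
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("rootlessport",pid=3456,fd=9))
LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=1,fd=3))
LISTEN 0 4096 *:9000 *:* users:(("rootlessport",pid=4567,fd=10))'

# Ports allowed on a public interface (assumed deliberate entry points).
ALLOWED_PORTS="22 443"

# unexpected_public_listeners <allowlist>   (reads ss lines on stdin)
# Prints "port process" for each wildcard-bound listener not in the allowlist.
unexpected_public_listeners() {
    allow=" $1 "
    while read -r _state _rq _sq laddr _peer proc; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            0.0.0.0|'[::]'|'*') ;;   # wildcard bind: reachable from every interface
            *) continue ;;           # loopback or a specific address: fine
        esac
        case "$allow" in
            *" $port "*) continue ;; # deliberate entry point
        esac
        # Pull the process name out of users:(("name",pid=...,fd=...))
        name=${proc#*\"}
        name=${name%%\"*}
        printf '%s %s\n' "$port" "${name:-unknown}"
    done
}

# Runs the audit over the constructed sample so the result is easy to check.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_public_listeners "$ALLOWED_PORTS"
}

audit_sample
```

In the sample, the loopback-only Vault listener on 8200 is accepted, while the two rootlessport forwarders on 5432 and 9000 are reported because they expose a port to every interface without being in the allowlist.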