
Multi-Tenancy

Watchgrid supports full multi-tenant isolation — each tenant gets its own WireGuard subnet, DNS zone, devices, and users.


Overview

Multi-tenancy lets you run multiple isolated environments on a single Watchgrid server. Each tenant has:

  • Its own WireGuard subnet (e.g., 100.64.1.0/24, 100.64.2.0/24)
  • Its own gateway IP and WireGuard interface
  • Isolated devices, DNS records, and applications
  • Dedicated users and access control
  • Configurable firewall policies

Tenant Management

Go to Admin → Tenants (super-admin only) to manage tenants.

Tenant Cards

Each tenant is displayed as a card showing:

  • Tenant name and ID
  • Active/inactive status
  • Subnet and gateway IP
  • WireGuard interface name
  • DNS zone
  • Peer-to-peer setting (allowed or isolated)
  • Admin users
  • Creation date

Creating a Tenant

  1. Click Create Tenant
  2. Fill in:
     • Tenant ID — lowercase, hyphens allowed (e.g., london-office)
     • Tenant Name — human-readable name
     • Subnet — automatically suggested as the next available /24 block
     • Admin Users — initial administrators for this tenant
  3. Click Create

The tenant's WireGuard interface and DNS zone are configured immediately.
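The two inputs that decide whether tenants actually stay isolated are the tenant ID and the subnet, so it is worth seeing the checks that sit behind the form. The following is an added example, not Watchgrid's own code: it validates the ID rule above, rejects a requested subnet that is malformed, outside the pool, or overlapping another tenant, and computes the "next available /24" suggestion. The pool 100.64.0.0/10, the reserved first block 100.64.0.0/24, and the first-host gateway convention are assumptions made for the example.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Tenant IDs: lowercase, hyphens allowed (the documented rule). Requiring every
# hyphen to sit between alphanumerics is this example's own tightening.
TENANT_ID_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

# The docs show tenant subnets such as 100.64.1.0/24 and 100.64.2.0/24. Treating
# all of 100.64.0.0/10 as the pool and reserving 100.64.0.0/24 for the server
# itself are assumptions for this example.
TENANT_POOL = ipaddress.ip_network("100.64.0.0/10")
RESERVED = ipaddress.ip_network("100.64.0.0/24")


def validate_tenant_id(tenant_id: str) -> bool:
    """True when the ID follows the lowercase-with-hyphens rule."""
    return TENANT_ID_RE.fullmatch(tenant_id) is not None


def subnet_conflict(requested: str, existing: Iterable[str]) -> Optional[str]:
    """Reason why `requested` cannot become a tenant subnet, or None if it can."""
    try:
        net = ipaddress.ip_network(requested, strict=True)  # rejects host bits set
    except ValueError as exc:
        return f"invalid network: {exc}"
    if net.version != 4:
        return "tenant subnets must be IPv4"
    if net.prefixlen != 24:
        return "tenant subnets must be /24"
    if not net.subnet_of(TENANT_POOL):
        return f"outside tenant pool {TENANT_POOL}"
    if net.overlaps(RESERVED):
        return f"overlaps reserved block {RESERVED}"
    # Overlap, not equality: a stray /16 would swallow several tenants.
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            return f"overlaps existing tenant subnet {other}"
    return None


def next_free_subnet(existing: Iterable[str]) -> str:
    """Lowest unused /24 in the pool: the value the form would suggest."""
    existing = list(existing)
    for candidate in TENANT_POOL.subnets(new_prefix=24):
        if subnet_conflict(str(candidate), existing) is None:
            return str(candidate)
    raise RuntimeError("tenant pool exhausted")


def gateway_ip(subnet: str) -> str:
    """First usable host of the subnet as the tenant gateway (assumed convention)."""
    return str(next(ipaddress.ip_network(subnet).hosts()))


if __name__ == "__main__":
    # Constructed sample: two tenants already exist, a third is being created.
    current = ["100.64.1.0/24", "100.64.2.0/24"]
    suggested = next_free_subnet(current)
    print("tenant id ok:", validate_tenant_id("london-office"))
    print("suggested subnet:", suggested, "gateway:", gateway_ip(suggested))
    print("manual /16 request:", subnet_conflict("100.64.0.0/16", current))
```

The overlap test is the important one: checking for exact duplicates only would let an admin type a wider prefix that silently covers other tenants' address space.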

Deleting a Tenant

Before deletion, Watchgrid shows a summary of resources that will be affected:

  • Number of devices
  • DNS records
  • WireGuard peers
  • Deployed applications

Confirm to proceed. This removes all tenant resources.


Firewall Policies

Each tenant has configurable firewall settings:

  1. Click the Firewall button on a tenant card
  2. Configure:
     • Peer-to-peer traffic — toggle to allow or block direct device-to-device communication within the tenant
     • Peer allowlist — specific peers that can always communicate (one per line)
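To make the two settings concrete, here is an added example (not Watchgrid's own code) of a decision function that applies them to a single flow: cross-tenant traffic is always dropped, an allowed tenant forwards everything, and an isolated tenant only forwards flows touching the allowlist. Identifying peers by device name, and treating a flow as allowed when either endpoint is listed, are this example's assumptions about the allowlist semantics.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass
class TenantFirewall:
    tenant_id: str
    peer_to_peer: bool                        # True = allowed, False = isolated
    allowlist: FrozenSet[str] = frozenset()   # peers that can always communicate


@dataclass
class Device:
    name: str
    tenant_id: str


def parse_allowlist(text: str) -> FrozenSet[str]:
    """One peer per line, as typed in the Firewall dialog; blank lines are ignored."""
    return frozenset(line.strip() for line in text.splitlines() if line.strip())


def peer_traffic_allowed(src: Device, dst: Device,
                         policies: Dict[str, TenantFirewall]) -> Tuple[bool, str]:
    """Decide whether a src -> dst flow should be forwarded, with the reason."""
    # Tenants are separate subnets; no policy setting opens the boundary.
    if src.tenant_id != dst.tenant_id:
        return False, "cross-tenant traffic is never forwarded"
    policy = policies.get(src.tenant_id)
    if policy is None:
        return False, "no policy for tenant; default deny"
    if policy.peer_to_peer:
        return True, "peer-to-peer traffic allowed for tenant"
    # Isolated tenant: only flows involving an allowlisted peer get through.
    # "Either endpoint listed" is this example's reading of the docs.
    if src.name in policy.allowlist or dst.name in policy.allowlist:
        return True, "endpoint is on the peer allowlist"
    return False, "tenant is isolated and neither endpoint is allowlisted"


if __name__ == "__main__":
    # Constructed sample: an isolated tenant with one allowlisted printer.
    policies = {
        "london-office": TenantFirewall("london-office", False,
                                        parse_allowlist("printer-01\n\n")),
        "paris-office": TenantFirewall("paris-office", True),
    }
    laptop_a = Device("laptop-a", "london-office")
    laptop_b = Device("laptop-b", "london-office")
    printer = Device("printer-01", "london-office")
    paris = Device("desk-q", "paris-office")
    for flow in [(laptop_a, laptop_b), (laptop_a, printer), (laptop_a, paris)]:
        print(flow[0].name, "->", flow[1].name, peer_traffic_allowed(*flow, policies))
```

If the stricter reading is wanted (both endpoints must be listed before an isolated tenant forwards the flow), the `or` in the allowlist test becomes an `and`; the cross-tenant deny stays in front of the policy lookup either way.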

Switching Tenants

The tenant selector in the top navigation bar shows your available tenants. Select a different tenant to switch context — all pages (devices, DNS, apps, etc.) will filter to that tenant's data.


Device Tenant Binding

Devices are bound to their tenant at provisioning time:

  • Locked devices cannot be moved to another tenant
  • Unlocked devices can be reassigned by an admin (via Device Detail → Unlock Device)
  • The device's hardware fingerprint is tracked to prevent unauthorized tenant switching

Use onboarding tokens (--token flag during provisioning) to assign devices to specific tenants.
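The binding rules above amount to a short state machine, shown here as an added example rather than Watchgrid's own implementation: an onboarding token fixes the tenant at provisioning time, a locked device refuses reassignment, and an unlocked device is only moved by an admin when the hardware it presents matches the fingerprint recorded at enrolment. The token table, the hardware fields that feed the fingerprint, and the SHA-256 digest are all constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed mapping of onboarding token -> tenant it enrols into. In practice
# the server would look tokens up in its own store; this table is an assumption.
ONBOARDING_TOKENS: Dict[str, str] = {
    "tok-london-01": "london-office",
    "tok-paris-01": "paris-office",
}


@dataclass
class Device:
    device_id: str
    tenant_id: str
    fingerprint: str     # digest of hardware identifiers taken at provisioning
    locked: bool = True  # devices start locked to their tenant


def fingerprint_hardware(identifiers: Dict[str, str]) -> str:
    """Stable digest over hardware identifiers (field choice is an assumption)."""
    canonical = "\n".join(f"{k}={identifiers[k]}" for k in sorted(identifiers))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def token_tenant(token: str) -> Optional[str]:
    """Tenant a token enrols into, or None for an unknown token."""
    return ONBOARDING_TOKENS.get(token)


def provision(device_id: str, token: str, hardware: Dict[str, str]) -> Device:
    """Bind a new device to the tenant named by its --token and record its fingerprint."""
    tenant = token_tenant(token)
    if tenant is None:
        raise PermissionError("unknown onboarding token")
    return Device(device_id, tenant, fingerprint_hardware(hardware), locked=True)


def unlock_device(device: Device) -> None:
    """Admin action corresponding to Device Detail -> Unlock Device."""
    device.locked = False


def reassign(device: Device, new_tenant: str, hardware: Dict[str, str],
             actor_is_admin: bool) -> Tuple[bool, str]:
    """Apply the tenant-switch rules; returns (moved, reason)."""
    if not actor_is_admin:
        return False, "only an admin may reassign a device"
    if device.locked:
        return False, "device is locked to its tenant; unlock it first"
    presented = fingerprint_hardware(hardware)
    if not hmac.compare_digest(device.fingerprint, presented):
        # A different fingerprint means this is not the enrolled hardware.
        return False, "hardware fingerprint mismatch; refusing tenant switch"
    device.tenant_id = new_tenant
    return True, f"device moved to {new_tenant}"


if __name__ == "__main__":
    # Constructed sample hardware identifiers.
    hw = {"serial": "SN-0001", "mac": "aa:bb:cc:dd:ee:ff"}
    dev = provision("dev-1", "tok-london-01", hw)
    print(reassign(dev, "paris-office", hw, actor_is_admin=True))   # locked
    unlock_device(dev)
    print(reassign(dev, "paris-office", {"serial": "SN-9999", "mac": hw["mac"]}, True))
    print(reassign(dev, "paris-office", hw, actor_is_admin=True))   # moved
```

A fingerprint mismatch on an unlocked device is worth logging as well as refusing: it is the signal that someone is trying to re-home a different machine under an existing device record.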