
Multi-Tenancy

Watchgrid supports full multi-tenant isolation — each tenant gets its own WireGuard subnet, DNS zone, devices, and users.


Overview

Multi-tenancy lets you run multiple isolated environments on a single Watchgrid server. Each tenant has:

  • Its own WireGuard subnet (e.g., 100.64.1.0/24, 100.64.2.0/24)
  • Its own gateway IP and WireGuard interface
  • Isolated devices, DNS records, and applications
  • Dedicated users and access control
  • Configurable firewall policies

Tenant Management

Go to Admin → Tenants (super-admin only) to manage tenants.

Tenant Cards

Each tenant is displayed as a card showing:

  • Tenant name and ID
  • Active/inactive status
  • Subnet and gateway IP
  • WireGuard interface name
  • DNS zone
  • Peer-to-peer setting (allowed or isolated)
  • Admin users
  • Creation date

Creating a Tenant

  1. Click Create Tenant
  2. Fill in:
       • Tenant ID — lowercase, hyphens allowed (e.g., london-office)
       • Tenant Name — human-readable name
       • Subnet — automatically suggested as the next available /24 block
       • Admin Users — initial administrators for this tenant
  3. Click Create

The tenant's WireGuard interface and DNS zone are configured immediately.
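
The following is an added example, not Watchgrid's own code: a pre-flight audit of a tenant plan that checks the ID rule, confirms each subnet is a /24, flags overlaps that would break isolation between tenants, and suggests the next free /24. The function names, the exact ID pattern (digits permitted, single hyphens), the 100.64.0.0/10 pool, and the sample inventory are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: IDs are lowercase letters/digits joined by single hyphens.
TENANT_ID_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")
# Assumption: tenant blocks are carved from the range the page's examples use.
POOL = ipaddress.ip_network("100.64.0.0/10")
# Constructed inventory (tenant ID -> subnet); not real Watchgrid output.
SAMPLE = {
    "default": "100.64.0.0/24",
    "london-office": "100.64.1.0/24",
    "paris-office": "100.64.2.0/24",
    "Berlin_Lab": "100.64.2.128/25",
}

def audit_tenants(tenants):
    """Return (tenant_id, problem) findings for a {tenant_id: cidr} mapping."""
    findings, seen = [], []
    for tid, cidr in tenants.items():
        if not TENANT_ID_RE.match(tid):
            findings.append((tid, "invalid tenant ID"))
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError:
            findings.append((tid, f"bad subnet {cidr}"))
            continue
        if net.version != 4 or net.prefixlen != 24 or not net.subnet_of(POOL):
            findings.append((tid, f"{cidr} is not a /24 inside {POOL}"))
        for other_id, other in seen:
            if net.overlaps(other):  # shared addresses break tenant isolation
                findings.append((tid, f"{cidr} overlaps {other_id} ({other})"))
        seen.append((tid, net))
    return findings

def next_free_24(tenants):
    """Suggest the lowest /24 in POOL that overlaps no parseable tenant subnet."""
    used = []
    for cidr in tenants.values():
        try:
            used.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue  # unparseable entries are reported by audit_tenants
    for candidate in POOL.subnets(new_prefix=24):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None

if __name__ == "__main__":
    print(audit_tenants(SAMPLE), next_free_24(SAMPLE))
```

An empty findings list means every tenant in the plan has a well-formed ID and a distinct /24; any overlap finding should be resolved before the tenant is created.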

Deleting a Tenant

Before deletion, Watchgrid shows a summary of resources that will be affected:

  • Number of devices
  • DNS records
  • WireGuard peers
  • Deployed applications

Confirm to proceed. This removes all tenant resources.


Firewall Policies

Each tenant has a master traffic switch:

  1. Click the Firewall button on a tenant card
  2. Toggle Allow peer-to-peer traffic — when enabled, all devices in the tenant can communicate freely; when disabled, devices are isolated by default

For granular control (allow/deny specific devices, sites, ports, or protocols), use the Firewall page under System → Firewall.


Switching Tenants

The tenant selector in the top navigation bar shows your available tenants. Select a different tenant to switch context — all pages (devices, DNS, apps, etc.) will filter to that tenant's data.


Device Tenant Binding

Devices are bound to their tenant at provisioning time:

  • Locked devices cannot be moved to another tenant
  • Unlocked devices can be reassigned by an admin (via Device Detail → Unlock Device)
  • The device's hardware fingerprint is tracked to prevent unauthorized tenant switching

Use onboarding tokens (--token flag during provisioning) to assign devices to specific tenants.