diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test
index 5588aa5b4..d13b70369 100755
--- a/scripts/crl-revoked.test
+++ b/scripts/crl-revoked.test
@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #crl.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 revocation_code="-361"
 exit_code=1
 counter=0
diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test
index ac9027f30..1baadb996 100755
--- a/scripts/ocsp-stapling-with-ca-as-responder.test
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@@ -2,19 +2,13 @@
 
 # ocsp-stapling-with-ca-as-responder.test
 
-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
     bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
     fi
 fi
 
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
index 707158290..073cb0352 100755
--- a/scripts/ocsp-stapling.test
+++ b/scripts/ocsp-stapling.test
@@ -3,22 +3,6 @@
 # ocsp-stapling.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST
 
-# if we can, isolate the network namespace to eliminate port collisions
-if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
-    bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
-    fi
-fi
-
 if [[ -z "${RETRIES_REMAINING-}" ]]; then
     export RETRIES_REMAINING=2
 fi
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
index 8d31890bb..eb1a3c4e4 100755
--- a/scripts/ocsp-stapling2.test
+++ b/scripts/ocsp-stapling2.test
@@ -3,19 +3,13 @@
 # ocsp-stapling2.test
 # Test requires HAVE_OCSP and HAVE_CERTIFICATE_STATUS_REQUEST_V2
 
-# if we can, isolate the network namespace to eliminate port collisions
+# if we can, isolate the network namespace to eliminate port collisions.
 if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
     bwrap_path="$(command -v bwrap)"
-    if [[ -z "$bwrap_path" ]]; then
-	echo "couldn't find bwrap -- not isolating network namespace."
-    elif [[ ! -u "$bwrap_path" ]]; then
-	echo "$bwrap_path isn't setuid -- not isolating network namespace."
-    else
-	echo "isolating network namespace..."
-	export AM_BWRAPPED=yes
-	exec $bwrap_path --unshare-net --dev-bind / / "$0" "$@"
-	unset AM_BWRAPPED
-	echo "not isolating network namespace."
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
     fi
 fi
 
diff --git a/scripts/openssl.test b/scripts/openssl.test
index 4b4106551..69724478c 100755
--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@@ -1,14 +1,24 @@
-#!/bin/sh
+#!/bin/bash
 
 #openssl.test
 
-if test -n "$WOLFSSL_OPENSSL_TEST"; then
-    echo "WOLFSSL_OPENSSL_TEST set, running test..."
-else
+if ! test -n "$WOLFSSL_OPENSSL_TEST"; then
     echo "WOLFSSL_OPENSSL_TEST NOT set, won't run"
     exit 0
 fi
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
+echo "WOLFSSL_OPENSSL_TEST set, running test..."
+
 # need a unique port since may run the same time as testsuite
 generate_port() {
     port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
diff --git a/scripts/pkcallbacks.test b/scripts/pkcallbacks.test
index 24c9228f5..a28820090 100755
--- a/scripts/pkcallbacks.test
+++ b/scripts/pkcallbacks.test
@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #pkcallbacks.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 exit_code=1
 counter=0
 # need a unique resume port since may run the same time as testsuite
diff --git a/scripts/psk.test b/scripts/psk.test
index d11ac59b5..e5f435a01 100755
--- a/scripts/psk.test
+++ b/scripts/psk.test
@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # psk.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one
diff --git a/scripts/resume.test b/scripts/resume.test
index 35d05e1f2..af23a669a 100755
--- a/scripts/resume.test
+++ b/scripts/resume.test
@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #resume.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # need a unique resume port since may run the same time as testsuite
 # use server port zero hack to get one
 resume_string="reused"
diff --git a/scripts/sniffer-testsuite.test b/scripts/sniffer-testsuite.test
index 9bfb39b46..79aca3df1 100755
--- a/scripts/sniffer-testsuite.test
+++ b/scripts/sniffer-testsuite.test
@@ -1,7 +1,17 @@
-#!/bin/sh
+#!/bin/bash
 
 #sniffer-testsuite.test
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # ./configure --enable-sniffer [--enable-session-ticket]
 # Resumption tests require "--enable-session-ticket"
 
diff --git a/scripts/tls13.test b/scripts/tls13.test
index 8bcf2c3d3..665799b20 100755
--- a/scripts/tls13.test
+++ b/scripts/tls13.test
@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # tls13.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one
diff --git a/scripts/trusted_peer.test b/scripts/trusted_peer.test
index 67ee7803e..fbf7260d8 100755
--- a/scripts/trusted_peer.test
+++ b/scripts/trusted_peer.test
@@ -1,8 +1,18 @@
-#!/bin/sh
+#!/bin/bash
 
 # trusted_peer.test
 # copyright wolfSSL 2016
 
+# if we can, isolate the network namespace to eliminate port collisions.
+if [[ "${AM_BWRAPPED-}" != "yes" ]]; then
+    bwrap_path="$(command -v bwrap)"
+    if [[ -n "$bwrap_path" ]]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --unshare-net --dev-bind / / "$0" "$@"
+        unset AM_BWRAPPED
+    fi
+fi
+
 # getting unique port is modeled after resume.test script
 # need a unique port since may run the same time as testsuite
 # use server port zero hack to get one