January 3, 2019


This is a shameless copy and paste from various pages(*) for my own record.

Edit sysctl.conf

# cat >> /etc/sysctl.conf <<-__EOF__

Enable them on the running session:

# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1

Change your pf rules:

# cat > /etc/pf.conf <<-__EOF__

set skip on lo
block return

match out on $ext_if inet from $vmd_if:network to any nat-to ($ext_if)

IP and subnet

# cat > /etc/hostname.vether0 <<-__EOF__

Bridge interface for the guest VMs to attach to, and bridge vether0 to it:

# cat > /etc/hostname.bridge0 <<-__EOF__
add vether0

Bring vether0 and bridge0 online:

# sh /etc/netstart vether0
# sh /etc/netstart bridge0

Reload the pf configuration now (not earlier):

# pfctl -f /etc/pf.conf

Create a basic DHCP server configuration file that matches the vether0 configuration:

# cat > /etc/dhcpd.conf <<-__EOF__
option  domain-name "vmm.openbsd.local";
option  domain-name-servers,;

subnet netmask {
        option routers;


Configure a switch for vmm, so the VMs have connectivity:

# cat > /etc/vm.conf <<-__EOF__

switch "local" {
        interface bridge0

Enable and start the DHCP server. We also need to set the flags on dhcpd so that it only listens on vether0. Otherwise, you’ll end up with a rogue DHCP server on your primary network:

# rcctl enable dhcpd
# rcctl set dhcpd flags vether0
# rcctl start dhcpd

Enable vmd, and start it as well:

# rcctl enable vmd
# rcctl start vmd
# fw_update

You should notice a new interface, bridge0, in ifconfig now.

If you have avahi-daemon installed, edit


to ignore your virtual ethernet device:


Grab a Linux ISO,

$ cd /tmp
$ wget https://nl.alpinelinux.org/alpine/latest-stable/releases/x86_64/alpine-virt-3.8.0-x86_64.iso

Make a new virtual disk image,

$ vmctl create -s 15G alpine-virt.img 

Boot it (login root, no passwd):

# vmctl start -c -d alpine-virt-*.iso -d alpine-virt.img -m 1024M -n local  "alpine-vm"

When your install is done,

# poweroff

Boot it,

# vmctl start -c -d alpine-virt.img -m 1024M -n local "alpine-vm"

Install docker, edit


and uncomment


(or similar line, depending on the version you downloaded).

Update and install docker

# apk update
# apk add docker

Make a User

# adduser pau -G wheel docker



and configure


to allow wheel users to do root stuff:

## Uncomment to allow members of group wheel to execute any command             
 %wheel ALL=(ALL) ALL

It is more stable to close the terminal after you have started the VM session, and then ssh from another to it. You can of course find out the IP from ifconfig.

(*) namely

  1. https://medium.com/@dave_voutila/docker-on-openbsd-6-1-current-c620513b8110
  2. http://www.h-i-r.net/2017/04/openbsd-vmm-hypervisor-part-2.html
  3. https://gist.github.com/voutilad/1f018ba1fd8e177e40370dda143e5713