Why Proxmox
Proxmox VE is a Debian-based, open-source virtualization platform that combines KVM for full VMs and LXC for lightweight containers under a single, well-designed web UI. It's what I reach for when I need an enterprise-grade hypervisor without the licensing overhead of VMware — whether for a home lab, a lean DR environment, or a cost-conscious production workload.
This guide assumes you have a spare machine and want to stand up Proxmox properly — not just click "Next" through the installer. We'll cover the installation, network configuration, storage layout, and the first hardening pass you should do before the server ever touches a real workload.
Engineers setting up their first Proxmox host, or anyone moving from a VMware ESXi background who wants a sensible "day one" configuration that won't embarrass them later.
Prerequisites
Before you start, make sure you have:
- A 64-bit x86 machine with VT-x / AMD-V enabled in BIOS (without it you can't run KVM VMs)
- At least 8 GB RAM (16 GB+ recommended; the hypervisor itself uses ~1 GB)
- A dedicated system disk of 32 GB minimum (SSD strongly preferred)
- A USB stick of 4 GB+ for the installer
- A wired Ethernet connection (Wi-Fi is technically supported but not recommended for a hypervisor)
- Access to your router/switch admin interface in case you need to assign a DHCP reservation
On Linux, run grep -E 'vmx|svm' /proc/cpuinfo. If you get no output, virtualization is either disabled in BIOS or unsupported. Fix this first — every other step depends on it.
Step 1 — Download and Verify the ISO
Always grab the installer from the official Proxmox site and verify the checksum. A bad download on a hypervisor install is painful to discover after the fact.
# Download the latest Proxmox VE ISO
wget https://enterprise.proxmox.com/iso/proxmox-ve_8.2-1.iso
# Verify the SHA256 (compare against the value published on the download page)
sha256sum proxmox-ve_8.2-1.iso
On macOS you can use shasum -a 256 proxmox-ve_8.2-1.iso. On Windows, certutil -hashfile proxmox-ve_8.2-1.iso SHA256.
Step 2 — Create Bootable Installer Media
Write the ISO to a USB stick. Do not use UNetbootin or Rufus in "ISO mode" — they reformat the image and you'll get a non-booting installer. Use dd-style raw imaging.
On Linux or macOS
# Identify your USB device (be absolutely sure — wrong device = wiped disk)
lsblk # Linux
diskutil list # macOS
# Unmount it first
sudo umount /dev/sdX* # Linux
diskutil unmountDisk /dev/diskN # macOS
# Write the image (replace /dev/sdX with your actual USB device)
sudo dd if=proxmox-ve_8.2-1.iso of=/dev/sdX bs=4M status=progress oflag=syncOn Windows
Use Rufus in "DD Image" mode or balenaEtcher. Both preserve the ISO as a raw block image, which is what Proxmox expects.
Running dd with the wrong of= will instantly destroy the data on that disk. I've seen engineers wipe their laptop's internal drive this way. Always confirm with lsblk twice before pressing enter.
Step 3 — Run the Installer
Boot the target machine from your USB stick (usually F12 or F11 for boot menu). You'll land on the Proxmox installer's graphical screen. The steps are:
-
Accept the EULA
Standard Debian-style license acceptance — nothing surprising.
-
Choose the target disk and filesystem
Click Options. For a single-disk install,
ext4is fine and boring (a good thing). For two or more disks, use ZFS RAID-1 (mirror) or RAID-10 — you get snapshots, checksumming, and easy replication later. Avoid btrfs unless you have a specific reason. -
Set location, timezone, and keyboard
Self-explanatory. The timezone matters for logs and cron jobs later — get it right the first time.
-
Set the root password and admin email
Use a strong password and a monitored email. Proxmox sends alerts to this address: disk failures, ZFS scrub results, backup status. Do not use a throwaway email here.
-
Configure the management network
Set a static IP. The hostname should be a FQDN like
pve-01.lab.local— Proxmox stores the hostname in cluster config and changing it later is painful. Get this right the first time. -
Review summary and install
Takes about 5–10 minutes depending on disk speed. After reboot, pull the USB stick.
Stick to lowercase letters, digits, and hyphens. Resist the urge to use underscores or mixed case — some tools downstream still have opinions about this and you don't want to find out which ones the hard way.
Step 4 — First Login and Subscription Nag
Once installed, browse to https://<your-ip>:8006 and log in with user root and the Linux PAM realm. You'll see a subscription warning every time you log in, because the enterprise repo requires a paid subscription.
For a home lab or non-production workload, switch to the no-subscription repo:
# SSH into the host as root, then:
# Disable the enterprise repo
echo "# deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise" \
> /etc/apt/sources.list.d/pve-enterprise.list
# Enable the no-subscription repo
echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" \
> /etc/apt/sources.list.d/pve-no-subscription.list
# Update the package index and upgrade
apt update && apt full-upgrade -yFor anything production-adjacent with business impact, yes — the community subscription tier is inexpensive and gives you the tested enterprise repo. For a home lab, the no-subscription repo is fine.
Step 5 — Network Configuration
By default, Proxmox creates a bridge called vmbr0 bound to your primary NIC. All VMs attached to vmbr0 share that physical interface. This is fine for simple setups, but for anything with more than a handful of VMs you'll want to add VLANs.
Add a VLAN-aware bridge
Edit /etc/network/interfaces and mark vmbr0 as VLAN-aware. Then you can assign VLAN tags per VM in the web UI:
nano /etc/network/interfacesAdd bridge-vlan-aware yes and bridge-vids 2-4094:
auto vmbr0
iface vmbr0 inet static
address 192.168.1.50/24
gateway 192.168.1.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094Apply the changes:
ifreload -a
# Verify
ip -d link show vmbr0 | grep vlanStep 6 — Storage Layout
Out of the box, Proxmox creates two storage pools: local (for ISOs, container templates, backup targets) and local-lvm or local-zfs (for VM disks). This is usable, but for anything serious I recommend adding dedicated storage.
| Storage Type | Best For | Supports Snapshots |
|---|---|---|
| ZFS | Local VM disks, replication | Yes |
| LVM-Thin | Local VM disks (simpler than ZFS) | Yes |
| NFS | Shared storage for small clusters | Yes (with qcow2) |
| Ceph RBD | Hyperconverged clusters | Yes |
| iSCSI + LVM | Shared SAN-backed storage | No (without qcow2) |
Step 7 — Basic Hardening
Before you put real workloads on this host, do at least this much:
-
Disable root SSH password login
Set up key-based auth first, then in
/etc/ssh/sshd_configsetPermitRootLogin prohibit-password. Restart sshd withsystemctl restart ssh. -
Enable the built-in firewall
In the web UI, go to Datacenter → Firewall → Options and enable it. Add rules to allow 8006 (web UI), 22 (SSH), and anything else you need — then set the default policy to drop.
-
Configure email alerts
Edit
/etc/pve/user.cfgto verify the root email matches what you entered during install. Test withsendmail -tand a small message. -
Set up a backup target
Add an NFS share, a second disk, or a Proxmox Backup Server as a backup storage. Then configure a backup job under Datacenter → Backup. An unbacked-up VM is a liability, not an asset.
Step 8 — Create Your First VM
Upload an OS ISO first:
- In the web UI, navigate to
localstorage → ISO Images → Upload - Upload your preferred Linux or Windows ISO
- Click Create VM in the top-right
Recommended defaults for a general-purpose Linux VM:
| Setting | Value | Why |
|---|---|---|
| OS Type | Linux 6.x / 5.x Kernel | Enables sensible virtualization defaults |
| Machine | q35 | Modern PCIe support |
| BIOS | OVMF (UEFI) | Matches modern distros; SecureBoot-capable |
| SCSI Controller | VirtIO SCSI Single | Best performance on Linux guests |
| Disk Cache | Write-back (with UPS) or Default | Write-back is faster but risks data loss without battery backup |
| Network Model | VirtIO (paravirtualized) | Dramatically faster than emulated Intel E1000 |
After the VM boots, install qemu-guest-agent inside the guest and enable it in VM Options. You'll get real IP addresses in the UI, graceful shutdowns, and filesystem-consistent backups.
Verification
Run through this quick checklist before declaring the host done:
- Web UI reachable on HTTPS port 8006 and no certificate warnings (after installing a cert you trust, or a Let's Encrypt cert via ACME)
- All disks healthy —
zpool statusfor ZFS orvgs/lvsfor LVM shows clean state - Backups running — the first backup job has completed successfully
- Email alerts working — trigger a test from
pveshor withsendmail -t - First VM powered on, pingable, and responsive on SSH / RDP
Troubleshooting
VMs are slow to boot or run
Check that VT-x/AMD-V is actually enabled and exposed. Inside a VM, run lscpu | grep Virtualization. If the flag is missing, revisit BIOS. Also check for wrong disk cache settings — cache=none with spinning disks is painfully slow; writeback (with a UPS) is the usual fix.
Network bridge not carrying traffic
brctl show should list your physical NIC as attached to the bridge. If it doesn't, you likely edited /etc/network/interfaces but didn't run ifreload -a. A reboot fixes it if all else fails.
"Subscription active" nag won't go away
If you disabled the enterprise repo but still see the warning after a browser refresh, clear your browser cache. The message is injected via JavaScript on first page load.
Next Steps
Now that the host is up, the natural extensions are:
- Set up Proxmox Backup Server for incremental, dedup-aware backups
- Configure Prometheus + Grafana against the Proxmox metrics endpoint for real observability
- Cluster two or more nodes together for live migration and HA
- Harden further with Fail2Ban, 2FA on the web UI, and a Let's Encrypt cert
A hypervisor is infrastructure, not a toy. The 30 extra minutes spent on networking, storage, and backup config on day one prevent a bad weekend six months from now.