diff --git a/cmd/vfkit/main.go b/cmd/vfkit/main.go
index a1053109..ca526da4 100644
--- a/cmd/vfkit/main.go
+++ b/cmd/vfkit/main.go
@@ -151,7 +151,8 @@ func runVirtualMachine(vmConfig *config.VirtualMachine, vm *vz.VirtualMachine) e
 	}
 	log.Infof("virtual machine is running")
 
-	for _, vsock := range vmConfig.VirtioVsockDevices() {
+	vsockDevs := vmConfig.VirtioVsockDevices()
+	for _, vsock := range vsockDevs {
 		port := vsock.Port
 		socketURL := vsock.SocketURL
 		if socketURL == "" {
@@ -163,9 +164,12 @@ func runVirtualMachine(vmConfig *config.VirtualMachine, vm *vz.VirtualMachine) e
 			listenStr = " (listening)"
 		}
 		log.Infof("Exposing vsock port %d on %s%s", port, socketURL, listenStr)
-		if err := vf.ExposeVsock(vm, port, socketURL, vsock.Listen); err != nil {
+		closer, err := vf.ExposeVsock(vm, port, socketURL, vsock.Listen)
+		if err != nil {
 			log.Warnf("error exposing vsock port %d: %v", port, err)
+			continue
 		}
+		defer closer.Close()
 	}
 
 	if err := setupGuestTimeSync(vm, vmConfig.TimeSync()); err != nil {
diff --git a/pkg/vf/vsock.go b/pkg/vf/vsock.go
index 4a8e93af..47ccf01d 100644
--- a/pkg/vf/vsock.go
+++ b/pkg/vf/vsock.go
@@ -3,6 +3,7 @@ package vf
 import (
 	"context"
 	"fmt"
+	"io"
 	"net"
 	"net/url"
 	"strconv"
@@ -11,7 +12,7 @@ import (
 	"inet.af/tcpproxy"
 )
 
-func ExposeVsock(vm *vz.VirtualMachine, port uint, vsockPath string, listen bool) error {
+func ExposeVsock(vm *vz.VirtualMachine, port uint, vsockPath string, listen bool) (io.Closer, error) {
 	if listen {
 		return listenVsock(vm, port, vsockPath)
 	}
@@ -36,7 +37,7 @@ func ConnectVsockSync(vm *vz.VirtualMachine, port uint) (net.Conn, error) {
 
 // connectVsock proxies connections from a host unix socket to a vsock port
 // This allows the host to initiate connections to the guest over vsock
-func connectVsock(vm *vz.VirtualMachine, port uint, vsockPath string) error {
+func connectVsock(vm *vz.VirtualMachine, port uint, vsockPath string) (io.Closer, error) {
 
 	var proxy tcpproxy.Proxy
 	// listen for connections on the host unix socket
@@ -70,12 +71,12 @@ func connectVsock(vm *vz.VirtualMachine, port uint, vsockPath string) error {
 			}
 		},
 	})
-	return proxy.Start()
+	return &proxy, proxy.Start()
 }
 
 // listenVsock proxies connections from a vsock port to a host unix socket.
 // This allows the guest to initiate connections to the host over vsock
-func listenVsock(vm *vz.VirtualMachine, port uint, vsockPath string) error {
+func listenVsock(vm *vz.VirtualMachine, port uint, vsockPath string) (io.Closer, error) {
 	var proxy tcpproxy.Proxy
 	// listen for connections on the vsock port
 	proxy.ListenFunc = func(_, laddr string) (net.Listener, error) {
@@ -116,6 +117,6 @@ func listenVsock(vm *vz.VirtualMachine, port uint, vsockPath string) error {
 			}
 		},
 	})
-	// FIXME: defer proxy.Close()
-	return proxy.Start()
+
+	return &proxy, proxy.Start()
 }