Hermes Agent + Tailscale = Bulletproof VPS Security (Step-by-Step Tutorial)
Learn how to run Hermes Agent on your own server without exposing it to the public internet. This setup is one of the easiest and safest ways to do it.
In this guide, you'll install Hermes Agent on a VPS and secure it using Tailscale. No complicated DevOps. Just a clean, working setup.
Watch the Full Tutorial
Full video walkthrough on YouTube: https://youtu.be/7ay5-hneN2c
Why Use Tailscale?
Most VPS setups expose your app directly to the internet. That's risky.
With Tailscale, you:
- Create a private network (a WireGuard mesh)
- Access your server securely with no public-facing ports
- Avoid opening unnecessary ports to the internet
Bottom line: Your VPS stays private, but still accessible to you from any device on your Tailnet.
What You Need
- VPS hosting (I use Hostinger)
- SSH keys (no password logins)
- A free Tailscale account
- A firewall (UFW or your provider's) to keep unused ports closed
Step 1 - Set Up Your VPS
Start with a clean VPS. Connect via SSH using the IP your provider assigned:
ssh root@VPSIPHERE
Now your server is ready for the next steps.
Step 2 - Create a New User
Don't run things as root. Create a regular user and add them to the sudo group:
adduser --gecos "" username
adduser username sudo
Step 3 - Create an SSH Key
On your local machine, generate a modern Ed25519 key. Give it a name and a strong passphrase when prompted:
ssh-keygen -t ed25519
Copy the public key to your VPS:
ssh-copy-id -i keyname.pub username@VPSIPHERE
Then disable password authentication. Open the SSH config:
nano /etc/ssh/sshd_config.d/50-cloud-init.conf
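Set PasswordAuthentication no. sshd uses the first value it reads for each keyword, so make sure no other file in /etc/ssh/sshd_config.d/ sets it to yes. Press Ctrl+X, then Y, then Enter to save and exit. Restart SSH: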
service ssh restart
Always keep your existing SSH session open while testing the new key in a second terminal. If anything is wrong, you still have a way back in.
Connect with the new SSH key:
ssh -i ./keyname 'username@VPSIPHERE'
Step 4 - Set Up Tailscale
Download Tailscale to your local computer first: tailscale.com/download
Then install Tailscale on the VPS:
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
tailscale status
sudo tailscale set --operator=username
Firewall rule: Make sure UDP 41641 is allowed outbound on your VPS so Tailscale can establish its WireGuard tunnels. You do not need to expose it publicly.
Once Tailscale is up, connect to your VPS over the private Tailscale IP instead of the public one:
ssh -i ./keyname 'username@TAILSCALEIPHERE'
Step 5 - Install Hermes Agent
Follow the official setup at github.com/nousresearch/hermes-agent. Run the install script:
curl -fsSL https://hermes-agent.nousresearch.com/install.sh | bash
After installation, reload your shell so the hermes command is on your PATH:
source ~/.bashrc # or: source ~/.zshrc
Configure Hermes Agent
Run the one-time setup wizard:
hermes setup
Privacy-Focused Communication
- Matrix server: matrix-client.matrix.org
- Element web client (create accounts): app.element.io
Start Chatting
Run this command to start a chat session with your self-hosted Hermes Agent:
hermes
Step 6 - Checklist for Your Server
For extra security, take a final pass over the server.
VPS hardening checklist:
- Close any unused ports in your firewall (UFW or provider firewall)
- Use SSH keys only - no password logins
- Disable root SSH and use a non-root sudo user
- Keep your OS patched (enable unattended-upgrades on Debian/Ubuntu)
- Only expose Hermes over the Tailscale IP, not the public IP
- Back up your Hermes config and Tailscale auth keys off-server
Now you're running a proper, locked-down setup.
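The script below is an added example, not part of the original tutorial or of the Hermes or Tailscale projects. It checks the SSH items of the checklist against sshd -T output and lists TCP listeners from ss -H -tln that are bound outside loopback and Tailscale's address ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48). The function names, the --live switch and the sample data (including port 8080) are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the SSH and exposure items of the checklist.

# stdin: `sshd -T` output. Prints a FAIL line for each setting that
# contradicts "SSH keys only" or "disable root SSH".
sshd_findings() {
  awk '($1 == "passwordauthentication" || $1 == "permitrootlogin") && $2 != "no" {
         print "FAIL " $1 " " $2 }'
}

# stdin: `ss -H -tln` output. Prints each TCP listener bound to an address
# that is neither loopback nor in Tailscale's ranges.
public_listeners() {
  awk 'NF >= 2 {
    addr = $(NF-1)                         # Local Address:Port column
    host = addr
    sub(/:[^:]*$/, "", host)               # drop the port
    sub(/^\[/, "", host); sub(/\]$/, "", host)   # drop IPv6 brackets
    sub(/%.*$/, "", host)                  # drop %interface suffix
    if (host ~ /^127\./ || host == "::1") next      # loopback
    if (host ~ /^fd7a:115c:a1e0:/) next             # Tailscale IPv6
    n = split(host, o, ".")
    if (n == 4 && o[1] == 100 && o[2] >= 64 && o[2] <= 127) next  # 100.64.0.0/10
    print addr
  }'
}

# Constructed sample data, not captured from a real server.
SAMPLE_SSHD='port 22
permitrootlogin without-password
passwordauthentication no'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 100.101.102.103:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

if [ "${1:-}" = "--live" ]; then           # on the VPS, as root
  sshd -T | sshd_findings
  ss -H -tln | public_listeners
else
  printf '%s\n' "$SAMPLE_SSHD" | sshd_findings
  printf '%s\n' "$SAMPLE_SS" | public_listeners
fi
```

A listener on 0.0.0.0 or [::] is reachable on the public IP unless the firewall blocks it, so each line printed is something to rebind to the Tailscale address or filter.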
Final Thoughts
This setup gives you full control over your AI agent and the data it sees, secure access via Tailscale with no public-facing services, and no platform lock-in - you own the box. Once you try it, it's hard to go back.