Hermes Agent Security Setup: Why Most People Do This Wrong (VPS + Tailscale Tutorial)
In this video I show you how to install Hermes Agent on a VPS securely using Tailscale – step by step and beginner friendly.
👉 This setup keeps your server private and takes less than 30 minutes.
  • How to set up your VPS
  • Connect with Tailscale
  • Secure your setup properly
  • Install Hermes Agent
  • Configure your agent
  • Deploy and run your agent
This setup keeps your AI agents private and gives you full control without exposing everything to the public internet.
Step 1 - Set Up Your VPS
Start with a clean VPS. Connect via SSH using the IP your provider assigned:
ssh root@VPSIPHERE
Now your server is ready for the next steps.
Step 2 - Create a New User
Don't run things as root. Create a regular user and add them to the sudo group:
adduser --gecos "" username
adduser username sudo
Step 3 - Create an SSH Key
On your local machine, generate a modern Ed25519 key. Give it a name and a strong passphrase when prompted:
ssh-keygen -t ed25519
Copy the public key to your VPS:
ssh-copy-id -i keyname.pub username@VPSIPHERE
Then disable password authentication. Open the SSH config:
nano /etc/ssh/sshd_config.d/50-cloud-init.conf
Set PasswordAuthentication no. Press Ctrl + X, then Y, then Enter to save and exit.
Restart SSH:
service ssh restart
Always keep your existing SSH session open while testing the new key in a second terminal. If anything is wrong, you still have a way back in.
Connect with the new SSH key:
ssh -i ./keyname 'username@VPSIPHERE'
Step 4 - Set Up Tailscale
Download Tailscale to your local computer first:
tailscale.com/download
Then install Tailscale on the VPS:
sudo tailscale up
tailscale status
sudo tailscale set --operator=username
Firewall rule:
Make sure UDP 41641 is allowed outbound on your VPS so Tailscale can establish its WireGuard tunnels. You do not need to expose it publicly.
Once Tailscale is up, connect to your VPS over the private Tailscale IP instead of the public one:
ssh -i ./keyname 'username@TAILSCALEIPHERE'
Step 5 - Install Hermes Agent
Follow the official setup at:
github.com/nousresearch/hermes-agent
Run the install script:
After installation, reload your shell so the hermes command is on your PATH:
source ~/.bashrc # or: source ~/.zshrc
Configure Hermes Agent
Run the one-time setup wizard:
hermes setup
Privacy-Focused Communication.
Element web client (create accounts): app.element.io
Start Chatting
Run this command to start a chat session with your self-hosted Hermes Agent:
hermes
Step 6 - Checklist for Your Server
For extra security, take a final pass over the server.
VPS hardening checklist
• Close any unused ports in your firewall (UFW or provider firewall)
• Use SSH keys only - no password logins
• Disable root SSH and use a non-root sudo user
• Keep your OS patched (enable unattended-upgrades on Debian/Ubuntu)
• Only expose Hermes over the Tailscale IP, not the public IP
• Back up your Hermes config and Tailscale auth keys off-server
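To confirm two of these items instead of assuming them, here is an added example (not part of the original tutorial or the Hermes project). It checks the effective sshd settings, since sshd keeps the first value it reads for each keyword and another drop-in file can override your edit, and it lists TCP listeners bound outside loopback and the Tailscale address ranges. The sample input is constructed, and port 8080 is a placeholder, not Hermes Agent's real port.

```bash
#!/usr/bin/env bash
# Added example: audits text input so it can be tried offline.

# Reads `sshd -T` output on stdin; prints each setting that is not "no".
check_sshd() {
  awk '
    $1 == "passwordauthentication" { pw = $2 }
    $1 == "permitrootlogin"        { root = $2 }
    END {
      if (pw != "no")   print "FAIL passwordauthentication=" (pw == "" ? "unset" : pw)
      if (root != "no") print "FAIL permitrootlogin=" (root == "" ? "unset" : root)
    }'
}

# Reads `ss -H -tln` output on stdin; prints listeners bound to anything other
# than loopback or the Tailscale ranges (100.64.0.0/10, fd7a:115c:a1e0::/48).
public_listeners() {
  awk '
    {
      host = $4
      sub(/:[0-9]+$/, "", host)                    # drop :port
      sub(/%.*/, "", host)                         # drop %interface suffix
      sub(/^\[/, "", host); sub(/\]$/, "", host)   # drop IPv6 brackets
      if (host ~ /^127\./ || host == "::1") next
      if (host ~ /^fd7a:115c:a1e0:/) next
      if (split(host, o, ".") == 4 && o[1]+0 == 100 && o[2]+0 >= 64 && o[2]+0 <= 127) next
      print $4
    }'
}

# Constructed sample input (not captured from a real server).
SAMPLE_SSHD='port 22
passwordauthentication yes
permitrootlogin without-password
pubkeyauthentication yes'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 100.101.102.103:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE_SSHD" | check_sshd
printf '%s\n' "$SAMPLE_SS" | public_listeners
# On the VPS itself: sudo sshd -T | check_sshd ; ss -H -tln | public_listeners
```

Empty output from both functions means the checks passed. A listener printed by public_listeners is only a problem if your firewall does not already block that port from the public side.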
Emilian Pro Level