
Setup Guide

Hermes Agent + Tailscale: Secure Remote Access Without Port Forwarding

Use Tailscale to securely reach your self-hosted Hermes Agent from anywhere — connect your home GPU to a remote instance, open the gateway UI privately, and never expose a port to the public internet.

What Is Tailscale?

Tailscale is a mesh VPN built on WireGuard, the modern encrypted tunneling protocol. Unlike traditional VPNs that route all traffic through a central server, Tailscale creates direct peer-to-peer connections between your devices. Each device in your "tailnet" gets a stable private IP (in the 100.x.x.x range) that stays the same regardless of your physical location or network. Setup takes under five minutes and requires no manual firewall rules, no port forwarding, and no public IP.

Why Use Tailscale with Hermes Agent?

Hermes Agent by Nous Research runs as a local server with a browser gateway on localhost:8642. By default that gateway is only reachable on the machine running it. Getting remote access normally requires opening firewall ports, setting up dynamic DNS, or paying for a reverse proxy service. Tailscale eliminates all of that:

  • Access Hermes from anywhere — Reach your home or office Hermes gateway from your phone, laptop, or any other Tailscale device. No public exposure needed.
  • Connect local Ollama to a remote Hermes — Run Ollama on a machine with a powerful GPU at home and point a cloud or remote Hermes instance at it via the Tailscale IP. Your GPU does the inference; Hermes handles the agent logic.
  • No port forwarding — Your router never needs to be touched. Tailscale handles NAT traversal automatically, even through double-NAT or CGNAT connections.
  • Encrypted tunnel — All traffic between Tailscale nodes is encrypted with WireGuard. Nobody between your devices can intercept or inspect it.
  • Stable IPs across reboots — Device IPs in your tailnet never change, so your Hermes config stays valid indefinitely.

Use Cases

1. Access the Hermes gateway UI remotely

You run Hermes on a home server or NAS. With Tailscale installed on both the server and your laptop, you can open the gateway UI at http://100.x.x.x:8642 from anywhere — coffee shop, hotel, office — as if you were on your home network. No VPN client configuration, no split tunneling headaches.

2. Connect home GPU to a cloud Hermes

You have a gaming PC with a capable GPU running Ollama at home, and a small VPS or OpenClaw Launch Hermes instance in the cloud. Install Tailscale on both, then point your cloud Hermes provider config at your home machine's Tailscale IP as the Ollama API base. You get cloud availability and reliability with local GPU inference — zero per-token API costs.

3. Secure multi-node setups

Running Hermes across multiple servers — one for the gateway, one for heavy inference, one as a relay? Tailscale gives each node a stable private address and lets them communicate without exposing any ports to the internet. Define ACLs in the Tailscale admin console to control exactly which nodes can reach which services.

How to Set Up Tailscale

  1. Create a free Tailscale account — Sign up at tailscale.com. The free plan supports up to 100 devices and 3 users — more than enough for personal use.
  2. Install Tailscale on your first machine — Download from tailscale.com/download. On Linux (Debian/Ubuntu):
    curl -fsSL https://tailscale.com/install.sh | sh
    sudo tailscale up
    On macOS and Windows, download the GUI app and sign in.
  3. Install Tailscale on your second machine — Repeat the same install on every device you want to connect (home server, VPS, laptop, phone).
  4. Find your Tailscale IPs — Run tailscale ip on each device or check the Tailscale admin console to see all connected machines and their stable 100.x.x.x addresses.
  5. Verify connectivity — From one machine, ping another by its Tailscale IP: ping 100.x.x.x. If it responds, your tailnet is working.

Connect Local Ollama to Remote Hermes via Tailscale

This lets you run Ollama on a machine with a powerful GPU (e.g., your home PC) and use it as the AI backend for a Hermes instance running elsewhere (VPS, cloud, another room). Hermes talks to any OpenAI-compatible endpoint, and Ollama exposes exactly that at /v1 — see the Hermes + Ollama guide for the full provider setup.

Step 1: Install Tailscale and Ollama on the GPU machine

Install Tailscale as above, then install Ollama and pull a tool-capable model:

ollama pull qwen3:32b
ollama serve

Step 2: Note your GPU machine's Tailscale IP

tailscale ip
# Example output: 100.64.1.42

Step 3: Point Hermes at the Tailscale IP

In your Hermes config.yaml, set the provider base URL to your GPU machine's Tailscale IP instead of localhost:

# In your Hermes config.yaml — provider section
# Point the OpenAI-compatible base URL at the Tailscale IP:
#   http://100.64.1.42:11434/v1
# Then select an Ollama-served model (e.g. qwen3:32b) as the agent model.

Step 4: Restart Hermes

Restart the Hermes gateway (hermes start, or restart your Docker container) to pick up the new config. All inference requests will now travel over the encrypted Tailscale tunnel to your home GPU.

Ollama binding note: By default, Ollama only listens on localhost. To accept connections from Tailscale, bind it to your Tailscale interface — for example OLLAMA_HOST=100.64.1.42 (your tailnet IP) — rather than 0.0.0.0. Binding to 0.0.0.0 exposes Ollama on every interface, including your LAN and any public interface, so if you must use it, add a host firewall rule that only allows traffic in on tailscale0. The WireGuard tunnel itself is encrypted; the firewall is what keeps non-tailnet devices out.
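The binding note above is the step most people get wrong, so here is a preflight script that turns it, and the address check from steps 4 and 5 of the Tailscale setup, into something you can run on the GPU machine. It is an added example, not code from the Hermes Agent or Tailscale projects. It assumes Ollama listens on TCP 11434, that the Tailscale interface is named tailscale0, that `ss` (iproute2) and `awk` are installed, and it checks addresses against 100.64.0.0/10, the CGNAT block Tailscale assigns node addresses from. The sample `ss` rows in the comments are constructed.

```shell
#!/bin/sh
# Preflight checks for serving Ollama to a remote Hermes instance over Tailscale.
# Added example, not part of the Hermes Agent or Tailscale projects.
# Assumptions: Ollama on TCP 11434, Tailscale interface tailscale0, `ss` and
# `awk` available on the GPU machine. Run as: sh preflight.sh 100.64.1.42

OLLAMA_PORT=11434
TAILSCALE_IF=tailscale0

# is_tailnet_ip ADDR: succeed only if ADDR is a well-formed IPv4 address inside
# 100.64.0.0/10 (first octet 100, second octet 64..127), the range Tailscale
# hands out. A LAN or public address fails the check.
is_tailnet_ip() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octets
  esac
  n=0; o1=; o2=
  for octet in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
    if [ "$n" -eq 1 ]; then o1=$octet; elif [ "$n" -eq 2 ]; then o2=$octet; fi
  done
  [ "$n" -eq 4 ] || return 1
  if [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then
    return 0
  fi
  return 1
}

# ollama_base_url ADDR: print the OpenAI-compatible base URL for the Hermes
# provider config, refusing anything that is not a tailnet address so a LAN or
# public IP never ends up in config.yaml by mistake.
ollama_base_url() {
  if ! is_tailnet_ip "$1"; then
    echo "refusing '$1': not a Tailscale (100.64.0.0/10) address" >&2
    return 1
  fi
  printf 'http://%s:%s/v1\n' "$1" "$OLLAMA_PORT"
}

# check_listener ROW: classify one row of `ss -ltn` output (constructed example:
# "LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*"). Field 4 is Local Address:Port.
# Returns 0 = bound to a tailnet IP (good), 1 = wildcard address (reachable on
# every interface, needs a host firewall), 2 = loopback only (unreachable from
# the tailnet), 3 = not the Ollama port or unparseable.
check_listener() {
  laddr=$(printf '%s\n' "$1" | awk '{ print $4 }')
  port=${laddr##*:}
  host=${laddr%:*}
  [ "$port" = "$OLLAMA_PORT" ] || return 3
  case "$host" in
    0.0.0.0|'*'|'[::]'|::) return 1 ;;
    127.*|'[::1]')          return 2 ;;
  esac
  if is_tailnet_ip "$host"; then return 0; fi
  return 3
}

# firewall_rules: print the ufw commands that admit the Ollama port only on the
# Tailscale interface. ufw evaluates rules in order, so the allow comes first.
firewall_rules() {
  printf 'sudo ufw allow in on %s to any port %s proto tcp\n' "$TAILSCALE_IF" "$OLLAMA_PORT"
  printf 'sudo ufw deny %s/tcp\n' "$OLLAMA_PORT"
}

# main ADDR: run on the GPU machine, passing its own tailnet address.
main() {
  url=$(ollama_base_url "$1") || return 1
  echo "Hermes provider base URL: $url"
  # Pick the live listener row whose local address ends in :11434.
  row=$(ss -ltn 2>/dev/null | awk -v p=":$OLLAMA_PORT" \
        'substr($4, length($4) - length(p) + 1) == p { print; exit }')
  if [ -z "$row" ]; then
    echo "No listener on port $OLLAMA_PORT. Is 'ollama serve' running?"
    return 1
  fi
  rc=0
  check_listener "$row" || rc=$?
  case $rc in
    0) echo "OK: Ollama is bound to the tailnet address only." ;;
    1) echo "WARNING: Ollama is bound to a wildcard address. Restrict it with:"
       firewall_rules ;;
    2) echo "Ollama is loopback-only. Start it with OLLAMA_HOST=$1 and re-run." ;;
    *) echo "Could not interpret listener row: $row" ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$1"
fi
```

The script never changes firewall state itself; it only prints the two ufw commands when it finds a wildcard bind, so you can read them before applying. If you prefer nftables or iptables, the rule to reproduce is the same: accept TCP 11434 on tailscale0, drop it on every other interface.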

Access the Hermes Gateway UI Through Tailscale

If Hermes is running on a machine in your tailnet, you can reach its web gateway from any other tailnet device — no public DNS record or open port required.

  1. Find the Tailscale IP of the machine running Hermes: tailscale ip on that machine.
  2. From another tailnet device, open your browser to http://100.x.x.x:8642 (replacing with the actual IP and port).
  3. Complete authentication in the gateway. The UI loads privately over the WireGuard tunnel — the port is never exposed to the public internet.

To use a hostname instead of a raw IP, you can also use Tailscale's HTTPS support with MagicDNS to access the gateway at a name like https://my-server.tail1234.ts.net:8642.

Security Benefits

Tailscale adds a meaningful security layer to any Hermes deployment:

  • WireGuard encryption — Every packet between tailnet devices is encrypted with modern cryptography. Eavesdroppers on public Wi-Fi see nothing.
  • No open ports — Your Hermes gateway port never needs to be exposed on your router or cloud firewall. Attack surface is drastically reduced.
  • Device authentication — Only devices you explicitly approve in the Tailscale admin console can join your tailnet. No anonymous access.
  • ACL policies — Tailscale's access control lists (ACLs) let you specify exactly which devices can reach which ports. You can isolate Hermes so only your laptop can connect, not every device in your tailnet.
  • Key expiry and device management — Revoke access for lost or compromised devices instantly from the Tailscale admin console.
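The ACL bullet above describes isolating Hermes so that only one device can reach it. Here is a policy that does exactly that for the three-node layout this guide builds (laptop, Hermes server, GPU machine). It is an added example, not a policy from the Hermes Agent or Tailscale projects, written in Tailscale's policy file format (HuJSON, shown here as strict JSON so it pastes into the admin console's ACL editor). The three tailnet addresses are constructed placeholders; the ports are the ones this guide uses, 8642 for the gateway and 11434 for Ollama.

```json
{
  "hosts": {
    "laptop": "100.64.1.10",
    "hermes-server": "100.64.1.20",
    "gpu-box": "100.64.1.42"
  },
  "acls": [
    {
      "action": "accept",
      "src": ["laptop"],
      "dst": ["hermes-server:8642"]
    },
    {
      "action": "accept",
      "src": ["hermes-server"],
      "dst": ["gpu-box:11434"]
    }
  ],
  "tests": [
    {
      "src": "laptop",
      "accept": ["hermes-server:8642"],
      "deny": ["gpu-box:11434", "hermes-server:22"]
    },
    {
      "src": "hermes-server",
      "accept": ["gpu-box:11434"],
      "deny": ["laptop:8642"]
    }
  ]
}
```

Tailscale policies are deny-by-default once an `acls` list exists, so this grants two paths and nothing else: the laptop can open the gateway UI, the Hermes server can call Ollama, and the GPU machine is unreachable from the laptop even though all three share the tailnet. The `tests` section is checked every time the policy is saved, so a later edit that accidentally widens access (say, a `"src": ["*"]` rule) is rejected in the editor rather than discovered in production. If you administer these nodes over SSH through the tailnet, add a separate rule for port 22 from the laptop; the tests above would flag it, so update them in the same change.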

Tailscale vs. Other Remote Access Methods

                            | Tailscale                              | Port Forwarding         | Cloudflare Tunnel     | Ngrok
----------------------------|----------------------------------------|-------------------------|-----------------------|------------------------
Setup difficulty            | Very easy                              | Medium                  | Easy                  | Very easy
Open ports needed           | None                                   | Yes — public exposure   | None                  | None
Traffic encryption          | WireGuard (E2E)                        | Depends on app TLS      | TLS (via Cloudflare)  | TLS (via Ngrok)
Third-party traffic routing | Direct P2P (encrypted relay fallback)  | No                      | Yes — via Cloudflare  | Yes — via Ngrok
Works behind CGNAT          | Yes                                    | No                      | Yes                   | Yes
Cost                        | Free (up to 100 devices)               | Free                    | Free tier available   | Free tier (limited)
Latency                     | Very low (direct P2P)                  | Very low (direct)       | Low (CDN edge)        | Medium (relay servers)
Best for                    | Private device networks                | Simple static setups    | Public HTTP services  | Quick temporary tunnels

For Hermes Agent specifically, Tailscale is the best choice when you want private access from your own devices. Cloudflare Tunnel is better if you want to expose the Hermes gateway to the public internet (though that requires careful authentication setup). Port forwarding works but exposes your IP and port to scanners. Ngrok is convenient for short-term testing but not suitable for persistent production use.
