
Access Hermes Agent remotely with Tailscale (no ports)

If you've been wrestling with Nginx reverse proxy, Cloudflare Tunnel or SSH tunneling to reach your VPS-hosted Hermes Agent from a laptop, there's a simpler answer most homelab people landed on years ago: Tailscale. Your VPS and your laptop join the same private mesh network. The Hermes dashboard binds to a private Tailscale IP. From the laptop you point Hermes Desktop or your browser at that IP and you're in.

No public port, DNS, Let's Encrypt, or reverse proxy. The only thing on the public internet is the SSH port you already had for admin.

Why Tailscale for this

Three reasons people pick Tailscale over the alternatives:

Encryption end to end without you doing crypto work. WireGuard under the hood. Keys handled for you. You join the tailnet on each device and traffic between them is encrypted.

No firewall holes. Your VPS doesn't need any new public ports open. Tailscale connects outbound from each device to the Tailscale coordination service, then peer-to-peer between them. Inbound firewall rules can stay locked down.

Works from anywhere. Coffee shop wifi. Hotel network. Mobile data. Your laptop reaches the VPS the same way it would on a home LAN.

The catch: you're trusting Tailscale's coordination service to broker connections. If you're paranoid about that, self-hosted Headscale is the open-source alternative with the same UX. For most people Tailscale's hosted service is fine.

Install Tailscale on the VPS

On Ubuntu/Debian:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

The up command prints a URL. Open it in a browser, log into your Tailscale account (free tier is generous, no credit card needed), authorise the device. The VPS now has a private IP in your tailnet, something like 100.x.y.z.

Check the IP:

tailscale ip -4

Install Tailscale on the laptop

It's the same flow. Download the Tailscale client from tailscale.com/download (there's a native client for Windows, macOS, Linux, iOS, Android). Install, log into the same account, your laptop joins the tailnet.

Verify the VPS is reachable from the laptop:

ping 100.x.y.z   # the VPS's tailnet IP
ssh <user>@100.x.y.z   # your SSH user on the VPS, same tailnet IP

If ping and SSH both work, you're done with the networking bit.

Bind Hermes dashboard to the Tailscale interface

By default Hermes binds the dashboard to 127.0.0.1. You need it bound to either 0.0.0.0 (all interfaces) or specifically to the Tailscale IP. I prefer 0.0.0.0 with proper auth so the same config works on multiple networks. Be aware that 0.0.0.0 on a VPS also includes its public address, so the host firewall has to keep port 8642 off the public interface (see the ufw rule in the troubleshooting section); binding to the Tailscale IP alone avoids that dependency.

export HERMES_DASHBOARD_USERNAME="your-user"
export HERMES_DASHBOARD_PASSWORD="long-random-string"
hermes dashboard start --host 0.0.0.0 --auth basic

The basic auth is a belt-and-braces measure. The tailnet itself is already restricted to your authorised devices but I sleep better with both.

For production, put the env vars in your systemd unit's Environment= directives, not in bashrc. Pattern in our Hermes Agent systemd setup tutorial.

Reach the dashboard from your laptop

Browser to http://100.x.y.z:8642 (your VPS tailnet IP, the Hermes default port). Basic auth prompt. Enter the username and password you set. Dashboard opens.

For Hermes Desktop in remote mode, the same pattern. API URL: http://100.x.y.z:8642. API key: your basic auth password. Full Desktop setup details in our Hermes Desktop remote backend on VPS piece.

Adding HTTPS with Tailscale Serve

If you really want HTTPS (some clients refuse plain HTTP, or you want browser auto-fill to behave), Tailscale Serve gives you an HTTPS endpoint on your tailnet without you provisioning a cert. Tailscale acts as a managed Let's Encrypt for your tailnet domains.

sudo tailscale serve --bg 8642

Now https://your-machine.your-tailnet.ts.net serves the Hermes dashboard with a valid cert. No Nginx, no certbot, no renewal cron.

You can list active serve configs with:

tailscale serve status

The only catch: Serve URLs work only from inside the tailnet. So this isn't a public HTTPS endpoint. It's an HTTPS endpoint that requires the requester to be on the tailnet first. Which is what you want for this use case.

ACLs: limit which devices can reach Hermes

By default any device on your tailnet can hit any other. If you want to restrict so only specific devices reach the Hermes box, use Tailscale ACLs. Edit your tailnet's ACL JSON in the Tailscale admin console:

{
  "tagOwners": {
    // placeholder identity; substitute your own tailnet login
    "tag:hermes": ["alice@example.com"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["alice@example.com"],
      "dst": ["tag:hermes:8642"]
    }
  ]
}

Tag the VPS with tailscale up --advertise-tags=tag:hermes. Only the listed user (and their devices) can now reach port 8642 on tagged machines. Note that once an acls list exists, everything it does not explicitly accept is denied, so this rule on its own also blocks your SSH session to the VPS over the tailnet; add a rule for port 22 if you rely on that.

Overkill for a personal setup. Worth it for a small team where Bob shouldn't be able to reach Alice's Hermes.

Vs Cloudflare Tunnel

Both let you reach an internal service from outside without port forwarding. Cloudflare Tunnel is the right pick when you want the service publicly reachable behind Cloudflare's auth. Tailscale is the right pick when you want the service reachable only by your devices and absolutely nothing public.

For Hermes specifically, I honestly prefer Tailscale. The dashboard can edit API keys and bot tokens. It doesn't need to be publicly reachable even behind auth. Tailscale's "only my devices see this" model fits the threat profile better.

If you ever do need Cloudflare Tunnel (because a webhook from an external service needs to reach Hermes), that setup gets its own piece. The two patterns coexist fine.

Tailscale on mobile reaching the agent

This is the sneaky win in my opinion. Install Tailscale on your phone, join the tailnet, browse to http://100.x.y.z:8642 on mobile. Hermes dashboard works on the phone screen. Or use the community Hermes WebUI on the same tailnet IP for a better mobile experience.

No app to install (beyond Tailscale itself). No port forwarded on the home router. Your phone reaches the VPS-hosted agent securely from anywhere.

Common things to watch out for

Dashboard not reachable after binding to 0.0.0.0

Check the VPS firewall. Even though Tailscale traffic is encrypted, packets still have to traverse the host firewall. If you've got ufw enabled, allow the port on the tailscale0 interface:

sudo ufw allow in on tailscale0 to any port 8642
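A check for the 0.0.0.0 binding caveat above and for this ufw step, as an added example that is not from the article (function names and the sample output are constructed): it classifies how port 8642 is bound from ss -ltn output and whether ufw status scopes that port to tailscale0.

```shell
# Added example, not from the original article: does a Hermes dashboard bound to
# 0.0.0.0 stay reachable only over the tailnet? Assumes Hermes' default port 8642,
# Tailscale's 100.64.0.0/10 range, ufw's default deny-incoming policy, and the
# usual `ss -ltn` / `ufw status` output formats.
HERMES_PORT=8642
# classify_bind "<ss -ltn output>" -> loopback | all | tailnet | other | none
classify_bind() {
    while read -r state _rq _sq laddr _rest; do
        [ "$state" = "LISTEN" ] || continue
        [ "${laddr##*:}" = "$HERMES_PORT" ] || continue
        case "${laddr%:*}" in
            127.0.0.1|'[::1]')  echo loopback; return 0 ;;
            0.0.0.0|'*'|'[::]') echo all;      return 0 ;;   # every interface, public IP included
            100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) echo tailnet; return 0 ;;
            *)                  echo other;    return 0 ;;   # e.g. bound to the public address
        esac
    done <<EOF
$1
EOF
    echo none
}
# ufw_scoped_to_tailnet "<ufw status output>" -> success only if the port is allowed
# on tailscale0 and no rule allows it on every interface (the branch order matters)
ufw_scoped_to_tailnet() {
    scoped=1
    while read -r line; do
        case "$line" in
            "$HERMES_PORT on tailscale0 "*ALLOW*)              scoped=0 ;;
            "$HERMES_PORT "*ALLOW*|"$HERMES_PORT/tcp "*ALLOW*) return 1 ;;
        esac
    done <<EOF
$1
EOF
    return $scoped
}
# dashboard_exposure "<ss output>" "<ufw output>" -> ok | exposed | unreachable
dashboard_exposure() {
    case "$(classify_bind "$1")" in
        tailnet) echo ok ;;
        all)     if ufw_scoped_to_tailnet "$2"; then echo ok; else echo exposed; fi ;;
        other)   echo exposed ;;
        *)       echo unreachable ;;   # loopback or not listening: the laptop can't reach it
    esac
}
# Constructed sample output for a VPS that ran `hermes dashboard start --host 0.0.0.0`
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:8642      0.0.0.0:*'
SAMPLE_UFW_BAD='22/tcp                     ALLOW       Anywhere'
SAMPLE_UFW_GOOD="$SAMPLE_UFW_BAD
8642 on tailscale0         ALLOW       Anywhere"
echo "before ufw rule: $(dashboard_exposure "$SAMPLE_SS" "$SAMPLE_UFW_BAD")"    # exposed
echo "after ufw rule:  $(dashboard_exposure "$SAMPLE_SS" "$SAMPLE_UFW_GOOD")"   # ok
```

On the real host, run dashboard_exposure "$(ss -ltn)" "$(sudo ufw status)"; anything other than ok means the laptop either cannot reach the dashboard or the public internet can.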

Devices show as offline in Tailscale console

Usually a service issue (tailscaled stopped on one end) or a token expired. Check with sudo systemctl status tailscaled on the VPS, tailscale status on the laptop.

Slow throughput between devices

Tailscale prefers direct peer-to-peer connections (UDP) but falls back to relayed connections (DERP servers) if NAT punching fails. Relayed connections are slower. Check with:

tailscale netcheck

If you're always falling back to DERP, your router may be blocking UDP. Opening UDP 41641 outbound on the VPS's host firewall usually helps.

What this replaces in the rest of the stack

If you set up Tailscale and like it, you can simplify a few other pieces. The SSH tunnel approach in our Desktop remote backend piece becomes redundant; just browse to the tailnet IP. The Nginx HTTPS setup in our Hermes Nginx HTTPS tutorial is also redundant if you go with Tailscale Serve for the HTTPS bit.

You're not deleting those options. They still work. They just become "one of three ways to do this" rather than the default.

What Tailscale doesn't replace

Public webhook endpoints. If your Hermes setup needs to receive webhooks from external services (Stripe, GitHub, a Telegram webhook subscription instead of polling), those services have to be able to reach Hermes from the public internet. Tailscale doesn't help with that. Either keep Nginx HTTPS on a separate port for the webhook receiver or use Cloudflare Tunnel just for those endpoints.

LumaDock VPS plus Tailscale

The LumaDock Hermes Agent template doesn't bundle Tailscale (every box-level firewall and identity layer is your choice) but the install above is two commands and works out of the box. Unmetered bandwidth on every plan, which matters because Tailscale's DERP relay fallback can move real data when NAT is hostile. No setup fees, instant deploy. Setup walkthrough in our Hermes Agent complete guide.

Frequent questions

Is Tailscale safer than Cloudflare Tunnel for Hermes Agent?

For internal-only access, yes. Tailscale traffic is end-to-end encrypted and only reachable by your authorised devices. Cloudflare Tunnel exposes the service to the public internet behind Cloudflare auth, which is more attack surface.
