DEV Community

🌐 Exposing Your Hermes Agent to the Internet with Tailscale Funnel (Safely)

Run your local Hermes Agent anywhere, then securely expose it to your backend without renting a VPS or configuring Nginx.

One of the coolest things about Hermes Agent is that it exposes an OpenAI-compatible API server. That means your backend, frontend, mobile app, or even another AI agent can communicate with Hermes exactly like it would communicate with OpenAI.

But there's one problem... Hermes usually runs on your local machine: http://127.0.0.1:8642. That works great for local development. It doesn't work when:

  • your backend is deployed on Vercel
  • your API lives on Railway
  • your frontend is hosted on Netlify
  • your mobile app needs to call Hermes
  • your teammate wants to use your agent

So how do you expose it safely? The answer is Tailscale Funnel.

🤔 What is Tailscale Funnel?

Most developers immediately think: "I'll just port forward." Please don't. Opening ports on your home network is usually a bad idea.

Instead, Tailscale Funnel gives you:

  • HTTPS
  • automatic certificates
  • encrypted traffic
  • secure networking
  • no reverse proxy setup
  • no VPS required

Think of it as:

Your Computer
    │
    ▼
Tailscale
    │
    ▼
Public HTTPS URL

Instead of exposing your machine directly to the internet, Tailscale securely publishes only the service you choose.

🏗 The Architecture

Here's what we're building.

Internet
    │
    ▼
https://my-machine.ts.net
    │
Tailscale Funnel
    │
    ▼
Hermes API Server (8642)
    │
    ▼
Hermes Agent + Tools

Your backend simply calls the HTTPS endpoint. It never needs to know your local IP.

📦 Step 1 - Enable the Hermes API Server

Hermes includes a built-in OpenAI-compatible API server. Open ~/.hermes/.env and add:

API_SERVER_ENABLED=true
API_SERVER_KEY=my-super-secret-key
API_SERVER_PORT=8642
API_SERVER_HOST=127.0.0.1

Let's understand each option.

  • API_SERVER_ENABLED - Turns on the API server: API_SERVER_ENABLED=true.
  • API_SERVER_KEY - Protects your API: API_SERVER_KEY=my-super-secret-key. Every request must include the header Authorization: Bearer my-super-secret-key. Never leave this empty.
  • API_SERVER_PORT - Default: 8642. You can change it if another application is already using that port.
  • API_SERVER_HOST - Normally 127.0.0.1. Keep it this way when using Tailscale Funnel. You do not need to bind Hermes to 0.0.0.0 just to use Funnel. Keeping it on localhost reduces unnecessary exposure.
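
A preflight check for the four settings above, as an added example (it is not part of Hermes or of the original post). It reads the env file and reports a missing, short or placeholder key and a non-loopback host; the 32-character minimum and the placeholder list are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a Hermes env file before publishing the port with Funnel.
# The 32-character minimum and the placeholder list are assumptions of this
# example, not Hermes requirements.

# env_get FILE KEY -> last value assigned to KEY, surrounding quotes stripped
env_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
    tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_hermes_env FILE -> one finding per line; returns 1 if there is any
check_hermes_env() {
  file=$1; rc=0
  enabled=$(env_get "$file" API_SERVER_ENABLED)
  key=$(env_get "$file" API_SERVER_KEY)
  host=$(env_get "$file" API_SERVER_HOST)

  [ "$enabled" = "true" ] || { echo "FAIL API_SERVER_ENABLED is not true"; rc=1; }

  case "$key" in
    "") echo "FAIL API_SERVER_KEY is empty"; rc=1 ;;
    my-super-secret-key|super-secret-key|abc123)
      echo "FAIL API_SERVER_KEY is a tutorial placeholder"; rc=1 ;;
    *) [ "${#key}" -ge 32 ] ||
         { echo "FAIL API_SERVER_KEY is shorter than 32 characters"; rc=1; } ;;
  esac

  case "$host" in
    127.0.0.1|localhost|::1) ;;
    "") echo "FAIL API_SERVER_HOST is not set explicitly"; rc=1 ;;
    *)  echo "FAIL API_SERVER_HOST=$host is not a loopback address"; rc=1 ;;
  esac
  return "$rc"
}

# Usage: check_hermes_env ~/.hermes/.env && tailscale funnel 8642
# Generate a replacement key with: openssl rand -hex 32
```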

🚀 Step 2 - Start Hermes

Start the gateway:

hermes gateway

You should see something similar to:

API server listening on http://127.0.0.1:8642

Hermes is now running locally.

🧪 Step 3 - Test the API Locally

Before exposing anything, make sure Hermes works.

curl http://127.0.0.1:8642/v1/models \
  -H "Authorization: Bearer my-super-secret-key"

If everything is configured correctly, Hermes should return the available model information. Always test locally before exposing a service.

🌐 Step 4 - Install Tailscale

Install Tailscale on your machine, then log in:

tailscale login

Verify:

tailscale status

You should see your machine connected.

🌐 Step 5 - Create a Funnel

Now expose Hermes.

tailscale funnel 8642

Or, to keep the funnel running in the background:

tailscale funnel --bg 8642

Tailscale will generate something like:

https://my-computer.tailnet.ts.net

Your local Hermes API is now reachable from the public internet over HTTPS. Tailscale terminates TLS for you and forwards requests to your local service, which leaves the API key from Step 1 as the only access control on the endpoint.

🔍 Verify the Funnel

Run:

tailscale funnel status

You should see your public HTTPS URL and the local service it's forwarding to.

🔗 Your Backend Can Now Use Hermes

Instead of calling http://localhost:8642, use https://my-computer.tailnet.ts.net/v1.

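Example:

import OpenAI from "openai";

// Both values come from the environment, never from source code.
const client = new OpenAI({
  apiKey: process.env.HERMES_API_KEY,
  baseURL: process.env.HERMES_URL
});

with these environment variables:

HERMES_URL=https://my-computer.tailnet.ts.net/v1
HERMES_API_KEY=my-super-secret-key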

Nothing else changes. Because Hermes speaks the OpenAI API format, many existing OpenAI SDKs work by simply changing the baseURL.

🧩 Complete Flow

Frontend
    │
    ▼
Backend
    │
    ▼
https://my-machine.tailnet.ts.net/v1
    │
    ▼
Tailscale Funnel
    │
    ▼
Hermes API Server
    │
    ▼
Hermes Agent
    │
    ▼
LLM Provider

Your backend doesn't need SSH. It doesn't need VPN software. It simply makes HTTPS requests.

💻 Example Backend

import OpenAI from "openai";

const client = new OpenAI({
  apiKey: process.env.HERMES_API_KEY,
  baseURL: process.env.HERMES_URL
});

const response = await client.chat.completions.create({
  model: "hermes-agent",
  messages: [
    { role: "user", content: "Summarize today's meeting." }
  ]
});

console.log(response.choices[0].message.content);

Notice that this looks almost identical to calling OpenAI itself through the SDK: the only difference is the baseURL.

🎯 Real-World Use Cases

Personal AI Assistant

Phone
    ↓
Backend
    ↓
Hermes at Home

Your phone can interact with your personal AI wherever you are.

Portfolio Website

Next.js
    ↓
Hermes
    ↓
Tools
    ↓
Terminal

Your website can delegate tasks to Hermes without hosting the agent in the cloud.

Slack or Discord Bot

Slack
    ↓
Backend
    ↓
Hermes

The bot communicates with your local Hermes instance securely.

Mobile App

Flutter
    ↓
Backend
    ↓
Hermes

Perfect for testing AI features without deploying Hermes to a cloud VM.

🔐 Security Best Practices

Even though Funnel provides HTTPS, you should still secure your deployment.

✅ Always require an API key - API_SERVER_KEY=.... Never expose an unauthenticated API.

✅ Store secrets in environment variables - .env with HERMES_URL=... and HERMES_API_KEY=.... Avoid hardcoding secrets into your source code.

✅ Rotate API keys - If you suspect a key has been exposed, generate a new one and update your backend.

✅ Monitor logs - Review Hermes and Tailscale logs periodically to understand how your service is being used.
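
One way to confirm that your own published endpoint really enforces the key, as an added example (not code from the original post or from Hermes). It reuses the post's HERMES_URL and HERMES_API_KEY variables and treats any 2xx answer to a request with no key or a wrong key as a failure; the function names are this example's own.

```shell
#!/bin/sh
# Added example: confirm the published endpoint rejects callers without the key.
# HERMES_URL (ending in /v1) and HERMES_API_KEY are the backend variables
# from the post; the function names are this example's own.

# http_code URL [TOKEN] -> HTTP status of GET URL/models ("000" if unreachable)
http_code() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -m 10 -w '%{http_code}' \
      -H "Authorization: Bearer $2" "$1/models"
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1/models"
  fi || true
}

# auth_verdict NOKEY BADKEY GOODKEY -> prints a verdict; returns 0 only when
# the two keyless/wrong-key requests were refused and the valid key worked
auth_verdict() {
  case "$1" in
    2??) echo "FAIL: request without a key was accepted ($1)"; return 1 ;;
  esac
  case "$2" in
    2??) echo "FAIL: request with a wrong key was accepted ($2)"; return 1 ;;
  esac
  case "$3" in
    2??) echo "OK: key enforced (no key=$1, wrong key=$2, valid key=$3)" ;;
    *)   echo "FAIL: valid key was not accepted ($3); check URL and key"
         return 1 ;;
  esac
}

# probe_funnel -> runs the three requests against $HERMES_URL
probe_funnel() {
  : "${HERMES_URL:?set HERMES_URL to your Funnel URL ending in /v1}"
  : "${HERMES_API_KEY:?set HERMES_API_KEY}"
  auth_verdict "$(http_code "$HERMES_URL")" \
               "$(http_code "$HERMES_URL" "wrong-$(date +%s)")" \
               "$(http_code "$HERMES_URL" "$HERMES_API_KEY")"
}

# Usage: export HERMES_URL=... HERMES_API_KEY=... ; probe_funnel
```

Running it after each key rotation also confirms that the old key no longer works if you pass the old value as the wrong-key token.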

🚀 Tips

  • Keep Hermes on localhost - Prefer 127.0.0.1 instead of 0.0.0.0 when using Funnel.
  • Use environment variables - Instead of apiKey: "abc123", use apiKey: process.env.HERMES_API_KEY.
  • Verify locally first - If curl localhost:8642 doesn't work, Funnel won't fix it. Always verify the local service before troubleshooting networking.
  • Treat Hermes like any production API - Use authentication, monitor access, and update your software regularly.

🎯 Final Thoughts

One of the biggest advantages of Hermes is that it exposes a standard OpenAI-compatible API. That means you can build your backend once and point it at:

  • OpenAI
  • OpenRouter
  • Ollama
  • LM Studio
  • Hermes Agent

with only a configuration change.

By combining Hermes with Tailscale Funnel, you can securely expose your local agent over HTTPS without managing reverse proxies or opening firewall ports. For personal projects, prototypes, and even some production workflows, it's a simple and elegant way to make a local AI agent available anywhere while keeping your networking setup straightforward.

"The best infrastructure is often the one you don't have to think about."
