{"slug": "exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely", "title": "🌍 Exposing Your Hermes Agent to the Internet with Tailscale Funnel (Safely)", "summary": "A developer demonstrated how to securely expose a local Hermes Agent to the internet using Tailscale Funnel, avoiding the need for port forwarding or renting a VPS. The Hermes Agent runs an OpenAI-compatible API server locally, and Tailscale Funnel provides a public HTTPS URL with TLS termination and access controls. The setup involves enabling the API server in Hermes, configuring an API key, and running a Tailscale Funnel command to expose the service.", "body_md": "Run your local Hermes Agent anywhere, then securely expose it to your backend without renting a VPS or configuring Nginx.\n\nOne of the coolest things about **Hermes Agent** is that it exposes an **OpenAI-compatible API server**.\n\nThat means your backend, frontend, mobile app, or even another AI agent can communicate with Hermes exactly like it would communicate with OpenAI.\n\nBut there's one problem...\n\nHermes usually runs on your local machine:\n\n```\nhttp://127.0.0.1:8642\n```\n\nThat works great for local development.\n\nIt doesn't work when:\n\nSo how do you expose it safely?\n\nThe answer is **Tailscale Funnel**.\n\nMost developers immediately think:\n\n\"I'll just port forward.\"\n\nPlease don't.\n\nOpening ports on your home network is usually a bad idea.\n\nInstead, Tailscale Funnel gives you:\n\nThink of it as:\n\n```\nYour Computer\n      │\n      ▼\nTailscale\n      │\n      ▼\nPublic HTTPS URL\n```\n\nInstead of exposing your machine directly to the internet, Tailscale securely publishes only the service you choose.\n\nHere's what we're building.\n\n```\n                 Internet\n                     │\n                     ▼\n      https://my-machine.ts.net\n                     │\n             Tailscale Funnel\n                     │\n                     ▼\n        Hermes API Server (8642)\n                     │\n                     ▼\n          Hermes Agent + Tools\n```\n\nYour backend simply calls the HTTPS endpoint.\n\nIt never needs to know your local IP.\n\nHermes includes a built-in OpenAI-compatible API server.\n\nOpen:\n\n```\n~/.hermes/.env\n```\n\nAdd:\n\n```\nAPI_SERVER_ENABLED=true\n\nAPI_SERVER_KEY=my-super-secret-key\n\nAPI_SERVER_PORT=8642\n\nAPI_SERVER_HOST=127.0.0.1\n```\n\nLet's understand each option.\n\nTurns on the API server.\n\n```\nAPI_SERVER_ENABLED=true\n```\n\nProtects your API.\n\n```\nAPI_SERVER_KEY=super-secret-key\n```\n\nEvery request must include:\n\n```\nAuthorization: Bearer super-secret-key\n```\n\nNever leave this empty.\n\nDefault:\n\n```\n8642\n```\n\nYou can change it if another application is already using that port.\n\nNormally:\n\n```\n127.0.0.1\n```\n\nKeep it this way when using Tailscale Funnel.\n\nYou do **not** need to bind Hermes to `0.0.0.0`\n\njust to use Funnel. Keeping it on localhost reduces unnecessary exposure.\n\nStart the gateway.\n\n```\nhermes gateway\n```\n\nYou should see something similar to:\n\n```\nAPI server listening on\n\nhttp://127.0.0.1:8642\n```\n\nHermes is now running locally.\n\nBefore exposing anything, make sure Hermes works.\n\n```\ncurl http://127.0.0.1:8642/v1/models \\\n  -H \"Authorization: Bearer my-super-secret-key\"\n```\n\nIf everything is configured correctly, Hermes should return the available model information.\n\nAlways test locally before exposing a service.\n\nInstall Tailscale on your machine.\n\nLogin:\n\n```\ntailscale login\n```\n\nVerify:\n\n```\ntailscale status\n```\n\nYou should see your machine connected.\n\nNow expose Hermes.\n\n```\ntailscale funnel 8642\n```\n\nOr on some setups:\n\n```\ntailscale funnel --bg 8642\n```\n\nTailscale will generate something like:\n\n```\nhttps://my-computer.tailnet.ts.net\n```\n\nNow your local Hermes API is securely reachable over HTTPS. Tailscale terminates TLS for you and forwards requests to your local service.\n\nRun:\n\n```\ntailscale funnel status\n```\n\nYou should see your public HTTPS URL and the local service it's forwarding to.\n\nInstead of calling:\n\n```\nhttp://localhost:8642\n```\n\nUse:\n\n```\nhttps://my-computer.tailnet.ts.net/v1\n```\n\nExample:\n\n``` js\nconst client = new OpenAI({\n    apiKey: process.env.HERMES_API_KEY,\n    baseURL: process.env.HERMES_URL\n});\nHERMES_URL=https://my-computer.tailnet.ts.net/v1\n\nHERMES_API_KEY=my-super-secret-key\n```\n\nNothing else changes.\n\nBecause Hermes speaks the OpenAI API format, many existing OpenAI SDKs work by simply changing the `baseURL`\n\n.\n\n```\nFrontend\n\n      │\n\n      ▼\n\nBackend\n\n      │\n\n      ▼\n\nhttps://my-machine.tailnet.ts.net/v1\n\n      │\n\n      ▼\n\nTailscale Funnel\n\n      │\n\n      ▼\n\nHermes API Server\n\n      │\n\n      ▼\n\nHermes Agent\n\n      │\n\n      ▼\n\nLLM Provider\n```\n\nYour backend doesn't need SSH.\n\nIt doesn't need VPN software.\n\nIt simply makes HTTPS requests.\n\n``` python\nimport OpenAI from \"openai\";\n\nconst client = new OpenAI({\n    apiKey: process.env.HERMES_API_KEY,\n    baseURL: process.env.HERMES_URL\n});\n\nconst response = await client.chat.completions.create({\n    model: \"hermes-agent\",\n    messages: [\n        {\n            role: \"user\",\n            content: \"Summarize today's meeting.\"\n        }\n    ]\n});\n\nconsole.log(response.choices[0].message.content);\n```\n\nNotice that this looks almost identical to using the OpenAI SDK—the only difference is the `baseURL`\n\n.\n\n```\nPhone\n\n↓\n\nBackend\n\n↓\n\nHermes at Home\n```\n\nYour phone can interact with your personal AI wherever you are.\n\n```\nNext.js\n\n↓\n\nHermes\n\n↓\n\nTools\n\n↓\n\nTerminal\n```\n\nYour website can delegate tasks to Hermes without hosting the agent in the cloud.\n\n```\nSlack\n\n↓\n\nBackend\n\n↓\n\nHermes\n```\n\nThe bot communicates with your local Hermes instance securely.\n\n```\nFlutter\n\n↓\n\nBackend\n\n↓\n\nHermes\n```\n\nPerfect for testing AI features without deploying Hermes to a cloud VM.\n\nEven though Funnel provides HTTPS, you should still secure your deployment.\n\n```\nAPI_SERVER_KEY=...\n```\n\nNever expose an unauthenticated API.\n\n```\n.env\n\nHERMES_URL=...\n\nHERMES_API_KEY=...\n```\n\nAvoid hardcoding secrets into your source code.\n\nIf you suspect a key has been exposed, generate a new one and update your backend.\n\nReview Hermes and Tailscale logs periodically to understand how your service is being used.\n\nPrefer:\n\n```\n127.0.0.1\n```\n\ninstead of\n\n```\n0.0.0.0\n```\n\nwhen using Funnel.\n\nInstead of:\n\n```\napiKey: \"abc123\"\n```\n\nUse:\n\n```\napiKey: process.env.HERMES_API_KEY\n```\n\nIf:\n\n```\ncurl localhost:8642\n```\n\ndoesn't work,\n\nFunnel won't fix it.\n\nAlways verify the local service before troubleshooting networking.\n\nUse authentication, monitor access, and update your software regularly.\n\nOne of the biggest advantages of Hermes is that it exposes a standard **OpenAI-compatible API**.\n\nThat means you can build your backend once and point it at:\n\nwith only a configuration change.\n\nBy combining Hermes with **Tailscale Funnel**, you can securely expose your local agent over HTTPS without managing reverse proxies or opening firewall ports.\n\nFor personal projects, prototypes, and even some production workflows, it's a simple and elegant way to make a local AI agent available anywhere while keeping your networking setup straightforward.\n\n\"The best infrastructure is often the one you don't have to think about.\"", "url": "https://wpnews.pro/news/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely", "canonical_source": "https://dev.to/charan_gutti_cf60c6185074/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely-3m7h", "published_at": "2026-06-25 07:21:29+00:00", "updated_at": "2026-06-25 07:43:00.187440+00:00", "lang": "en", "topics": ["developer-tools", "ai-agents", "ai-infrastructure", "ai-products"], "entities": ["Hermes Agent", "Tailscale Funnel", "OpenAI", "Tailscale"], "alternates": {"html": "https://wpnews.pro/news/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely", "markdown": "https://wpnews.pro/news/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely.md", "text": "https://wpnews.pro/news/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely.txt", "jsonld": "https://wpnews.pro/news/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely.jsonld"}}