# 🌍 Exposing Your Hermes Agent to the Internet with Tailscale Funnel (Safely)

> Source: <https://dev.to/charan_gutti_cf60c6185074/exposing-your-hermes-agent-to-the-internet-with-tailscale-funnel-safely-3m7h>
> Published: 2026-06-25 07:21:29+00:00

Run your local Hermes Agent anywhere, then securely expose it to your backend without renting a VPS or configuring Nginx.

One of the coolest things about **Hermes Agent** is that it exposes an **OpenAI-compatible API server**.

That means your backend, frontend, mobile app, or even another AI agent can communicate with Hermes exactly like it would communicate with OpenAI.

But there's one problem...

Hermes usually runs on your local machine:

```
http://127.0.0.1:8642
```

That works great for local development.

It doesn't work when:

So how do you expose it safely?

The answer is **Tailscale Funnel**.

Most developers immediately think:

"I'll just port forward."

Please don't.

Opening ports on your home network is usually a bad idea.

Instead, Tailscale Funnel gives you:

Think of it as:

```
Your Computer
      │
      ▼
Tailscale
      │
      ▼
Public HTTPS URL
```

Instead of exposing your machine directly to the internet, Tailscale securely publishes only the service you choose.

Here's what we're building.

```
                 Internet
                     │
                     ▼
      https://my-machine.ts.net
                     │
             Tailscale Funnel
                     │
                     ▼
        Hermes API Server (8642)
                     │
                     ▼
          Hermes Agent + Tools
```

Your backend simply calls the HTTPS endpoint.

It never needs to know your local IP.

Hermes includes a built-in OpenAI-compatible API server.

Open:

```
~/.hermes/.env
```

Add:

```
API_SERVER_ENABLED=true

API_SERVER_KEY=my-super-secret-key

API_SERVER_PORT=8642

API_SERVER_HOST=127.0.0.1
```

Let's understand each option.

Turns on the API server.

```
API_SERVER_ENABLED=true
```

Protects your API.

```
API_SERVER_KEY=my-super-secret-key
```

Every request must include:

```
Authorization: Bearer my-super-secret-key
```

Never leave this empty.

Default:

```
8642
```

You can change it if another application is already using that port.

Normally:

```
127.0.0.1
```

Keep it this way when using Tailscale Funnel.

You do **not** need to bind Hermes to `0.0.0.0` just to use Funnel. Keeping it on localhost reduces unnecessary exposure.
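The settings above can be checked mechanically before anything is published. This is an added example, not code from the article or from Hermes: the key names are the article's, while `auditHermesEnv`, the placeholder list and the 32-character minimum are assumptions made for illustration.

```js
// Added example: audit Hermes API-server settings before enabling Funnel.
// PLACEHOLDERS and MIN_KEY_LENGTH are assumed policy, not Hermes requirements.
const PLACEHOLDERS = new Set(["my-super-secret-key", "super-secret-key", "abc123"]);
const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);
const MIN_KEY_LENGTH = 32;

// Minimal .env parser: KEY=VALUE lines, "#" comment lines, optional surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    env[line.slice(0, eq).trim()] = quoted ? quoted[2] : value;
  }
  return env;
}

function auditHermesEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  const key = env.API_SERVER_KEY || "";
  if (key === "") findings.push("KEY_EMPTY: no API key is set");
  else if (PLACEHOLDERS.has(key)) findings.push("KEY_PLACEHOLDER: value copied from a tutorial");
  else if (key.length < MIN_KEY_LENGTH) findings.push(`KEY_SHORT: ${key.length} < ${MIN_KEY_LENGTH} characters`);
  // An unset host is left alone: the article describes 127.0.0.1 as the normal value.
  const host = env.API_SERVER_HOST;
  if (host !== undefined && !LOOPBACK.has(host)) {
    findings.push(`HOST_NOT_LOOPBACK: ${host} listens on interfaces other than localhost`);
  }
  return findings;
}

// Constructed sample input: the article's example file, but with a wide bind address.
const SAMPLE_ENV = `
# ~/.hermes/.env (constructed)
API_SERVER_ENABLED=true
API_SERVER_KEY="my-super-secret-key"
API_SERVER_PORT=8642
API_SERVER_HOST=0.0.0.0
`;
console.log(auditHermesEnv(SAMPLE_ENV));
```

To audit a real file, pass the contents of `~/.hermes/.env` to `auditHermesEnv` and treat any finding as a reason not to start Funnel yet.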

Start the gateway.

```
hermes gateway
```

You should see something similar to:

```
API server listening on

http://127.0.0.1:8642
```

Hermes is now running locally.

Before exposing anything, make sure Hermes works.

```
curl http://127.0.0.1:8642/v1/models \
  -H "Authorization: Bearer my-super-secret-key"
```

If everything is configured correctly, Hermes should return the available model information.

Always test locally before exposing a service.

Install Tailscale on your machine.

Log in:

```
tailscale login
```

Verify:

```
tailscale status
```

You should see your machine connected.

Now expose Hermes.

```
tailscale funnel 8642
```

Or, to keep it running in the background:

```
tailscale funnel --bg 8642
```

Tailscale will generate something like:

```
https://my-computer.tailnet.ts.net
```

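Your local Hermes API is now reachable over HTTPS from the public internet. Tailscale terminates TLS for you and forwards requests to your local service. Funnel itself does not authenticate callers, so the API key is what restricts access.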

Run:

```
tailscale funnel status
```

You should see your public HTTPS URL and the local service it's forwarding to.
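Once the URL is live, it is worth confirming that it rejects requests that lack the key, not only that it answers. The probe below is an added example, not part of the original article: `probeAuth` and `classify` are hypothetical names, and it assumes an accepted request gets a 2xx status and a rejected one gets anything else.

```js
// Added example: confirm the bearer key is enforced at the public URL.
// Assumption: accepted requests return 2xx, rejected requests return any other status.
const ok = (status) => status >= 200 && status < 300;

// Pure decision logic, kept separate so it can be checked without a network.
function classify(statuses) {
  const problems = [];
  for (const name of ["noHeader", "emptyBearer", "wrongKey"]) {
    if (ok(statuses[name])) {
      problems.push(`${name}: accepted without a valid key (HTTP ${statuses[name]})`);
    }
  }
  if (!ok(statuses.validKey)) {
    problems.push(`validKey: rejected (HTTP ${statuses.validKey}), check URL and key`);
  }
  return problems;
}

// baseURL is the value used for HERMES_URL, ending in /v1.
async function probeAuth(baseURL, apiKey, fetchImpl = fetch) {
  const url = baseURL.replace(/\/+$/, "") + "/models";
  const status = async (headers) => (await fetchImpl(url, { headers })).status;
  const statuses = {
    noHeader: await status({}),
    emptyBearer: await status({ Authorization: "Bearer" }),
    wrongKey: await status({ Authorization: "Bearer not-the-real-key" }),
    validKey: await status({ Authorization: `Bearer ${apiKey}` }),
  };
  return { statuses, problems: classify(statuses) };
}

// Constructed stand-ins for the server so the example runs offline.
const enforcingServer = (key) => async (_url, { headers }) =>
  ({ status: headers.Authorization === `Bearer ${key}` ? 200 : 401 });
const openServer = () => async () => ({ status: 200 });

probeAuth("https://example.invalid/v1", "constructed-key", enforcingServer("constructed-key"))
  .then((r) => console.log("enforcing:", r.problems));
probeAuth("https://example.invalid/v1", "constructed-key", openServer())
  .then((r) => console.log("open:", r.problems));
```

Against your own deployment, call `probeAuth(process.env.HERMES_URL, process.env.HERMES_API_KEY)` with the default `fetch` (Node 18 or later); an empty `problems` array is the expected result.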

Instead of calling:

```
http://localhost:8642
```

Use:

```
https://my-computer.tailnet.ts.net/v1
```

Example:

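``` js
import OpenAI from "openai";

// Both values come from the environment; nothing is hardcoded.
const client = new OpenAI({
    apiKey: process.env.HERMES_API_KEY,
    baseURL: process.env.HERMES_URL
});
```

```
HERMES_URL=https://my-computer.tailnet.ts.net/v1

HERMES_API_KEY=my-super-secret-key
```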

Nothing else changes.

Because Hermes speaks the OpenAI API format, many existing OpenAI SDKs work by simply changing the `baseURL`.

```
Frontend
      │
      ▼
Backend
      │
      ▼
https://my-machine.tailnet.ts.net/v1
      │
      ▼
Tailscale Funnel
      │
      ▼
Hermes API Server
      │
      ▼
Hermes Agent
      │
      ▼
LLM Provider
```

Your backend doesn't need SSH.

It doesn't need VPN software.

It simply makes HTTPS requests.

``` js
import OpenAI from "openai";

const client = new OpenAI({
    apiKey: process.env.HERMES_API_KEY,
    baseURL: process.env.HERMES_URL
});

const response = await client.chat.completions.create({
    model: "hermes-agent",
    messages: [
        {
            role: "user",
            content: "Summarize today's meeting."
        }
    ]
});

console.log(response.choices[0].message.content);
```

Notice that this looks almost identical to using the OpenAI SDK; the only difference is the `baseURL`.

```
Phone
↓
Backend
↓
Hermes at Home
```

Your phone can interact with your personal AI wherever you are.

```
Next.js
↓
Hermes
↓
Tools
↓
Terminal
```

Your website can delegate tasks to Hermes without hosting the agent in the cloud.

```
Slack
↓
Backend
↓
Hermes
```

The bot communicates with your local Hermes instance securely.

```
Flutter
↓
Backend
↓
Hermes
```

Perfect for testing AI features without deploying Hermes to a cloud VM.

Even though Funnel provides HTTPS, you should still secure your deployment.

```
API_SERVER_KEY=...
```

Never expose an unauthenticated API.

```
.env

HERMES_URL=...

HERMES_API_KEY=...
```

Avoid hardcoding secrets into your source code.

If you suspect a key has been exposed, generate a new one and update your backend.

Review Hermes and Tailscale logs periodically to understand how your service is being used.

Prefer:

```
127.0.0.1
```

instead of

```
0.0.0.0
```

when using Funnel.

Instead of:

```
apiKey: "abc123"
```

Use:

```
apiKey: process.env.HERMES_API_KEY
```

If:

```
curl localhost:8642
```

doesn't work, Funnel won't fix it.

Always verify the local service before troubleshooting networking.

Use authentication, monitor access, and update your software regularly.

One of the biggest advantages of Hermes is that it exposes a standard **OpenAI-compatible API**.

That means you can build your backend once and point it at:

with only a configuration change.

By combining Hermes with **Tailscale Funnel**, you can securely expose your local agent over HTTPS without managing reverse proxies or opening firewall ports.

For personal projects, prototypes, and even some production workflows, it's a simple and elegant way to make a local AI agent available anywhere while keeping your networking setup straightforward.

"The best infrastructure is often the one you don't have to think about."
