🌍 Exposing Your Hermes Agent to the Internet with Tailscale Funnel (Safely)

A developer demonstrated how to securely expose a local Hermes Agent to the internet using Tailscale Funnel, avoiding the need for port forwarding or renting a VPS. The Hermes Agent runs an OpenAI-compatible API server locally, and Tailscale Funnel provides a public HTTPS URL with TLS termination and access controls. The setup involves enabling the API server in Hermes, configuring an API key, and running a Tailscale Funnel command to expose the service.

Run your local Hermes Agent anywhere, then securely expose it to your backend without renting a VPS or configuring Nginx.

One of the coolest things about Hermes Agent is that it exposes an OpenAI-compatible API server. That means your backend, frontend, mobile app, or even another AI agent can communicate with Hermes exactly like it would communicate with OpenAI.

But there's one problem... Hermes usually runs on your local machine:

```
http://127.0.0.1:8642
```

That works great for local development. It doesn't work when:

So how do you expose it safely? The answer is Tailscale Funnel.

Most developers immediately think: "I'll just port forward." Please don't. Opening ports on your home network is usually a bad idea. Instead, Tailscale Funnel gives you:

Think of it as:

```
Your Computer
      │
      ▼
  Tailscale
      │
      ▼
Public HTTPS URL
```

Instead of exposing your machine directly to the internet, Tailscale securely publishes only the service you choose.

Here's what we're building.

```
Internet
    │
    ▼
https://my-machine.ts.net
    │
Tailscale Funnel
    │
    ▼
Hermes API Server 8642
    │
    ▼
Hermes Agent + Tools
```

Your backend simply calls the HTTPS endpoint. It never needs to know your local IP.

Hermes includes a built-in OpenAI-compatible API server. Open:

```
~/.hermes/.env
```

Add:

```
API_SERVER_ENABLED=true
API_SERVER_KEY=my-super-secret-key
API_SERVER_PORT=8642
API_SERVER_HOST=127.0.0.1
```

Let's understand each option.

Turns on the API server.
```
API_SERVER_ENABLED=true
```

Protects your API.

```
API_SERVER_KEY=super-secret-key
```

Every request must include:

```
Authorization: Bearer super-secret-key
```

Never leave this empty.

Default: `8642`. You can change it if another application is already using that port.

Normally: `127.0.0.1`. Keep it this way when using Tailscale Funnel. You do not need to bind Hermes to `0.0.0.0` just to use Funnel. Keeping it on localhost reduces unnecessary exposure.

Start the gateway.

```bash
hermes gateway
```

You should see something similar to:

```
API server listening on http://127.0.0.1:8642
```

Hermes is now running locally.

Before exposing anything, make sure Hermes works.

```bash
curl http://127.0.0.1:8642/v1/models \
  -H "Authorization: Bearer my-super-secret-key"
```

If everything is configured correctly, Hermes should return the available model information. Always test locally before exposing a service.

Install Tailscale on your machine.

Login:

```bash
tailscale login
```

Verify:

```bash
tailscale status
```

You should see your machine connected.

Now expose Hermes.

```bash
tailscale funnel 8642
```

Or on some setups:

```bash
tailscale funnel --bg 8642
```

Tailscale will generate something like:

```
https://my-computer.tailnet.ts.net
```

Now your local Hermes API is securely reachable over HTTPS. Tailscale terminates TLS for you and forwards requests to your local service.

Run:

```bash
tailscale funnel status
```

You should see your public HTTPS URL and the local service it's forwarding to.

Instead of calling:

```
http://localhost:8642
```

Use:

```
https://my-computer.tailnet.ts.net/v1
```

Example:

```js
const client = new OpenAI({
  apiKey: process.env.HERMES_API_KEY,
  baseURL: process.env.HERMES_URL
});
```

```
HERMES_URL=https://my-computer.tailnet.ts.net/v1
HERMES_API_KEY=my-super-secret-key
```

Nothing else changes. Because Hermes speaks the OpenAI API format, many existing OpenAI SDKs work by simply changing the `baseURL`.

```
Frontend
    │
    ▼
Backend
    │
    ▼
https://my-machine.tailnet.ts.net/v1
    │
    ▼
Tailscale Funnel
    │
    ▼
Hermes API Server
    │
    ▼
Hermes Agent
    │
    ▼
LLM Provider
```

Your backend doesn't need SSH.
It doesn't need VPN software. It simply makes HTTPS requests.

```js
import OpenAI from "openai";

// Point the standard OpenAI SDK at the Funnel URL instead of api.openai.com.
const client = new OpenAI({
  apiKey: process.env.HERMES_API_KEY,
  baseURL: process.env.HERMES_URL
});

const response = await client.chat.completions.create({
  model: "hermes-agent",
  messages: [
    { role: "user", content: "Summarize today's meeting." }
  ]
});

console.log(response.choices[0].message.content);
```

Notice that this looks almost identical to using the OpenAI SDK; the only difference is the `baseURL`.

```
Phone
  ↓
Backend
  ↓
Hermes at Home
```

Your phone can interact with your personal AI wherever you are.

```
Next.js
  ↓
Hermes
  ↓
Tools
  ↓
Terminal
```

Your website can delegate tasks to Hermes without hosting the agent in the cloud.

```
Slack
  ↓
Backend
  ↓
Hermes
```

The bot communicates with your local Hermes instance securely.

```
Flutter
  ↓
Backend
  ↓
Hermes
```

Perfect for testing AI features without deploying Hermes to a cloud VM.

Even though Funnel provides HTTPS, you should still secure your deployment.

```
API_SERVER_KEY=...
```

Never expose an unauthenticated API.

`.env`

```
HERMES_URL=...
HERMES_API_KEY=...
```

Avoid hardcoding secrets into your source code.

If you suspect a key has been exposed, generate a new one and update your backend.

Review Hermes and Tailscale logs periodically to understand how your service is being used.

Prefer `127.0.0.1` instead of `0.0.0.0` when using Funnel.

Instead of:

```js
apiKey: "abc123"
```

Use:

```js
apiKey: process.env.HERMES_API_KEY
```

If:

```bash
curl localhost:8642
```

doesn't work, Funnel won't fix it. Always verify the local service before troubleshooting networking.

Use authentication, monitor access, and update your software regularly.

One of the biggest advantages of Hermes is that it exposes a standard OpenAI-compatible API. That means you can build your backend once and point it at: with only a configuration change.

By combining Hermes with Tailscale Funnel, you can securely expose your local agent over HTTPS without managing reverse proxies or opening firewall ports.
For personal projects, prototypes, and even some production workflows, it's a simple and elegant way to make a local AI agent available anywhere while keeping your networking setup straightforward.

"The best infrastructure is often the one you don't have to think about."
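
The configuration rules from the setup steps (enable the server, never leave the key empty, keep the host on `127.0.0.1`) can be checked mechanically before running `tailscale funnel`. The JavaScript below is an added example, not code from the Hermes or Tailscale projects; the function names, the placeholder-key list and the 32-character minimum are assumptions, and the sample `.env` contents are constructed.

```javascript
// Added example: audit the API_SERVER_* settings before exposing Hermes.
// Function names, PLACEHOLDER_KEYS and MIN_KEY_LENGTH are assumptions.

// Parse KEY=VALUE lines; skips blanks and # comments, strips matching quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    env[line.slice(0, eq).trim()] = value;
  }
  return env;
}

// Keys printed in tutorials are public knowledge (values taken from the article).
const PLACEHOLDER_KEYS = new Set(["my-super-secret-key", "super-secret-key", "abc123"]);
const MIN_KEY_LENGTH = 32; // local policy chosen for this example
const LOOPBACK_HOSTS = ["127.0.0.1", "localhost", "::1"];

// Returns a list of findings; an empty list means the file passed every check.
function auditHermesEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  const key = env.API_SERVER_KEY || "";
  if (env.API_SERVER_ENABLED !== "true") findings.push("API_SERVER_ENABLED is not true");
  if (key === "") findings.push("API_SERVER_KEY is empty: API would be unauthenticated");
  else if (PLACEHOLDER_KEYS.has(key)) findings.push("API_SERVER_KEY is a tutorial placeholder");
  else if (key.length < MIN_KEY_LENGTH) findings.push("API_SERVER_KEY is too short");
  if (env.API_SERVER_HOST === undefined) findings.push("API_SERVER_HOST is not set explicitly");
  else if (!LOOPBACK_HOSTS.includes(env.API_SERVER_HOST))
    findings.push(`API_SERVER_HOST=${env.API_SERVER_HOST} is not loopback`);
  const port = Number(env.API_SERVER_PORT || "8642"); // 8642 is the article's default
  if (!Number.isInteger(port) || port < 1 || port > 65535) findings.push("API_SERVER_PORT is invalid");
  return findings;
}

// Constructed sample files (not real credentials).
const RISKY_ENV = `API_SERVER_ENABLED=true
API_SERVER_KEY=my-super-secret-key
API_SERVER_PORT=8642
API_SERVER_HOST=0.0.0.0`;
const SAFE_ENV = `# constructed example
API_SERVER_ENABLED=true
API_SERVER_KEY="constructed-example-key-0000000000000000"
API_SERVER_HOST=127.0.0.1`;

console.log(auditHermesEnv(RISKY_ENV));
console.log(auditHermesEnv(SAFE_ENV));
```

To use it on a real file, pass the contents of `~/.hermes/.env` to `auditHermesEnv` and only start Funnel when the returned list is empty.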