This guide is for anyone who wants to run Hermes Agent always-on without keeping their personal computer on. It's written for beginners — you don't need to know Linux or sysadmin work to get this working.
Hermes is an open-source AI agent from Nous Research. It runs on a server (or VPS), connects to your messaging apps (Telegram, Discord, etc.), and can execute tasks, browse the web, manage files, and more — 24 hours a day, 7 days a week.
The heavy AI processing happens via external API (OpenRouter, OpenAI, etc.) — the VPS just runs the coordinator.
A VPS (Virtual Private Server) means:
- **Your agent runs 24/7** — no need to keep your laptop on
- **You can access it from anywhere** — phone, tablet, any computer
- **It stays secure** — no exposed ports on your personal machine
- **It's cheap** — decent VPS plans start at ~$5/month
| Provider | Price | Best For | Setup Difficulty |
|---|---|---|---|
| Hetzner CX22 | ~$5/mo | Best price-to-performance | Medium (manual Docker) |
| Hostinger VPS | ~$5-9/mo intro | Beginners — one-click Hermes template | Very Easy |
| Oracle Free Tier | Free (if you can get it) | Max specs for zero cost | Medium-Hard |
- **Plan:** CX22, 4.51 EUR/mo ($4.80-5 USD)
- **Specs:** 2 vCPU, 4 GB RAM, 40 GB NVMe SSD
- **Why:** Consistently praised in the community. Reliable, stable pricing, good EU locations.
- **Con:** Manual Docker setup — not one-click, but straightforward.
- **Best for:** Cost-conscious users who want long-term reliability.
- **Plan:** KVM 1 or KVM 2 (intro pricing ~$5-9/mo, renews higher)
- **Why:** They have an official one-click Docker template for Hermes Agent. Fastest setup. Lots of YouTube tutorials.
- **Con:** Renewal pricing is higher than intro. Some mixed long-term feedback.
- **Best for:** First-time VPS users who want quick deployment without deep sysadmin work.
- **Specs:** Up to 4 ARM vCPU + 24 GB RAM
- **Why:** Extremely powerful, completely free.
- **Con:** Often sold out for new accounts. ARM architecture (check compatibility). Account risk if you exceed limits.
- **Best for:** Users willing to try for the free tier or who already have access.
- **Best value:** Hetzner CX22 — ~$5/mo
- **Easiest setup:** Hostinger — one-click Hermes template
- **Best free option:** Oracle Free (if you can get it)
- **Pre-built image:** Lightnode — ~$10/mo with Hermes-ready image
This is one of the most important setup decisions you'll make.
Treat your VPS as its own operator — not an extension of your personal accounts.
- Create a separate email for the VPS (e.g., vps-admin@[yourdomain].com)
- Create a new GitHub account or use a dedicated GitHub token scoped only to what the agent needs
- **Never give the VPS your personal GitHub credentials**
- Use scoped permissions — the agent should only have access to what it needs, not full read/write to everything
Why this matters:
- If the VPS is ever compromised, the damage is isolated
- You can rotate credentials without affecting your personal accounts
- It makes it clear who's doing what in your agent logs and Git history
Most tutorials and guides assume Ubuntu. Stick with the LTS (Long Term Support) version.
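```bash
# On your own computer: create a key pair and install the public key on the VPS
ssh-keygen -t ed25519 -C "vps-hermes"
ssh-copy-id -i ~/.ssh/id_ed25519.pub your_vps_ip
# On the VPS: set "PasswordAuthentication no" so only keys are accepted, then restart
# (keep this session open and confirm key login from a second terminal first)
sudo nano /etc/ssh/sshd_config
sudo systemctl restart sshd
```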
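Editing `sshd_config` does not guarantee the running daemon is key-only, because drop-in files under `/etc/ssh/sshd_config.d/` can override the main file. The check below is an added example (not part of the original guide or of Hermes): it reads output in the format of `sshd -T`, which prints the effective settings. The sample input is constructed and the function name is illustrative.

```shell
#!/usr/bin/env bash
# Added example: check the effective sshd settings for the "SSH keys only" rule.

audit_sshd() {
    # stdin: text in `sshd -T` format (lowercase "keyword value" per line).
    # Prints one line per violation; returns 1 if any setting is wrong or missing.
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"   # PAM password prompts
            want["pubkeyauthentication"] = "yes"
        }
        # Older OpenSSH releases print the previous name of the same option.
        $1 == "challengeresponseauthentication" { $1 = "kbdinteractiveauthentication" }
        ($1 in want) { seen[$1] = $2 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s (want %s)\n", k, want[k]; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample (not from a real host): the main file was edited, but a
# drop-in under /etc/ssh/sshd_config.d/ still turns password logins on.
SAMPLE_SSHD_T='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# On the VPS, feed it the real thing:  sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd || echo "sshd is not key-only yet"
```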
Never run your agent as root. Create a dedicated user:
```bash
sudo adduser hermes
sudo usermod -aG sudo hermes
su - hermes
```
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH
sudo ufw allow 80/tcp   # HTTP (for Let's Encrypt later)
sudo ufw allow 443/tcp  # HTTPS
sudo ufw enable
```
Hostinger has an official one-click Docker template for Hermes. Use their control panel — search for "Hermes" in the templates/marketplace section and follow the wizard.
This dramatically reduces the setup complexity. You'll still need to configure environment variables (see below).
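```bash
# Update the system, then install Docker with its convenience script
sudo apt update && sudo apt upgrade -y
curl -fsSL https://get.docker.com | sh
# Docker group membership is root-equivalent on this host; log out and back in for it to apply
sudo usermod -aG docker hermes
docker --version
# Fetch Hermes and create your local configuration file
git clone https://github.com/NousResearch/hermes-agent.git
cd hermes-agent
cp .env.example .env
nano .env
```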
Key environment variables:
```bash
TELEGRAM_BOT_TOKEN=[REDACTED]
OPENROUTER_API_KEY=[REDACTED]
ADMIN_TELEGRAM_ID=[REDACTED]
```
```bash
docker compose up -d
docker compose logs -f
```
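Since every secret in this setup lives in `.env`, it is worth checking that file before starting the stack. The script below is an added example, not part of Hermes: it checks that the file is readable only by its owner, that Git ignores it, and that the three variables named above are filled in. The function name and the demo values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-start check of the .env file used in this guide.

check_env() {
    # $1: path to .env. Prints one line per problem; returns 1 if any were found.
    f=$1; rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Characters 5-10 of the `ls -l` mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: readable beyond the owner, run chmod 600 $f"; rc=1
    fi
    # Inside a Git work tree the file must be ignored so it is never committed.
    d=$(dirname "$f")
    if git -C "$d" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$d" check-ignore -q "$(basename "$f")"; then
        echo "git: $f is not ignored"; rc=1
    fi
    for key in TELEGRAM_BOT_TOKEN OPENROUTER_API_KEY ADMIN_TELEGRAM_ID; do
        val=$(sed -n "s/^$key=//p" "$f" | tail -n 1)
        case $val in
            ''|\[*) echo "unset: $key is empty or still a placeholder"; rc=1 ;;
        esac
    done
    # Telegram user IDs are numeric; anything else cannot match the admin.
    case $(sed -n 's/^ADMIN_TELEGRAM_ID=//p' "$f" | tail -n 1) in
        ''|\[*) ;;   # already reported by the loop above
        *[!0-9]*) echo "format: ADMIN_TELEGRAM_ID is not a numeric ID"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo file: world-readable, with one value left as a placeholder.
demo=$(mktemp -d)
printf '%s\n' 'TELEGRAM_BOT_TOKEN=[REDACTED]' 'OPENROUTER_API_KEY=constructed-key' \
    'ADMIN_TELEGRAM_ID=123456789' > "$demo/.env"
chmod 644 "$demo/.env"
check_env "$demo/.env" || echo "fix the items above before starting the stack"
rm -rf "$demo"
```

On the VPS, run it as `check_env /home/hermes/hermes-agent/.env`.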
Never expose your VPS ports to the public internet. Use a tunnel instead.
You already use Cloudflare for domains. This is the easiest secure path.
How it works: Your VPS makes an outbound connection to Cloudflare. Anyone wanting to access your agent goes through Cloudflare — no open ports on your VPS.
```bash
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/
cloudflared tunnel login
cloudflared tunnel create hermes-agent
cloudflared tunnel route dns hermes-agent your-domain.com
cloudflared tunnel run --token [YOUR_TUNNEL_TOKEN]
```
For the full Cloudflare Tunnel setup walkthrough, see the official docs.
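With the tunnel in place, nothing except SSH needs to listen on a public address, and Docker publishes container ports through its own iptables rules, so a published port can be reachable even when ufw denies incoming traffic. The check below is an added example, not part of the original guide: it reads `ss -H -tln` output and lists ports bound to a non-loopback address. The sample input is constructed, and port 3000 is a hypothetical stand-in for a dashboard port.

```shell
#!/usr/bin/env bash
# Added example: list TCP ports that listen on a non-loopback address.

public_ports() {
    # stdin: output of `ss -H -tln`; $1: space-separated ports allowed to be public.
    # Prints each other port bound to a non-loopback address, one per line.
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)     # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (!(port in ok)) print port
        }' | sort -n -u
}

# Constructed sample of `ss -H -tln` output. Port 3000 stands in for a
# hypothetical dashboard port published by Docker on all interfaces.
SAMPLE_SS='LISTEN 0 4096       0.0.0.0:22    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 4096     127.0.0.1:8080  0.0.0.0:*
LISTEN 0 4096       0.0.0.0:3000  0.0.0.0:*
LISTEN 0 4096          [::]:22       [::]:*
LISTEN 0 4096          [::]:3000     [::]:*'

# On the VPS:  ss -H -tln | public_ports "22"
exposed=$(printf '%s\n' "$SAMPLE_SS" | public_ports "22")
[ -z "$exposed" ] || echo "listening beyond loopback: $exposed"
```

Any port it reports should be rebound to `127.0.0.1`, where `cloudflared` can still reach it locally.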
Tailscale creates a VPN mesh between your devices. Good if you want SSH access from anywhere plus web dashboard access.
```bash
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --accept-routes
```
Cloudflare Tunnel vs Tailscale:
| | Cloudflare Tunnel | Tailscale |
|---|---|---|
| Best for | Web dashboards, HTTPS | Full SSH, any port/service |
| Setup | Easier | Slightly more complex |
| Encryption | Cloudflare terminates TLS | True end-to-end (WireGuard) |
| DDoS protection | Excellent (built-in) | None (you handle it) |
| Client needed? | No | Yes (on your devices) |
Recommendation: Start with Cloudflare Tunnel (you're already in the Cloudflare ecosystem). You can add Tailscale later if you want easier SSH access.
Once Hermes is running and your tunnel is active, you'll set up Telegram.
- Open Telegram and chat with @BotFather
- Send `/newbot`
- Follow the prompts — give it a name and username
- Copy the bot token — this goes in your `.env` file as `TELEGRAM_BOT_TOKEN`
With Cloudflare Tunnel running, your agent's web dashboard is accessible via your domain. You'll also receive messages in Telegram once the bot is connected.
Configure in your `.env`:

```bash
TELEGRAM_BOT_TOKEN=[your bot token from BotFather]
ADMIN_TELEGRAM_ID=[your Telegram user ID — get it from @userinfobot]
```
Your Telegram bot is public by default — anyone who finds the URL can message it. Use `ADMIN_TELEGRAM_ID` to restrict access so only you can control the agent. Combine with Cloudflare Tunnel so the dashboard isn't publicly indexed.
Once your VPS is set up, you'll access it via SSH:
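```bash
# Directly, with your key file
ssh -i ~/.ssh/your_key.pem hermes@your_vps_ip
# Or over Tailscale, using the machine's Tailscale hostname
ssh hermes@hostnamefromtailscale
```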
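Add this to your local `~/.ssh/config`:

```
Host vps-hermes
    HostName your_vps_ip
    User hermes
    IdentityFile ~/.ssh/your_key.pem
    # Agent forwarding would let processes on the VPS use your local SSH keys,
    # which defeats keeping the VPS identity separate, so leave it off.
    ForwardAgent no
```

Then simply run: `ssh vps-hermes`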
MCP (Model Context Protocol) is the recommended long-term access method — it's more token-efficient than SSHing in, and lets you connect to your Hermes agent from any computer without needing to maintain an SSH session.
Instead of opening an SSH tunnel and running commands live, MCP lets you make API calls to your running agent from any client that supports MCP (including code editors and other AI tools).
To set up MCP with your Hermes agent:
- **Enable the MCP server** in your Hermes configuration — this exposes a local MCP endpoint
- **Configure your MCP clients** (Claude Desktop, Cursor, Zed, etc.) to connect to your VPS's MCP endpoint
- **Authenticate** — use a scoped token so the connection is secure
This is the direction the Hermes community is moving. It's cleaner than SSH for most use cases, and it's what Devon uses for his production setup.
SSH is still the right choice for initial server setup, troubleshooting, and when you need direct terminal access. MCP is your ongoing interface.
Docker Compose handles restarts automatically, but add a watchdog for extra reliability:
```bash
sudo apt install tmux
tmux new -s hermes
docker compose up -d
```
A simple cron job that checks if Hermes is running and restarts it if not:
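```bash
crontab -e
# Add this line to run the check every 5 minutes:
*/5 * * * * /home/hermes/check_hermes.sh
```

Where `check_hermes.sh` contains:

```bash
#!/bin/bash
# Restart Hermes if no running container matches "hermes-agent".
if ! docker ps | grep -q hermes-agent; then
    # Stop here if the project directory is missing, rather than running compose elsewhere.
    cd /home/hermes/hermes-agent || exit 1
    docker compose up -d
    echo "$(date): Hermes restarted" >> /home/hermes/hermes.log
fi
```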
These are the minimum rules for keeping your VPS safe:
- **SSH keys only** — no password authentication
- **Non-root user** — run your agent as a regular user, not root
- **Cloudflare Tunnel or Tailscale** — no open ports on the VPS
- **ufw/firewall enabled** — only allow ports you explicitly need
- **Fail2ban** — prevents brute force attacks on SSH

```bash
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

- **Regular updates:**

```bash
sudo apt update && sudo apt upgrade -y
```

- **Scoped GitHub credentials** — the VPS agent has only the permissions it needs, nothing more
- **No credentials in public repos** — all tokens/keys go in `.env` or environment variables, never hardcoded
These are the durable practices that make running an always-on agent sustainable:
Think of yourself as the CEO. You define what needs to be done, then let the agent execute. Don't try to micromanage every step.
- Agents should leave evidence of what they did (comments, logs, saved files)
- If something fails, report what was accomplished before the failure — not just "it failed"
- Escalate to a human only for: architecture decisions, security issues, risky changes
- Work flows through issues/tasks, not just chat memory
- One task at a time, with clear completion criteria
- Improvements and lessons learned become issues, not just chat notes
Stable patterns get promoted:
- Repeated procedure — skill (automated)
- Lesson learned — documentation
- Decision made — decision log (with rationale)
- Evidence gathered — research file

- Route simple tasks to cheaper models
- Save the strongest models for tasks that actually need reasoning
- Track API costs — this is where the real spending is (not the VPS)
- Hermes Agent GitHub
- digitalknk/openclaw-runbook — community runbook (may need updating for latest Hermes)
- Cloudflare Tunnel Docs
- Tailscale — VPN mesh for secure access
- Hetzner Cloud — best price/performance VPS
- Hostinger VPS — easiest beginner setup with one-click Hermes
If something in this guide is outdated or unclear, open an issue on the Hermes Agent repo or reach out to the community on Discord/Reddit.
This guide is maintained by the Main Branch community. Last updated: 2026-05.