# How to run Hermes Agent 24/7 on a VPS — Steven's Setup Guide

> Source: <https://gist.github.com/thothagent/0e581c97f527f0ae2dbdb78e946f81a6>
> Published: 2026-05-20 16:09:37+00:00

This guide is for anyone who wants to run Hermes Agent always-on without keeping their personal computer on. It's written for beginners — you don't need to know Linux or sysadmin work to get this working.

Hermes is an open-source AI agent from [Nous Research](https://github.com/NousResearch/hermes-agent). It runs on a server (or VPS), connects to your messaging apps (Telegram, Discord, etc.), and can execute tasks, browse the web, manage files, and more — 24 hours a day, 7 days a week.

The heavy AI processing happens via external API (OpenRouter, OpenAI, etc.) — the VPS just runs the coordinator.

A VPS (Virtual Private Server) means:

- **Your agent runs 24/7** — no need to keep your laptop on
- **You can access it from anywhere** — phone, tablet, any computer
- **It stays secure** — no exposed ports on your personal machine
- **It's cheap** — decent VPS plans start at ~$5/month

| Provider | Price | Best For | Setup Difficulty |
|---|---|---|---|
| Hetzner CX22 | ~$5/mo | Best price-to-performance | Medium (manual Docker) |
| Hostinger VPS | ~$5-9/mo intro | Beginners — one-click Hermes template | Very Easy |
| Oracle Free Tier | Free (if you can get it) | Max specs for zero cost | Medium-Hard |

**Hetzner CX22:**

- **Plan:** CX22, ~4.51 EUR/mo (~$4.80-5 USD)
- **Specs:** 2 vCPU, 4 GB RAM, 40 GB NVMe SSD
- **Why:** Consistently praised in the community. Reliable, stable pricing, good EU locations.
- **Con:** Manual Docker setup — not one-click, but straightforward.
- **Best for:** Cost-conscious users who want long-term reliability.

**Hostinger VPS:**

- **Plan:** KVM 1 or KVM 2 (intro pricing ~$5-9/mo, renews higher)
- **Why:** They have an **official one-click Docker template for Hermes Agent**. Fastest setup. Lots of YouTube tutorials.
- **Con:** Renewal pricing is higher than intro. Some mixed long-term feedback.
- **Best for:** First-time VPS users who want quick deployment without deep sysadmin work.

**Oracle Free Tier:**

- **Specs:** Up to 4 ARM vCPU + 24 GB RAM
- **Why:** Extremely powerful, completely free.
- **Con:** Often sold out for new accounts. ARM architecture (check compatibility). Account risk if you exceed limits.
- **Best for:** Users willing to try for the free tier or already have access.

- **Best value:** Hetzner CX22 — ~$5/mo
- **Easiest setup:** Hostinger — one-click Hermes template
- **Best free option:** Oracle Free (if you can get it)
- **Pre-built image:** Lightnode — ~$10/mo with Hermes-ready image

This is one of the most important setup decisions you'll make.

**Treat your VPS as its own operator — not an extension of your personal accounts.**

- Create a **separate email** for the VPS (e.g., vps-admin@[yourdomain].com)
- Create a **new GitHub account** or use a dedicated GitHub token scoped only to what the agent needs
- **Never give the VPS your personal GitHub credentials**
- Use scoped permissions — the agent should only have access to what it needs, not full read/write to everything

Why this matters:

- If the VPS is ever compromised, the damage is isolated
- You can rotate credentials without affecting your personal accounts
- It makes it clear who's doing what in your agent logs and Git history

Most tutorials and guides assume Ubuntu. Stick with the LTS (Long Term Support) version.

```
# On your local machine — generate an SSH key if you don't have one
ssh-keygen -t ed25519 -C "vps-hermes"

# Copy it to your VPS
ssh-copy-id -i ~/.ssh/id_ed25519.pub your_vps_ip

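# Then disable password authentication on the VPS
# (first confirm that key-based login as a non-root user works, or you will lock yourself out)
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no / PermitRootLogin no / PubkeyAuthentication yes
# On Ubuntu the OpenSSH service unit is named "ssh"
sudo systemctl restart ssh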
```
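A way to confirm the three settings actually took effect, as an added example that is not part of the original guide: on Ubuntu, drop-in files under `/etc/ssh/sshd_config.d/` are included at the top of `sshd_config` and the first value sshd reads wins, so an edit to the main file can be silently overridden. The sample outputs are constructed.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings, not just the file you edited.
# `sshd -T` prints the merged configuration (main file plus included drop-ins)
# as lowercase "keyword value" lines.

# Reads `sshd -T` output on stdin; prints one line per deviation.
# Returns 0 when all three settings from the guide are in effect, 1 otherwise.
audit_sshd() {
  awk '
    BEGIN {
      want["passwordauthentication"] = "no"
      want["permitrootlogin"]        = "no"
      want["pubkeyauthentication"]   = "yes"
    }
    ($1 in want) { seen[$1] = $2 }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen))            { printf "MISSING %s (want %s)\n", k, want[k]; bad = 1 }
        else if (seen[k] != want[k]) { printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad = 1 }
      }
      exit bad
    }'
}

# Constructed sample: a drop-in re-enabled passwords, overriding the manual edit.
sample_overridden() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'pubkeyauthentication yes' 'passwordauthentication yes'
}

# Constructed sample: all three settings effective.
sample_hardened() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'pubkeyauthentication yes' 'passwordauthentication no'
}

# On the VPS: sudo sshd -T | audit_sshd
```

Run it from a second terminal while your current SSH session stays open, so a bad setting can still be corrected.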

Never run your agent as root. Create a dedicated user:

```
# Create a new user
sudo adduser hermes
sudo usermod -aG sudo hermes

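# Switch to that user
su - hermes
```

```
# Enable UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp    # SSH
# 80/443 are only needed if you serve HTTP(S) directly from the VPS;
# skip both if you reach the agent through a tunnel (see below)
sudo ufw allow 80/tcp    # HTTP (for Let's Encrypt later)
sudo ufw allow 443/tcp   # HTTPS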
sudo ufw enable
```

Hostinger has an official one-click Docker template for Hermes. Use their control panel — search for "Hermes" in the templates/marketplace section and follow the wizard.

This dramatically reduces the setup complexity. You'll still need to configure environment variables (see below).

```
# Update the system
sudo apt update && sudo apt upgrade -y

# Install Docker
curl -fsSL https://get.docker.com | sh

# Add your user to the docker group
# (docker group membership is effectively root on the host; keep it to this one account)
sudo usermod -aG docker hermes

# Log out and back in for group to take effect
# Then verify
docker --version
```

```
# Clone the Hermes Agent repo
git clone https://github.com/NousResearch/hermes-agent.git
cd hermes-agent

# Copy the environment template
cp .env.example .env

# Edit the .env file with your settings
nano .env
```

Key environment variables:

```
# Telegram bot token (get from @BotFather on Telegram)
TELEGRAM_BOT_TOKEN=[REDACTED]

# Your OpenRouter or OpenAI API key (for AI processing)
OPENROUTER_API_KEY=[REDACTED]

# Admin Telegram ID (so only you can talk to it)
ADMIN_TELEGRAM_ID=[REDACTED]
```

```
# Start Hermes via Docker
docker compose up -d

# Check the logs
docker compose logs -f
```

**Never expose your VPS ports to the public internet.** Use a tunnel instead.

You already use Cloudflare for domains. This is the easiest secure path.

**How it works:** Your VPS makes an outbound connection to Cloudflare. Anyone wanting to access your agent goes through Cloudflare — no open ports on your VPS.

```
# Install cloudflared on your VPS
# (amd64 build; on an ARM VPS download cloudflared-linux-arm64 instead)
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/

# Authenticate (you'll need your Cloudflare API token)
cloudflared tunnel login

# Create a tunnel
cloudflared tunnel create hermes-agent

# Route it to your domain
cloudflared tunnel route dns hermes-agent your-domain.com

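# Run the tunnel
# (--token takes the token of a tunnel created in the Cloudflare dashboard;
#  a tunnel created with the commands above is run by name: cloudflared tunnel run hermes-agent)
cloudflared tunnel run --token [YOUR_TUNNEL_TOKEN]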
```

For the full Cloudflare Tunnel setup walkthrough, see the [official docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).

Tailscale creates a VPN mesh between your devices. Good if you want SSH access from anywhere plus web dashboard access.

```
# Install Tailscale on your VPS
curl -fsSL https://tailscale.com/install.sh | sh

# Connect (you'll get a one-click link from the Tailscale admin console)
sudo tailscale up --accept-routes
```

**Cloudflare Tunnel vs Tailscale:**

| | Cloudflare Tunnel | Tailscale |
|---|---|---|
| Best for | Web dashboards, HTTPS | Full SSH, any port/service |
| Setup | Easier | Slightly more complex |
| Encryption | Cloudflare terminates TLS | True end-to-end (WireGuard) |
| DDoS protection | Excellent (built-in) | None (you handle it) |
| Client needed? | No | Yes (on your devices) |

**Recommendation:** Start with Cloudflare Tunnel (you're already in the Cloudflare ecosystem). You can add Tailscale later if you want easier SSH access.
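Added example, not from the original guide: ports that Docker publishes are opened by Docker's own iptables rules, so UFW's default deny does not cover them. This check reads `docker ps` output and flags any port bound to all interfaces; the container names and port numbers in the samples are constructed, since the guide does not state which port Hermes listens on.

```shell
#!/bin/sh
# Added example: flag container ports published on every interface.
# Input is the output of:
#   docker ps --format '{{.Names}}\t{{.Ports}}'

# Reads that output on stdin; prints "container<TAB>binding" for each port
# bound to 0.0.0.0, :: or [::]. Returns 1 if any were found, 0 otherwise.
find_public_bindings() {
  awk -F '\t' '
    {
      n = split($2, parts, /, */)
      for (i = 1; i <= n; i++) {
        p = parts[i]
        if (p !~ /->/) continue          # exposed inside Docker only, not published
        if (p ~ /^(0\.0\.0\.0|::|\[::\]):/) { print $1 "\t" p; found = 1 }
      }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed sample: a compose file with ports: "8080:8080".
sample_public() {
  printf 'hermes-agent-1\t0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp\n'
  printf 'helper-1\t6379/tcp\n'
}

# Constructed sample: the same service published as "127.0.0.1:8080:8080",
# which a tunnel running on the VPS can still reach over loopback.
sample_loopback() {
  printf 'hermes-agent-1\t127.0.0.1:8080->8080/tcp\n'
  printf 'helper-1\t6379/tcp\n'
}

# On the VPS: docker ps --format '{{.Names}}\t{{.Ports}}' | find_public_bindings
```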

Once Hermes is running and your tunnel is active, you'll set up Telegram.

- Open Telegram and chat with **@BotFather**
- Send `/newbot`
- Follow the prompts — give it a name and username
- Copy the bot token — this goes in your `.env` file as `TELEGRAM_BOT_TOKEN`

With Cloudflare Tunnel running, your agent's web dashboard is accessible via your domain. You'll also receive messages in Telegram once the bot is connected.

Configure in your `.env`:

```
TELEGRAM_BOT_TOKEN=[your bot token from BotFather]
ADMIN_TELEGRAM_ID=[your Telegram user ID — get it from @userinfobot]
```

Your Telegram bot is public by default — anyone who finds the URL can message it. Use `ADMIN_TELEGRAM_ID` to restrict access so only you can control the agent. Combine with Cloudflare Tunnel so the dashboard isn't publicly indexed.

Once your VPS is set up, you'll access it via SSH:

```
# Standard SSH
ssh -i ~/.ssh/your_key.pem hermes@your_vps_ip

# With Tailscale (from anywhere, if connected to your tailnet)
ssh hermes@hostnamefromtailscale
```

Add this to your local `~/.ssh/config`:

```
Host vps-hermes
    HostName your_vps_ip
    User hermes
    IdentityFile ~/.ssh/your_key.pem
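    # Agent forwarding stays off: while forwarded, anything running on the VPS
    # could authenticate elsewhere with your personal SSH keys
    ForwardAgent no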
```

Then simply run: `ssh vps-hermes`

**MCP (Model Context Protocol)** is the recommended long-term access method — it's more token-efficient than SSHing in, and lets you connect to your Hermes agent from any computer without needing to maintain an SSH session.

Instead of opening an SSH tunnel and running commands live, MCP lets you make API calls to your running agent from any client that supports MCP (including code editors and other AI tools).

To set up MCP with your Hermes agent:

- **Enable the MCP server** in your Hermes configuration — this exposes a local MCP endpoint
- **Configure your MCP clients** (Claude Desktop, Cursor, Zed, etc.) to connect to your VPS's MCP endpoint
- **Authenticate** — use a scoped token so the connection is secure

This is the direction the Hermes community is moving. It's cleaner than SSH for most use cases, and it's what Devon uses for his production setup.

SSH is still the right choice for initial server setup, troubleshooting, and when you need direct terminal access. MCP is your ongoing interface.

Docker Compose handles restarts automatically, but add a watchdog for extra reliability:

```
# Install tmux to keep your session alive
sudo apt install tmux

# Create a named tmux session
tmux new -s hermes

# Run your docker compose inside
docker compose up -d

# Detach from tmux with Ctrl+B, then D
# Reattach later with: tmux attach -t hermes
```

A simple cron job that checks if Hermes is running and restarts it if not:

```
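# Make the script executable (cron cannot run it otherwise), then add it to your crontab
chmod +x /home/hermes/check_hermes.sh
crontab -e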

# Check every 5 minutes
*/5 * * * * /home/hermes/check_hermes.sh
```

Where `check_hermes.sh` contains:

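```bash
#!/bin/bash
# Restart the Compose stack if no running container matches "hermes-agent"
if ! docker ps | grep -q hermes-agent; then
    # Stop here if the project directory is missing, so compose never runs elsewhere
    cd /home/hermes/hermes-agent || exit 1
    docker compose up -d
    echo "$(date): Hermes restarted" >> /home/hermes/hermes.log
fi
```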

These are the minimum rules for keeping your VPS safe:

- **SSH keys only** — no password authentication
- **Non-root user** — run your agent as a regular user, not root
- **Cloudflare Tunnel or Tailscale** — no open ports on the VPS
- **ufw/firewall enabled** — only allow ports you explicitly need
- **Fail2ban** — prevents brute force attacks on SSH

```
# Install fail2ban
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
```

**Regular updates:**

```
# Weekly update script
sudo apt update && sudo apt upgrade -y
```

- **Scoped GitHub credentials** — the VPS agent has only the permissions it needs, nothing more
- **No credentials in public repos** — all tokens/keys go in `.env` or environment variables, never hardcoded
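One way to check the `.env` rule before starting the stack, as an added example that is not part of the original guide or the Hermes project: it verifies the file is readable by its owner only and that each variable you name is set to something other than a bracketed placeholder. Which variables are required is an assumption; pass only the keys your setup uses.

```shell
#!/bin/sh
# Added example: pre-flight check for the agent's .env file.

# check_env_file PATH KEY... -> prints one line per problem; returns 0 if none.
check_env_file() {
  f=$1; shift; rc=0
  [ -f "$f" ] || { echo "missing: $f"; return 1; }

  # A secrets file should be mode 600 (GNU stat first, BSD stat as fallback).
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || { echo "mode is $mode, want 600"; rc=1; }

  for key in "$@"; do
    # Take the last KEY=value line for this key.
    val=$(sed -n "s/^${key}=//p" "$f" | tail -n 1)
    case $val in
      '')    echo "$key is not set"; rc=1 ;;
      \[*\]) echo "$key still holds a [placeholder]"; rc=1 ;;
    esac
  done
  return $rc
}

# In the project directory:
#   check_env_file .env TELEGRAM_BOT_TOKEN OPENROUTER_API_KEY ADMIN_TELEGRAM_ID
```

If the mode check fails, `chmod 600 .env` fixes it.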

These are the durable practices that make running an always-on agent sustainable:

Think of yourself as the CEO. You define what needs to be done, then let the agent execute. Don't try to micromanage every step.

- Agents should leave evidence of what they did (comments, logs, saved files)
- If something fails, report what was accomplished before the failure — not just "it failed"
- Escalate to a human only for: architecture decisions, security issues, risky changes

- Work flows through issues/tasks, not just chat memory
- One task at a time, with clear completion criteria
- Improvements and lessons learned become issues, not just chat notes

Stable patterns get promoted:

- Repeated procedure — skill (automated)
- Lesson learned — documentation
- Decision made — decision log (with rationale)
- Evidence gathered — research file

- Route simple tasks to cheaper models
- Save the strongest models for tasks that actually need reasoning
- Track API costs — this is where the real spending is (not the VPS)

- [Hermes Agent GitHub](https://github.com/NousResearch/hermes-agent)
- [digitalknk/openclaw-runbook](https://github.com/digitalknk/openclaw-runbook) — community runbook (may need updating for latest Hermes)
- [Cloudflare Tunnel Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/)
- [Tailscale](https://tailscale.com/) — VPN mesh for secure access
- [Hetzner Cloud](https://www.hetzner.com/cloud/) — best price/performance VPS
- [Hostinger VPS](https://www.hostinger.com/vps-hosting) — easiest beginner setup with one-click Hermes

If something in this guide is outdated or unclear, open an issue on the [Hermes Agent repo](https://github.com/NousResearch/hermes-agent) or reach out to the community on Discord/Reddit.

*This guide is maintained by the Main Branch community. Last updated: 2026-05.*
