How to run Hermes Agent 24/7 on a VPS — Steven's Setup Guide

A developer has published a step-by-step guide for running the open-source Hermes Agent AI assistant 24/7 on a virtual private server (VPS) for as little as $5 per month. The setup, which connects the agent to messaging apps like Telegram and Discord for continuous task execution, requires no prior Linux or sysadmin experience and relies on external APIs for heavy AI processing. The guide recommends using a dedicated VPS with separate credentials and SSH key authentication to isolate security risks from personal accounts.

This guide is for anyone who wants to run Hermes Agent always-on without keeping their personal computer on. It's written for beginners — you don't need to know Linux or sysadmin work to get this working.

Hermes is an open-source AI agent from [Nous Research](https://github.com/NousResearch/hermes-agent). It runs on a server (or VPS), connects to your messaging apps (Telegram, Discord, etc.), and can execute tasks, browse the web, manage files, and more — 24 hours a day, 7 days a week. The heavy AI processing happens via external API (OpenRouter, OpenAI, etc.) — the VPS just runs the coordinator.

A VPS (Virtual Private Server) means:

- Your agent runs 24/7 — no need to keep your laptop on
- You can access it from anywhere — phone, tablet, any computer
- It stays secure — no exposed ports on your personal machine
- It's cheap — decent VPS plans start at ~$5/month

| Provider | Price | Best For | Setup Difficulty |
|---|---|---|---|
| Hetzner CX22 | ~$5/mo | Best price-to-performance | Medium (manual Docker) |
| Hostinger VPS | ~$5-9/mo intro | Beginners — one-click Hermes template | Very Easy |
| Oracle Free Tier | Free (if you can get it) | Max specs for zero cost | Medium-Hard |

- Plan: CX22 (~4.51 EUR/mo, ~$4.80-5 USD)
- Specs: 2 vCPU, 4 GB RAM, 40 GB NVMe SSD
- Why: Consistently praised in the community. Reliable, stable pricing, good EU locations.
- Con: Manual Docker setup — not one-click, but straightforward.
- Best for: Cost-conscious users who want long-term reliability.

- Plan: KVM 1 or KVM 2 (intro pricing ~$5-9/mo, renews higher)
- Why: They have an official one-click Docker template for Hermes Agent. Fastest setup. Lots of YouTube tutorials.
- Con: Renewal pricing is higher than intro. Some mixed long-term feedback.
- Best for: First-time VPS users who want quick deployment without deep sysadmin work.

- Specs: Up to 4 ARM vCPU + 24 GB RAM
- Why: Extremely powerful, completely free.
- Con: Often sold out for new accounts. ARM architecture (check compatibility). Account risk if you exceed limits.
- Best for: Users willing to try for the free tier or already have access.

- Best value: Hetzner CX22 — ~$5/mo
- Easiest setup: Hostinger — one-click Hermes template
- Best free option: Oracle Free (if you can get it)
- Pre-built image: Lightnode — ~$10/mo with Hermes-ready image

This is one of the most important setup decisions you'll make. Treat your VPS as its own operator — not an extension of your personal accounts.

- Create a separate email for the VPS (e.g., vps-admin@yourdomain.com)
- Create a new GitHub account (or use a dedicated GitHub token scoped only to what the agent needs). Never give the VPS your personal GitHub credentials.
- Use scoped permissions — the agent should only have access to what it needs, not full read/write to everything

Why this matters:

- If the VPS is ever compromised, the damage is isolated
- You can rotate credentials without affecting your personal accounts
- It makes it clear who's doing what in your agent logs and Git history

Most tutorials and guides assume Ubuntu. Stick with the LTS (Long Term Support) version.
```bash
# On your local machine — generate an SSH key if you don't have one
ssh-keygen -t ed25519 -C "vps-hermes"

# Copy it to your VPS
ssh-copy-id -i ~/.ssh/id_ed25519.pub your_vps_ip

# Then disable password authentication on the VPS
sudo nano /etc/ssh/sshd_config
# Set: PasswordAuthentication no / PermitRootLogin no / PubkeyAuthentication yes
sudo systemctl restart sshd
```

Never run your agent as root. Create a dedicated user:

```bash
# Create a new user
sudo adduser hermes
sudo usermod -aG sudo hermes

# Switch to that user
su - hermes
```

```bash
# Enable UFW (Uncomplicated Firewall)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp    # SSH
sudo ufw allow 80/tcp    # HTTP (for Let's Encrypt later)
sudo ufw allow 443/tcp   # HTTPS
sudo ufw enable
```

Hostinger has an official one-click Docker template for Hermes. Use their control panel — search for "Hermes" in the templates/marketplace section and follow the wizard. This dramatically reduces the setup complexity. You'll still need to configure environment variables (see below).

```bash
# Update the system
sudo apt update && sudo apt upgrade -y

# Install Docker
curl -fsSL https://get.docker.com | sh

# Add your user to the docker group
# (members of this group control the Docker daemon, which runs as root)
sudo usermod -aG docker hermes

# Log out and back in for group to take effect
# Then verify
docker --version
```

```bash
# Clone the Hermes Agent repo
git clone https://github.com/NousResearch/hermes-agent.git
cd hermes-agent

# Copy the environment template
cp .env.example .env

# Edit the .env file with your settings
nano .env
```

Key environment variables:

```bash
# Telegram bot token (get from @BotFather on Telegram)
TELEGRAM_BOT_TOKEN=REDACTED

# Your OpenRouter or OpenAI API key (for AI processing)
OPENROUTER_API_KEY=REDACTED

# Admin Telegram ID (so only you can talk to it)
ADMIN_TELEGRAM_ID=REDACTED
```

```bash
# Start Hermes via Docker
docker compose up -d

# Check the logs
docker compose logs -f
```

Never expose your VPS ports to the public internet. Use a tunnel instead.

You already use Cloudflare for domains. This is the easiest secure path.
How it works: Your VPS makes an outbound connection to Cloudflare. Anyone wanting to access your agent goes through Cloudflare — no open ports on your VPS.

```bash
# Install cloudflared on your VPS
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o cloudflared
chmod +x cloudflared
sudo mv cloudflared /usr/local/bin/

# Authenticate (you'll need your Cloudflare API token)
cloudflared tunnel login

# Create a tunnel
cloudflared tunnel create hermes-agent

# Route it to your domain
cloudflared tunnel route dns hermes-agent your-domain.com

# Run the tunnel
cloudflared tunnel run --token YOUR_TUNNEL_TOKEN
```

For the full Cloudflare Tunnel setup walkthrough, see the [official docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/).

Tailscale creates a VPN mesh between your devices. Good if you want SSH access from anywhere plus web dashboard access.

```bash
# Install Tailscale on your VPS
curl -fsSL https://tailscale.com/install.sh | sh

# Connect (you'll get a one-click link from the Tailscale admin console)
sudo tailscale up --accept-routes
```

Cloudflare Tunnel vs Tailscale:

| | Cloudflare Tunnel | Tailscale |
|---|---|---|
| Best for | Web dashboards, HTTPS | Full SSH, any port/service |
| Setup | Easier | Slightly more complex |
| Encryption | Cloudflare terminates TLS | True end-to-end WireGuard |
| DDoS protection | Excellent built-in | None (you handle it) |
| Client needed? | No | Yes (on your devices) |

Recommendation: Start with Cloudflare Tunnel (you're already in the Cloudflare ecosystem). You can add Tailscale later if you want easier SSH access.

Once Hermes is running and your tunnel is active, you'll set up Telegram.

- Open Telegram and chat with @BotFather
- Send /newbot
- Follow the prompts — give it a name and username
- Copy the bot token — this goes in your .env file as TELEGRAM_BOT_TOKEN

With Cloudflare Tunnel running, your agent's web dashboard is accessible via your domain.
You'll also receive messages in Telegram once the bot is connected.

Configure in your `.env`:

```bash
TELEGRAM_BOT_TOKEN=<your bot token from BotFather>
ADMIN_TELEGRAM_ID=<your Telegram user ID — get it from @userinfobot>
```

Your Telegram bot is public by default — anyone who finds the URL can message it. Use ADMIN_TELEGRAM_ID to restrict access so only you can control the agent. Combine with Cloudflare Tunnel so the dashboard isn't publicly indexed.

Once your VPS is set up, you'll access it via SSH:

```bash
# Standard SSH
ssh -i ~/.ssh/your_key.pem hermes@your_vps_ip

# With Tailscale (from anywhere, if connected to your tailnet)
ssh hermes@hostnamefromtailscale
```

Add this to your local `~/.ssh/config`:

```
Host vps-hermes
    HostName your_vps_ip
    User hermes
    IdentityFile ~/.ssh/your_key.pem
    ForwardAgent yes
```

Then simply run:

```bash
ssh vps-hermes
```

Note that `ForwardAgent yes` lets processes on the VPS use the keys held in your local SSH agent for as long as you are connected. Leave that line out unless you need agent forwarding, so the VPS stays isolated from your personal credentials.

MCP (Model Context Protocol) is the recommended long-term access method — it's more token-efficient than SSHing in, and lets you connect to your Hermes agent from any computer without needing to maintain an SSH session.

Instead of opening an SSH tunnel and running commands live, MCP lets you make API calls to your running agent from any client that supports MCP (including code editors and other AI tools).

To set up MCP with your Hermes agent:

1. Enable the MCP server in your Hermes configuration — this exposes a local MCP endpoint
2. Configure your MCP clients (Claude Desktop, Cursor, Zed, etc.) to connect to your VPS's MCP endpoint
3. Authenticate — use a scoped token so the connection is secure

This is the direction the Hermes community is moving. It's cleaner than SSH for most use cases, and it's what Devon uses for his production setup.

SSH is still the right choice for initial server setup, troubleshooting, and when you need direct terminal access. MCP is your ongoing interface.
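To confirm that the three sshd settings from the hardening step are really in effect, audit the output of `sshd -T` (the effective configuration) rather than the file you edited: sshd keeps the first value it reads for each keyword, and on Ubuntu `/etc/ssh/sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` near the top, so a drop-in there can override your edit. The script below is an added example, not part of the original guide or the Hermes project; the function name `audit_sshd` and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare effective sshd settings with the values this guide sets.
# Input format is that of `sshd -T`: one "keyword value" pair per line.

# Expected values, taken from the guide's SSH hardening step.
EXPECTED="passwordauthentication=no permitrootlogin=no pubkeyauthentication=yes"

# audit_sshd: read effective config on stdin, print one line per deviation,
# return 0 when all three settings match and 1 otherwise.
audit_sshd() {
  local cfg pair key want got rc
  rc=0
  cfg=$(tr '[:upper:]' '[:lower:]')   # sshd -T prints lowercase; normalise anyway
  for pair in $EXPECTED; do
    key=${pair%%=*}
    want=${pair#*=}
    # First occurrence of the keyword, which is the one sshd honours.
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: effective='${got:-unset}' expected='$want'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: effective config on a host where a drop-in file still
# enables passwords even though sshd_config itself was edited.
SAMPLE_EFFECTIVE='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes'

if [ "${1:-}" = "--live" ]; then
  # On the VPS: audit the running host's effective configuration.
  sudo sshd -T | audit_sshd && echo "sshd hardening OK"
else
  # Offline demo against the constructed sample above.
  printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd || true
fi
```

Run the script with `--live` on the VPS after restarting sshd, and keep your current SSH session open until it reports no failures.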
Docker Compose handles restarts automatically, but add a watchdog for extra reliability:

```bash
# Install tmux to keep your session alive
sudo apt install tmux

# Create a named tmux session
tmux new -s hermes

# Run your docker compose inside
docker compose up -d

# Detach from tmux with Ctrl+B, then D
# Reattach later with: tmux attach -t hermes
```

A simple cron job that checks if Hermes is running and restarts it if not:

```bash
# Add to crontab
crontab -e

# Check every 5 minutes
*/5 * * * * /home/hermes/check_hermes.sh
```

Where `check_hermes.sh` contains:

```bash
#!/bin/bash
# Restart Hermes only when no running container matches "hermes-agent"
if ! docker ps | grep -q hermes-agent; then
    cd /home/hermes/hermes-agent || exit 1
    docker compose up -d
    echo "$(date): Hermes restarted" >> /home/hermes/hermes.log
fi
```

These are the minimum rules for keeping your VPS safe:

1. SSH keys only — no password authentication
2. Non-root user — run your agent as a regular user, not root
3. Cloudflare Tunnel or Tailscale — no open ports on the VPS
4. ufw/firewall enabled — only allow ports you explicitly need
5. Fail2ban — prevents brute force attacks on SSH

   ```bash
   # Install fail2ban
   sudo apt install fail2ban -y
   sudo systemctl enable fail2ban
   sudo systemctl start fail2ban
   ```

6. Regular updates:

   ```bash
   # Weekly update script
   sudo apt update && sudo apt upgrade -y
   ```

7. Scoped GitHub credentials — the VPS agent has only the permissions it needs, nothing more
8. No credentials in public repos — all tokens/keys go in .env or environment variables, never hardcoded

These are the durable practices that make running an always-on agent sustainable:

Think of yourself as the CEO. You define what needs to be done, then let the agent execute. Don't try to micromanage every step.
- Agents should leave evidence of what they did (comments, logs, saved files)
- If something fails, report what was accomplished before the failure — not just "it failed"
- Escalate to a human only for: architecture decisions, security issues, risky changes

- Work flows through issues/tasks, not just chat memory
- One task at a time, with clear completion criteria
- Improvements and lessons learned become issues, not just chat notes

Stable patterns get promoted:

- Repeated procedure — skill (automated)
- Lesson learned — documentation
- Decision made — decision log with rationale
- Evidence gathered — research file

- Route simple tasks to cheaper models
- Save the strongest models for tasks that actually need reasoning
- Track API costs — this is where the real spending is (not the VPS)

- [Hermes Agent GitHub](https://github.com/NousResearch/hermes-agent)
- [digitalknk/openclaw-runbook](https://github.com/digitalknk/openclaw-runbook) — community runbook (may need updating for latest Hermes)
- [Cloudflare Tunnel Docs](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/)
- [Tailscale](https://tailscale.com/) — VPN mesh for secure access
- [Hetzner Cloud](https://www.hetzner.com/cloud/) — best price/performance VPS
- [Hostinger VPS](https://www.hostinger.com/vps-hosting) — easiest beginner setup with one-click Hermes

If something in this guide is outdated or unclear, open an issue on the [Hermes Agent repo](https://github.com/NousResearch/hermes-agent) or reach out to the community on Discord/Reddit.

This guide is maintained by the Main Branch community. Last updated: 2026-05.