Source: wiki synthesis: Access Your Hermes Agent From Anywhere — Tailscale + Termius + tmux, Hermex — Native SwiftUI iPhone Client for Hermes Agent, Claude Code Channels, Hermes Desktop — Official Nous Research App
The wiki documents several ways to reach an always-on agent that lives on a machine you control — and they cluster into three distinct patterns: raw SSH/tmux over a private mesh network, a purpose-built native companion app, and chat-channel bridges that put the agent inside the messaging apps already on your phone. The two ecosystems covered (Hermes and Claude Code) have converged on the same three shapes independently. ^[inferred — the convergence framing is this article’s synthesis; each pattern is documented separately in its source article] This article compares the patterns on setup cost, notification behavior, security surface, and what you can actually do from the phone — and shows why they compose rather than compete.
Key Takeaways
- Three patterns, four articles. Raw transport (Tailscale + Termius + tmux), native client (Hermex on iOS; the official Hermes Desktop’s remote-gateway thin-client is the same shape on a laptop), and chat bridge (Claude Code channel plugins for Telegram/Discord/iMessage; Hermes Desktop’s built-in messaging pillar for Telegram/WhatsApp/Signal/Slack/Discord/Email).
- Ceiling vs. convenience. SSH/tmux has the highest ceiling: reattach the exact live session mid-task from the phone, keep typing instructions, port-forward the web dashboard — but nothing pushes to you; you connect to look. ^[inferred — the source demonstrates reattaching to a still-running task and describes no push mechanism] Chat channels are the opposite: the agent’s replies and even tool-permission prompts land in your chat app, but the interface is conversation, not a shell. The companion app sits between: a cockpit UI (streaming chat, sessions, scheduling, skills, workspace files, memory and usage analytics, attachments) that you open like any app.
- The security surfaces differ in kind, not just degree. The SSH pattern is network-layer security: no public IP, no open ports, peer-to-peer WireGuard, SSH-key-gated, optional tailnet ACLs — with the explicit caveat that it “secures reach, not the agent itself.” Channels are identity-layer security: sender gating on identity (not chat room) is mandatory because an ungated channel is a direct prompt-injection vector, and permission relay may only be declared on channels that authenticate the sender. Hermex inherits whatever security posture exposes your hermes-webui server.
- Both ecosystems gate the chat pattern on sender identity. Claude Code uses pairing codes plus an allowlist policy; Hermes Desktop’s GUI Telegram setup takes a bot token plus allowed user IDs “so the agent only answers you.” Same discipline, two vendors. ^[inferred parallel — each half is documented in its own source]
- Permission relay is the chat pattern’s unique capability. A two-way authenticated Claude Code channel can forward tool-approval prompts to your phone (5-letter request ID, reply
yes abcde/no abcde, first answer between terminal and remote wins). Neither the SSH nor the companion-app sources document an equivalent remote-approval mechanism — over SSH you’d answer the prompt in the reattached terminal itself. ^[inferred — absence noted from the sources, not a tested comparison] - Terminal surfaces are the token-efficient ones. Hermes v0.16 creator guides flag that the desktop GUI “bleeds tokens on heavy UI schemas” while terminal/CLI use passes raw, filtered text — an operational reason to keep the SSH path around even after installing prettier surfaces.
The three patterns
Pattern 1 — Raw transport: SSH + tmux over a tailnet
- Stack: Tailscale (reach — private WireGuard mesh, devices addressed by name via MagicDNS), Termius (control — phone-grade SSH client with mosh, port forwarding, file browser), tmux (persistence — the session survives dropped SSH; tmux owns the shell, SSH is just a window into it).
- Setup cost: install Tailscale on the agent host (inside WSL/container if that’s where the agent runs) and on the phone, enable OpenSSH server, create a Termius host + SSH key, wrap the agent in a named tmux session. Tailscale’s personal plan (up to 6 users) and Termius’s free tier cover the whole walkthrough — $0.
- From the phone: everything you could do at the desk —
tmux attach -t hermesresumes the live session (the source demos rejoining a running Telegram-research task from an iPhone), plus the Hermes web dashboard via local port forwarding. - Trade-off: pull-only, terminal-native, and deliberately agent-agnostic — nothing in the transport stack is Hermes-specific, so the same rig fronts any CLI agent pinned to one strong machine. ^[inferred — the walkthrough is Hermes-specific; the tools themselves are generic]
Pattern 2 — Native companion app: Hermex (and the thin-client direction)
- Hermex is a native SwiftUI iPhone app (iOS 18+, MIT, open-sourced 2026-07-02) that is a pure client pointing at a hermes-webui server you already run — “a mobile cockpit for an AI agent that lives on a machine you control.” No server component of its own; unofficial and early (39 stars at ingest), but with contract tests against upstream hermes-webui, a security policy, and TestFlight ops docs.
- Setup cost: highest builder friction of the three — clone the repo, build in Xcode 26+, and have hermes-webui already running and reachable. No confirmed App Store or open TestFlight distribution.
- From the phone: real-time streaming chat, session management, model/provider switching, task scheduling, skill browsing, workspace file exploration, memory and usage analytics, file/image attachments — the widest structured feature surface of the three patterns.
- The first-party echo: Nous’s official Hermes Desktop ships the same architecture at laptop scale — run the actual agent on your main machine or homelab, connect the desktop app as a thin client over a secure WebSocket with OAuth, one remote host per profile. The vendor and the community are converging on “agent on the strong box, thin surfaces everywhere.” ^[inferred framing]
Pattern 3 — Chat-channel bridge: the agent inside your messaging apps
- Claude Code channels are MCP servers that push external events into an already-running local session (research preview, v2.1.80+; permission relay v2.1.81+; Team/Enterprise orgs must enable
channelsEnabled). Telegram, Discord, and iMessage ship as official plugins; two-way channels expose areplytool, so your DM to the bot reaches the session and Claude’s answer lands back in the chat app. - Setup cost: minutes, no new client software — e.g. Telegram: create a bot via BotFather,
/plugin install telegram@claude-plugins-official,/telegram:configure <token>, restart with--channels, pair via DM code, set the allowlist policy. - From the phone: converse with the running session, receive event-driven pushes (webhooks, CI alerts routed through a channel), and — uniquely — approve or deny tool-permission prompts remotely. Project-trust and MCP-consent dialogs stay terminal-only.
- The Hermes equivalent is built into the official desktop app’s Connect pillar: one agent, one memory across Telegram, Discord, Slack, WhatsApp, Signal, Email, and CLI, configured from a GUI pane with no config-file editing.
Chooser
| Dimension | SSH/tmux over tailnet | Native companion app (Hermex) | Chat-channel bridge |
|---|---|---|---|
| Ecosystem | Any CLI agent on a box you own ^[inferred] | Hermes (hermes-webui) only | Claude Code (official plugins); Hermes (desktop messaging pillar) |
| Setup cost | ~30 min of commodity tools, $0 | Xcode 26+ build + running webui | Bot token + plugin install + pairing |
| From the phone | Full live terminal + forwarded dashboard | Cockpit UI: chat, sessions, schedules, files, analytics | Conversation + event pushes + permission approvals |
| Notification model | Pull-only — connect to see ^[inferred] | Open-the-app streaming; push not documented | Replies and permission prompts land in the chat app |
| Security surface | No public IP/ports, SSH keys, tailnet ACLs; doesn’t sandbox the agent | Whatever exposes hermes-webui + repo security policy | Mandatory sender-identity gating; ungated = prompt-injection vector |
| Maturity | Stable commodity tools | Early, unofficial, unverified hands-on | Research preview, flag-gated |
- Pick SSH/tmux if you’re terminal-native, want the full ceiling (including fixing the agent when it breaks), or run a non-Hermes/non-Claude agent. It’s also the fallback every other pattern quietly depends on when things go wrong. ^[inferred]
- Pick the companion app if you’re a phone-first Hermes operator who wants sessions, schedules, files, and analytics as tappable UI rather than shell commands — and you accept early-project risk.
- Pick the chat bridge if you mostly need to hear from the agent and answer its questions — status pings, webhook events, remote permission approvals — inside apps you already check all day.
- Compose them. Hermex requires hermes-webui to be “reachable”; putting the webui host on the same tailnet as your phone gets reachability with zero public exposure — pattern 1 as the transport under pattern 2. ^[inferred — neither source describes this combination, but the requirements slot together]
Try It
- Terminal path (any agent): install Tailscale on the agent host,
sudo tailscale up --hostname <name>, enable OpenSSH, add your phone to the tailnet, create a Termius host with a generated key, thentmux new -s agentand confirm you cantmux attach -t agentfrom the phone. - Claude Code path: smoke-test the channel system with fakechat (
/plugin install fakechat@claude-plugins-official, restart with--channels, openlocalhost:8787), then wire the Telegram bot and set/telegram:access policy allowlist. Only add permission relay after sender gating is in place. - Hermes iPhone path: clone
uzairansaruzi/hermex, build in Xcode 26+, point it at your hermes-webui address, and check the repo’s contract tests against your installed webui version before trusting it with scheduling. - Compose: if you build Hermex, put the webui host behind the tailnet from step 1 instead of exposing it publicly. ^[inferred]
- Whichever pattern you pick, read the Hermes security model (or the channels sender-gating docs for Claude Code): all three patterns govern who can reach the agent, none of them constrain what the agent can do once reached.
Related
- Access Your Hermes Agent From Anywhere — Tailscale + Termius + tmux
- Hermex — Native SwiftUI iPhone Client for Hermes Agent
- Claude Code Channels
- Hermes Desktop — Official Nous Research App
- Hermes Desktop (dodo-reach) — Native macOS SSH Client — the SSH-direct philosophy in GUI form, between patterns 1 and 2
- Hermes Security Model — what none of the three access patterns cover
- Hermes Architecture Explained — the gateway layer hermes-webui (and so Hermex) talks to
Open Questions
- Does Hermex deliver background push notifications, or only in-app streaming? The source documents “real-time streaming chat” but no push mechanism, and the wiki has no hands-on verification of the app.
- Do Hermes’ chat-channel surfaces support anything like Claude Code’s permission relay (approving privileged actions from the phone), or is remote approval a Claude-Code-only capability today? Not established by any source here.