Source: wiki synthesis: Access Your Hermes Agent From Anywhere — Tailscale + Termius + tmux, Hermex — Native SwiftUI iPhone Client for Hermes Agent, Claude Code Channels, Hermes Desktop — Official Nous Research App

The wiki documents several ways to reach an always-on agent that lives on a machine you control — and they cluster into three distinct patterns: raw SSH/tmux over a private mesh network, a purpose-built native companion app, and chat-channel bridges that put the agent inside the messaging apps already on your phone. The two ecosystems covered (Hermes and Claude Code) have converged on the same three shapes independently. ^[inferred — the convergence framing is this article’s synthesis; each pattern is documented separately in its source article] This article compares the patterns on setup cost, notification behavior, security surface, and what you can actually do from the phone — and shows why they compose rather than compete.

Key Takeaways

  • Three patterns, four articles. Raw transport (Tailscale + Termius + tmux), native client (Hermex on iOS; the official Hermes Desktop’s remote-gateway thin-client is the same shape on a laptop), and chat bridge (Claude Code channel plugins for Telegram/Discord/iMessage; Hermes Desktop’s built-in messaging pillar for Telegram/WhatsApp/Signal/Slack/Discord/Email).
  • Ceiling vs. convenience. SSH/tmux has the highest ceiling: reattach the exact live session mid-task from the phone, keep typing instructions, port-forward the web dashboard — but nothing pushes to you; you connect to look. ^[inferred — the source demonstrates reattaching to a still-running task and describes no push mechanism] Chat channels are the opposite: the agent’s replies and even tool-permission prompts land in your chat app, but the interface is conversation, not a shell. The companion app sits between: a cockpit UI (streaming chat, sessions, scheduling, skills, workspace files, memory and usage analytics, attachments) that you open like any app.
  • The security surfaces differ in kind, not just degree. The SSH pattern is network-layer security: no public IP, no open ports, peer-to-peer WireGuard, SSH-key-gated, optional tailnet ACLs — with the explicit caveat that it “secures reach, not the agent itself.” Channels are identity-layer security: sender gating on identity (not chat room) is mandatory because an ungated channel is a direct prompt-injection vector, and permission relay may only be declared on channels that authenticate the sender. Hermex inherits whatever security posture exposes your hermes-webui server.
  • Both ecosystems gate the chat pattern on sender identity. Claude Code uses pairing codes plus an allowlist policy; Hermes Desktop’s GUI Telegram setup takes a bot token plus allowed user IDs “so the agent only answers you.” Same discipline, two vendors. ^[inferred parallel — each half is documented in its own source]
  • Permission relay is the chat pattern’s unique capability. A two-way authenticated Claude Code channel can forward tool-approval prompts to your phone (5-letter request ID, reply yes abcde / no abcde, first answer between terminal and remote wins). Neither the SSH nor the companion-app sources document an equivalent remote-approval mechanism — over SSH you’d answer the prompt in the reattached terminal itself. ^[inferred — absence noted from the sources, not a tested comparison]
  • Terminal surfaces are the token-efficient ones. Hermes v0.16 creator guides flag that the desktop GUI “bleeds tokens on heavy UI schemas” while terminal/CLI use passes raw, filtered text — an operational reason to keep the SSH path around even after installing prettier surfaces.

The three patterns

Pattern 1 — Raw transport: SSH + tmux over a tailnet

  • Stack: Tailscale (reach — private WireGuard mesh, devices addressed by name via MagicDNS), Termius (control — phone-grade SSH client with mosh, port forwarding, file browser), tmux (persistence — the session survives dropped SSH; tmux owns the shell, SSH is just a window into it).
  • Setup cost: install Tailscale on the agent host (inside WSL/container if that’s where the agent runs) and on the phone, enable OpenSSH server, create a Termius host + SSH key, wrap the agent in a named tmux session. Tailscale’s personal plan (up to 6 users) and Termius’s free tier cover the whole walkthrough — $0.
  • From the phone: everything you could do at the desk — tmux attach -t hermes resumes the live session (the source demos rejoining a running Telegram-research task from an iPhone), plus the Hermes web dashboard via local port forwarding.
  • Trade-off: pull-only, terminal-native, and deliberately agent-agnostic — nothing in the transport stack is Hermes-specific, so the same rig fronts any CLI agent pinned to one strong machine. ^[inferred — the walkthrough is Hermes-specific; the tools themselves are generic]

Pattern 2 — Native companion app: Hermex (and the thin-client direction)

  • Hermex is a native SwiftUI iPhone app (iOS 18+, MIT, open-sourced 2026-07-02) that is a pure client pointing at a hermes-webui server you already run — “a mobile cockpit for an AI agent that lives on a machine you control.” No server component of its own; unofficial and early (39 stars at ingest), but with contract tests against upstream hermes-webui, a security policy, and TestFlight ops docs.
  • Setup cost: highest builder friction of the three — clone the repo, build in Xcode 26+, and have hermes-webui already running and reachable. No confirmed App Store or open TestFlight distribution.
  • From the phone: real-time streaming chat, session management, model/provider switching, task scheduling, skill browsing, workspace file exploration, memory and usage analytics, file/image attachments — the widest structured feature surface of the three patterns.
  • The first-party echo: Nous’s official Hermes Desktop ships the same architecture at laptop scale — run the actual agent on your main machine or homelab, connect the desktop app as a thin client over a secure WebSocket with OAuth, one remote host per profile. The vendor and the community are converging on “agent on the strong box, thin surfaces everywhere.” ^[inferred framing]

Pattern 3 — Chat-channel bridge: the agent inside your messaging apps

  • Claude Code channels are MCP servers that push external events into an already-running local session (research preview, v2.1.80+; permission relay v2.1.81+; Team/Enterprise orgs must enable channelsEnabled). Telegram, Discord, and iMessage ship as official plugins; two-way channels expose a reply tool, so your DM to the bot reaches the session and Claude’s answer lands back in the chat app.
  • Setup cost: minutes, no new client software — e.g. Telegram: create a bot via BotFather, /plugin install telegram@claude-plugins-official, /telegram:configure <token>, restart with --channels, pair via DM code, set the allowlist policy.
  • From the phone: converse with the running session, receive event-driven pushes (webhooks, CI alerts routed through a channel), and — uniquely — approve or deny tool-permission prompts remotely. Project-trust and MCP-consent dialogs stay terminal-only.
  • The Hermes equivalent is built into the official desktop app’s Connect pillar: one agent, one memory across Telegram, Discord, Slack, WhatsApp, Signal, Email, and CLI, configured from a GUI pane with no config-file editing.

Chooser

DimensionSSH/tmux over tailnetNative companion app (Hermex)Chat-channel bridge
EcosystemAny CLI agent on a box you own ^[inferred]Hermes (hermes-webui) onlyClaude Code (official plugins); Hermes (desktop messaging pillar)
Setup cost~30 min of commodity tools, $0Xcode 26+ build + running webuiBot token + plugin install + pairing
From the phoneFull live terminal + forwarded dashboardCockpit UI: chat, sessions, schedules, files, analyticsConversation + event pushes + permission approvals
Notification modelPull-only — connect to see ^[inferred]Open-the-app streaming; push not documentedReplies and permission prompts land in the chat app
Security surfaceNo public IP/ports, SSH keys, tailnet ACLs; doesn’t sandbox the agentWhatever exposes hermes-webui + repo security policyMandatory sender-identity gating; ungated = prompt-injection vector
MaturityStable commodity toolsEarly, unofficial, unverified hands-onResearch preview, flag-gated
  • Pick SSH/tmux if you’re terminal-native, want the full ceiling (including fixing the agent when it breaks), or run a non-Hermes/non-Claude agent. It’s also the fallback every other pattern quietly depends on when things go wrong. ^[inferred]
  • Pick the companion app if you’re a phone-first Hermes operator who wants sessions, schedules, files, and analytics as tappable UI rather than shell commands — and you accept early-project risk.
  • Pick the chat bridge if you mostly need to hear from the agent and answer its questions — status pings, webhook events, remote permission approvals — inside apps you already check all day.
  • Compose them. Hermex requires hermes-webui to be “reachable”; putting the webui host on the same tailnet as your phone gets reachability with zero public exposure — pattern 1 as the transport under pattern 2. ^[inferred — neither source describes this combination, but the requirements slot together]

Try It

  1. Terminal path (any agent): install Tailscale on the agent host, sudo tailscale up --hostname <name>, enable OpenSSH, add your phone to the tailnet, create a Termius host with a generated key, then tmux new -s agent and confirm you can tmux attach -t agent from the phone.
  2. Claude Code path: smoke-test the channel system with fakechat (/plugin install fakechat@claude-plugins-official, restart with --channels, open localhost:8787), then wire the Telegram bot and set /telegram:access policy allowlist. Only add permission relay after sender gating is in place.
  3. Hermes iPhone path: clone uzairansaruzi/hermex, build in Xcode 26+, point it at your hermes-webui address, and check the repo’s contract tests against your installed webui version before trusting it with scheduling.
  4. Compose: if you build Hermex, put the webui host behind the tailnet from step 1 instead of exposing it publicly. ^[inferred]
  5. Whichever pattern you pick, read the Hermes security model (or the channels sender-gating docs for Claude Code): all three patterns govern who can reach the agent, none of them constrain what the agent can do once reached.

Open Questions

  • Does Hermex deliver background push notifications, or only in-app streaming? The source documents “real-time streaming chat” but no push mechanism, and the wiki has no hands-on verification of the app.
  • Do Hermes’ chat-channel surfaces support anything like Claude Code’s permission relay (approving privileged actions from the phone), or is remote approval a Claude-Code-only capability today? Not established by any source here.