Source: raw/Access_Your_Hermes_Agent_From_Anywhere_Tailscale_+Termius+_tmux.md
A YouTube tutorial walking through a three-tool stack that lets you reach a self-hosted Hermes agent from any device — phone, laptop, or another PC — without exposing a single port to the public internet. The framework (credited to a post by Pseudo Sue on X) pairs Tailscale (private mesh network, solves reach), Termius (phone-grade SSH client, solves control), and tmux (persistent terminal sessions, solves persistence). The pattern targets the common situation where Hermes is pinned to the one strong machine you own — a GPU desktop, Mac mini, or old laptop — and you want secure 24/7 access to it from anywhere.
Key Takeaways
- Three tools, three problems. Tailscale = reach (devices talk by name over a private mesh); Termius = control (usable mobile SSH); tmux = persistence (sessions survive dropped SSH / closed laptop / bad Wi-Fi).
- Zero public exposure. Tailscale is peer-to-peer over WireGuard — no public IP, no port forwarding, no firewall config. The creator rejects all four common alternatives: port-forwarding (a public agent with shell access — “very not secure”), ngrok/localtunnel (fine for a 10-minute dev server, not a long-running agent), Cloudflare Tunnel (solid but more setup than Tailscale), and VPS + reverse-SSH (paying monthly for what Tailscale gives free, with limited dev capability on a VPS).
- Free for personal use. Tailscale’s personal plan covers up to 6 users / unlimited user devices — enough for most single-operator setups. Termius’s free starter tier covers everything in the walkthrough (the $10/mo Pro tier adds snippets + cross-device sync, both optional).
- Install Tailscale on the same system that runs Hermes. The creator runs Hermes on a Windows PC via WSL, so Tailscale must go inside the WSL environment, not on the Windows host — it has to live on whatever system the agent itself runs on.
- tmux is what makes the session portable. Start a task on the PC, detach, walk away, then reattach the same live session from your phone via Termius — the agent keeps working the whole time. The creator demos reattaching to a running Telegram-research task mid-execution from an iPhone.
- This secures reach, not the agent itself. Honest caveat from the creator: the stack gives you no public IP, no open ports, an encrypted path, SSH-key-gated access, and disconnect-surviving sessions — but it does not sandbox the agent or stop prompt injection. The agent still has free run once reached; scope its access carefully. Tailscale ACLs can limit which devices talk to which for a tighter setup.
Setup
The walkthrough installs everything on the machine that runs Hermes (here, a Windows PC running Hermes through WSL — so all server-side commands run inside WSL), then adds the phone and a laptop to the same network.
Part 1 — Tailscale (the mesh network / “reach”)
Tailscale is a private mesh network built on WireGuard. Every device signed into your “tailnet” gets a private IP and a memorable name, talks peer-to-peer when possible (relaying through Tailscale’s DERP servers only under strict NAT, end-to-end encrypted either way), and gets MagicDNS so you can SSH to a name like Hermes-PC instead of a numeric IP.
- Install Tailscale on the Hermes host (inside WSL in this setup). The creator notes it’s “just two lines” from the official install docs at tailscale.com; installation completes in a couple of seconds.
- Authenticate / bring the node up:
    sudo tailscale up --hostname Hermes-PC
  This registers the machine under a memorable hostname (the creator uses Hermes-PC). It prints an auth URL — open it, sign in (the creator uses a Gmail account), and the login completes. ^[inferred: the transcript shows sudo tailscale up with a hostname tag; the exact --hostname flag spelling is reconstructed from standard Tailscale usage]
- Verify the node is connected:
    tailscale status
  Output shows the private IP, the hostname (Hermes-PC), the device owner, and the OS (Linux, since it’s WSL).
- Install Tailscale on your phone — get the Tailscale app from the App Store (iOS shown), sign in with the same account used on the PC, and connect.
- Repeat on any other device (the creator also installs it on a laptop, again inside WSL). Re-run tailscale status and all three devices — PC, laptop, iPhone — now appear on the same tailnet under one account, reachable by name from anywhere. Setup takes “literally a couple minutes.”
Part 2 — OpenSSH server on the Hermes host
SSH (secure shell) is how you log into the host’s command line over an encrypted connection. The server runs on the remote machine (the Hermes PC); the client is whatever you connect from (Termius on the phone, or a laptop terminal). You must install and enable the SSH server on the Hermes host:
    sudo apt install openssh-server
    sudo systemctl enable ssh
Confirm it’s running:
    sudo systemctl status ssh
Output should read active (running). ^[inferred: the transcript dictates “pseudoapt install open SSH server” and an enable line; package name openssh-server and service name ssh are the standard Debian/Ubuntu/WSL spellings]
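The "SSH-key-gated access" property of this stack depends on how sshd is configured, and OpenSSH accepts password logins unless told otherwise. The check below is an added example, not something shown in the video: it reads the effective settings that sudo sshd -T prints and flags password-style logins and listen addresses other than the host's tailnet address. The sshd -T excerpts and the 100.64.0.10 address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the video. Audits the *effective* sshd settings
# (the output of `sudo sshd -T`) read from stdin.
# $1 = this host's tailnet IPv4 address, as printed by `tailscale ip -4`.
# Prints FAIL/WARN lines; returns 1 if any FAIL was found, otherwise 0.
audit_sshd() {
  ts_ip="$1"; fails=0
  while read -r key val; do
    case "$key" in
      passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication)
        # Any of these left on lets a guessed password stand in for the key.
        if [ "$val" != "no" ]; then echo "FAIL $key $val"; fails=1; fi ;;
      pubkeyauthentication)
        if [ "$val" != "yes" ]; then echo "FAIL $key $val"; fails=1; fi ;;
      permitrootlogin)
        if [ "$val" = "yes" ]; then echo "FAIL $key $val"; fails=1; fi ;;
      listenaddress)
        # sshd -T prints address:port, e.g. 0.0.0.0:22 or [::]:22
        addr="${val%:*}"
        if [ "$addr" != "$ts_ip" ]; then
          echo "WARN listenaddress $val is not the tailnet address $ts_ip"
        fi ;;
    esac
  done
  return "$fails"
}

# Constructed `sshd -T` excerpts (not captured from a real host).
SAMPLE_DEFAULT='port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

SAMPLE_HARDENED='port 22
listenaddress 100.64.0.10:22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Demo on the constructed input. On a real host:
#   sudo sshd -T | audit_sshd "$(tailscale ip -4)"
printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd 100.64.0.10 || true
```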
Part 3 — Termius (mobile SSH client / “control”)
The default SSH apps on iOS/Android are “miserable” — no escape/control/tab keys on screen, connections drop on every Wi-Fi change, no file browser, no port forwarding. Termius fixes this with a command-keyboard add-on bar, mosh (survives network changes), port forwarding, a file browser, a phone dashboard, and AI autocomplete — all in the free starter tier.
- Download Termius from the App Store and sign in.
- Create a host — name it (the creator uses Hermes-PC). This is the SSH host entry for the agent machine.
- Generate an SSH key — under the host’s Credentials, choose Generate key.
- Export the public key back to the Hermes host. Go to Keychain (which holds your keys) and export the key so the host trusts this client. Keep these keys secure.
- Connect. Termius opens a shell on the PC’s WSL environment. The creator runs hermes status over the connection to confirm the full Hermes agent state shows up — confirming the phone is properly connected to the agent on the PC.
- Port-forward the Hermes dashboard (optional). To see the Hermes web dashboard (the localhost UI you normally view on the PC) on your phone, set up local port forwarding in Termius — match the port(s) Hermes serves the dashboard on. The creator then opens the forwarded localhost and the familiar Hermes web dashboard (models, skills, sessions) renders right on the phone. ^[inferred: transcript describes matching “the ports that you need” for local forwarding but does not state the specific Hermes dashboard port number]
Part 4 — tmux (persistent sessions / “persistence”)
Without tmux, SSH owns the shell: SSH connects, spawns a shell, you run Hermes — and if you close the laptop, lose Wi-Fi, or drop the session, the shell dies and the agent stops. With tmux, tmux owns the shell and SSH is just a window into it — detach and SSH can die while tmux keeps running, so the agent keeps working and you can reattach later from any device. Install on whatever device actually runs Hermes:
- Check if tmux is already installed:
    which tmux
  If there’s no output, install it:
    sudo apt install tmux
- Start a named tmux session (the creator names it hermes):
    tmux new -s hermes
  A green status bar at the bottom means you’re inside tmux. Run the agent here — e.g. hermes status, then hermes chat to bring up the TUI. Everything now lives inside the persistent session.
- Walk away. The session keeps running on the PC even after you disconnect (the creator leaves a Telegram-research task running and goes for coffee).
- From the phone (via Termius), list the running sessions:
    tmux ls
  The hermes session started on the PC shows up here.
- Reattach the same live session:
    tmux attach -t hermes
  You’re back in the exact session — in the demo, the Telegram-research task is still running, never disconnected, still streaming its answer. From the phone keyboard you can keep giving it instructions (the creator types a follow-up about Telegram setup and gets an answer plus a newly self-created skill). The same reattach works from a laptop in the tailnet, or any other device — one agent across all of them.
Optional hardening — Tailscale ACLs
By default all devices on a tailnet can reach each other (what most people want). For a tighter setup, configure ACLs (access control lists) to limit which devices can talk to which — so if one device is compromised, you’re not exposed across all of them.
Try It
- Install Tailscale on your Hermes host (inside WSL/the container/VM if that’s where the agent runs, not the outer host OS), run sudo tailscale up --hostname <name>, authenticate, and confirm with tailscale status.
- Add your phone to the same tailnet (Tailscale app, same login account).
- Enable the SSH server on the host (sudo apt install openssh-server && sudo systemctl enable ssh) and verify with sudo systemctl status ssh.
- Install Termius on your phone, create a host for the agent machine, generate an SSH key, and export the public key to the host.
- Wrap your agent in tmux — tmux new -s hermes, start Hermes inside it, detach, then tmux ls + tmux attach -t hermes from the phone to confirm the session survives.
- Port-forward the dashboard in Termius if you want the Hermes web UI in your pocket.
- Pair this with the seven-layer security model — this stack secures who can reach the agent; the security model governs what the agent can do once reached. Apply both, and scope the agent’s API keys / tool access with least privilege since the network path alone does not sandbox it.
Related
- Hermes Agent — User Stories and Use Cases — the Privacy & Self-Hosted category catalogs the tailscale serve zero-port-forwarding pattern (the HTTPS-proxy variant); this article is the full mesh + SSH + tmux walkthrough
- Hermes Agent — Security Model (Defense-in-Depth) — the platform-side defenses that pair with this network-access layer; the creator’s “secures reach, not the agent” caveat maps directly to it
- Hermes Desktop — Native macOS SSH Client — the native-Mac counterpart for managing a Hermes host over pure SSH (“no gateways, no exposed ports”); same SSH-direct philosophy, GUI instead of terminal+tmux
- Hermes Agent — Zero to Personal AI Assistant (Nate Herk 1-Hour Course) — operator-side VPS deployment walkthrough; this remote-access stack is what you’d layer on top to reach a self-hosted box from your phone
Open Questions
- The transcript dictates several commands via auto-captioned narration rather than showing exact text for every one (e.g., the precise tailscale up flags, the OpenSSH package/service names, the dashboard port number for forwarding). The commands above use the standard spellings, marked ^[inferred] where reconstructed — verify against Tailscale / OpenSSH / tmux docs before relying on them verbatim.
- The framework is credited to a post by “Pseudo Sue” on X, which the creator says also described a private git repo + scripting layer deferred to “a later video.” Those two additional components are not covered here.
- No specifics on Android-side Termius or non-WSL hosts (native Linux, macOS, Mac mini) — the walkthrough is Windows+WSL throughout, though the creator states the same approach works for “phone, laptop, PC, any other device.”