Dev Resources · Updated May 7, 2026

Self-Host Hermes Agent on a Hetzner VPS: A Practical Guide

Run Nous Research's open-source Hermes Agent 24/7 on a $5 Hetzner VPS. Step-by-step setup with Telegram integration, systemd persistence, and security hardening.

Cost: $5 to $30/mo total
Time: ~30 min
Steps: 7
Stack: Hetzner · Hermes · Telegram · systemd

What you'll get
  • Self-improving agent (skills + memory) running 24/7 on a cheap VPS
  • Telegram bot you can message from anywhere, with a real access list
  • Backups, updates, and a sane recovery story baked in

Hermes Agent (from Nous Research) is one of the more interesting open-source agents out there. It is not a chatbot. It runs a learning loop that builds and refines its own skills, persists memory across sessions, searches past conversations, models the user, runs scheduled jobs, and plugs into messaging apps like Telegram.

If you are still picking between options, I covered Hermes alongside six other open-source agents in the 2026 open-source AI agent frameworks roundup. This guide assumes you have already decided on Hermes and want it running on a server.

You can run it on a laptop. It works. But the moment you close the lid, your "always on" agent stops being always on. A small VPS fixes that. You get 24/7 uptime, scheduled automations that actually fire, remote access from your phone over Telegram, and zero battery drain on your local machine.

A Hetzner CX22 or CPX21 box runs around $5 to $10 a month. No GPU required. The agent itself is a lightweight Python and Node process. Inference goes out to OpenRouter, Anthropic, or the Nous portal, so the VPS only needs to hold the agent, its memory store, and a few skills.

Step 1 of 7
3 min

Provision the Hetzner box

At a glance
  • Spec: CPX21 default · CX22 to start cheaper
  • OS: Ubuntu 24.04 LTS
  • Auth: SSH key at create time

Sign in at hetzner.com/cloud and create a new server.

  • OS: Ubuntu 24.04 LTS (or 22.04 if you have a reason).
  • Plan: CPX21 is a good default. CX22 if you want to start cheaper.
  • Add your SSH public key during creation. SSH key beats a root password every time.
  • Note the public IP after deploy.

First SSH in.

Terminal · laptop
ssh root@YOUR-HETZNER-IP

Patch the system before doing anything else.

Terminal · vps
apt update && apt upgrade -y
apt install -y curl git ufw

Minimum spec
2 vCPU, 4 GB RAM, 20 GB disk. Enough headroom for the agent process, its skill store, and a few background jobs without thrashing.

Step 2 of 7
4 min

Lock the server down

At a glance
  • User: Dedicated hermes account
  • Firewall: ufw default-deny + ssh allow
  • Optional: Tailscale for SSH

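Running an always-on agent as root is asking for trouble. Make a dedicated user. Keep in mind that the NOPASSWD:ALL sudoers entry below leaves the hermes account one sudo call away from root, so anything the agent can execute can still escalate. It is a setup convenience; consider deleting /etc/sudoers.d/hermes once the remaining steps are done, which restores the separation the dedicated user is meant to provide.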

Terminal · vps
adduser hermes --disabled-password --gecos ""
usermod -aG sudo hermes
echo "hermes ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/hermes
chmod 440 /etc/sudoers.d/hermes

mkdir -p /home/hermes/.ssh
cp ~/.ssh/authorized_keys /home/hermes/.ssh/ 2>/dev/null || true
chown -R hermes:hermes /home/hermes/.ssh
chmod 700 /home/hermes/.ssh
chmod 600 /home/hermes/.ssh/authorized_keys

Test the new user before closing this session
From a second terminal on your laptop, run ssh hermes@YOUR-HETZNER-IP and confirm it works. If your SSH key was not attached to the root account at server-create time, the copy above silently does nothing and the new user has no keys.

Switch over.

Terminal · vps
su - hermes

Turn on a basic firewall. Default deny inbound, allow SSH.

Terminal · vps
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable

Optional and recommended
Install Tailscale and put SSH behind your tailnet. Then the public SSH port can go away entirely. Cuts most of the noise from drive-by scanners.

Step 3 of 7
3 min

Install Hermes Agent

At a glance
  • Installer: Single-line curl
  • Runtimes: Python 3.11+ and Node 22 auto-installed
  • Health check: hermes doctor

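The official installer handles Python 3.11+, Node 22, ripgrep, ffmpeg, and the rest. Run it as the hermes user. The command below pipes a script from the repository's main branch straight into bash, so it executes whatever that branch serves at the time. If you would rather read it first, save it to a file with curl's -o option, review it, and run the saved copy.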

Terminal · vps
curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash

Reload the shell so the new binaries are on PATH.

Terminal · vps
source ~/.bashrc

Confirm it is alive.

Terminal · vps
hermes --version
hermes doctor

hermes doctor is your friend. Run it any time something feels off.

Step 4 of 7
3 min

Pick a model provider

At a glance
  • Recommended: OpenRouter (one key, many models)
  • Alternative: Anthropic direct
  • Safety: approval_mode=ask while learning

Hermes does not ship its own model. You point it at a provider.

Terminal · vps
hermes setup

The wizard asks for a provider, an API key, and a default model. OpenRouter is the most flexible option because one key gets you Claude, DeepSeek, Gemini, and most other models behind a single endpoint. Anthropic direct works too.

After the wizard, you can change models without rerunning it.

Terminal · vps
hermes model
hermes config set model.provider openrouter
hermes config set model.default anthropic/claude-sonnet-4

Set approval mode to ask while you are still feeling out what the agent does. This makes it pause for confirmation before anything destructive.

Terminal · vps
hermes config set approval_mode ask

Typical spend
A moderate daily workload runs $5 to $20 a month in API costs. The VPS itself is the smaller line item.

Step 5 of 7
5 min

Wire up Telegram

At a glance
  • Bot token: @BotFather on Telegram
  • Your ID: @userinfobot on Telegram
  • Access: Allow-list is mandatory

This is the part that turns Hermes from "interesting project" into "agent in my pocket."

  1. Message @BotFather on Telegram. Send /newbot, follow the prompts, and copy the bot token.
  2. Message @userinfobot and copy your numeric Telegram user ID.
  3. Add both to ~/.hermes/.env.

~/.hermes/.env
TELEGRAM_BOT_TOKEN=your_token_here
TELEGRAM_ALLOWED_USERS=your_numeric_user_id

The allow-list is mandatory
TELEGRAM_ALLOWED_USERS is the access list. Only IDs in there can talk to the bot. A bot token without an allow-list is a public agent.

Quick smoke test.

Terminal · vps
hermes gateway

Send a message to the bot. If it replies, you are wired up. Stop the foreground process with Ctrl+C because the next step puts it under systemd properly.

Step 6 of 7
4 min

Run it as a systemd service

At a glance
  • Unit type: User-level systemd
  • Persistence: Survives reboots
  • Working dir: MESSAGING_CWD for coding tools

The built-in gateway tooling generates a user-level systemd unit. Use it.

Terminal · vps
hermes gateway setup
hermes gateway install

Enable and start.

Terminal · vps
systemctl --user enable --now hermes-gateway

Check status and tail logs.

Terminal · vps
systemctl --user status hermes-gateway
journalctl --user -u hermes-gateway -f

If you want the agent to operate on a specific working directory (useful when you give it shell or coding tools), set it explicitly.

Terminal · vps
echo 'MESSAGING_CWD=/home/hermes/projects' >> ~/.hermes/.env
mkdir -p ~/projects
systemctl --user restart hermes-gateway

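That is the whole "always on" setup. Reboot the box and the agent comes back without you logging in. User-level units only start at boot when lingering is enabled for the hermes account, so if the gateway stays down after a reboot, check that setting with loginctl first.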

Step 7 of 7
6 min

Backups, updates, and a few habits

At a glance
  • Secrets: chmod 600 the env file
  • Backups: Nightly via cron
  • Debugging: Journal first when stuck

Treat this like any other small server.

API keys

They live in ~/.hermes/.env. Make sure the file is chmod 600. The installer should already do this, but check.
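
The file-mode check above and the allow-list rule from Step 5, combined into one audit function. This is an added example, not code from the Hermes project; the name audit_hermes_env is made up here, and it assumes TELEGRAM_ALLOWED_USERS holds a comma-separated list and that the last assignment of a key wins.

```shell
#!/bin/sh
# Added example, not part of Hermes: audit the .env file this guide creates.
# Key names come from the guide; the comma-separated ID list is an assumption.

audit_hermes_env() {
    env_file=${1:-$HOME/.hermes/.env}
    findings=0
    [ -f "$env_file" ] || { echo "FAIL: $env_file not found"; return 2; }

    # 1. Secrets file must be owner-only (GNU stat, then BSD stat as fallback).
    mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        findings=$((findings + 1))
    fi

    # Read the last assignment of each key (assumes later lines override earlier).
    token=$(sed -n 's/^TELEGRAM_BOT_TOKEN=//p' "$env_file" | tail -n 1)
    users=$(sed -n 's/^TELEGRAM_ALLOWED_USERS=//p' "$env_file" | tail -n 1 | tr -d "\"' ")

    # 2. A bot token with an empty allow-list is a public agent.
    if [ -n "$token" ] && [ -z "$users" ]; then
        echo "FAIL: TELEGRAM_BOT_TOKEN is set but TELEGRAM_ALLOWED_USERS is empty"
        findings=$((findings + 1))
    fi

    # 3. Every entry must be a numeric user ID, never an @handle.
    for id in $(printf '%s' "$users" | tr ',' ' '); do
        case $id in
            *[!0-9]*)
                echo "FAIL: '$id' is not a numeric Telegram user ID"
                findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ] && echo "OK: $env_file passes all checks"
    [ "$findings" -eq 0 ]
}

# Constructed sample: world-readable file with an @handle in the allow-list.
demo=$(mktemp)
printf 'TELEGRAM_BOT_TOKEN=constructed-token\nTELEGRAM_ALLOWED_USERS=@alice\n' > "$demo"
chmod 644 "$demo"
audit_hermes_env "$demo" || echo "demo file has findings, as intended"
rm -f "$demo"
```

Called with no argument, the function audits ~/.hermes/.env and returns non-zero on any finding, so it can gate a restart of the gateway.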

Approval mode

Keep it on ask until you trust a given workflow. Once a skill is well-trodden you can relax it per-skill.

Backups

Hermes has a built-in backup command. Wire it into cron.

Terminal · vps
hermes backup
# crontab -e, then:
# 0 3 * * * /home/hermes/.local/bin/hermes backup

Updates

Back up first, then update, then run doctor.

Terminal · vps
hermes backup
hermes update
hermes config migrate
hermes doctor
systemctl --user restart hermes-gateway

Monitoring

When something feels stuck, the journal almost always has the answer.

Terminal · vps
journalctl --user -u hermes-gateway --since "1 hour ago"

Going further

A few directions worth knowing about once the basics are in place.

  • Skills. Hermes auto-creates and refines skills as it works. Point it at an Obsidian vault, a GitHub repo, or a folder of internal docs and it gets sharper over time.
  • Pairing with coding agents. A common setup is Hermes plus Claude Code or a similar coding agent on the same box, so the agent in your pocket can hand off long-running coding work. The free coding agent on Nemotron guide pairs nicely here.
  • Local inference. If you upgrade to a Hetzner GPU instance, Ollama at http://localhost:11434/v1 slots in as a provider and your data stops leaving the box.
  • Migrating from OpenClaw. If you were running OpenClaw, hermes claw migrate is the easy path. Memory and config carry over.

What it actually costs

Rough monthly numbers for moderate daily use.

  • VPS: $5 to $10.
  • Provider API: $5 to $20.

Under $30 a month for an always-on, self-improving agent that you chat with from your phone. Most managed equivalents are 3 to 5x that and you do not own the data.

Troubleshooting

  • hermes: command not found after install. Run source ~/.bashrc. If still missing, the installer log will say where it put the binary.
  • Gateway will not start. hermes doctor first, then journalctl --user -u hermes-gateway -n 100. Almost always a missing env var or a bad token.
  • Provider rate limits. Either drop to a cheaper model for routine work or top up credits. Hermes does not silently retry forever.
  • Telegram silent. Confirm TELEGRAM_ALLOWED_USERS includes your real numeric ID, not your @handle. The two are different.

If you hit something not on that list, hermes --help and the project README on GitHub usually have it.

You're set

You now have a small, cheap, persistent AI teammate living on a server in Falkenstein or Ashburn. Send it a first command and let it start building skills.

Curious how Hermes compares to ZeroClaw, NanoClaw, Agent Zero, and the rest? The open-source AI agent frameworks comparison breaks down where each one fits.

Disclaimer: I have no affiliation with Nous Research, Hetzner, or OpenRouter. This is informational. Test and review anything before deploying it on a server you care about.
