Skip to main content

VPS hosting

This hub links to the supported VPS/hosting guides and explains the current hosted Fased posture at a high level.

Local vs VPS security

PathBest forSecurity postureAccess dependency
Local installPersonal laptop, desktop, dev box, WSL2Lowest setup risk. Gateway stays on your machine; a home router usually does not expose it to the public internet. Tailscale is optional.Your local OS login.
VPS HostingAlways-on cloud nodeHigher exposure by default because a VPS is internet-reachable. Hosted setup closes public admin ports and requires Tailscale for private dashboard/SSH access.Your Tailscale account plus the VPS provider console for emergency recovery.
If you lose access to the Tailscale account used for a hosted VPS, normal dashboard and SSH access can be lost. Recovery then depends on the VPS provider’s web console/rescue mode/rebuild tools. Keep your Tailscale account recovery options and VPS provider console access working.

VPS in 3 steps

For most users, the hosted path is:
  1. On your own computer, install/sign into Tailscale and keep it online.
  2. SSH into the fresh VPS using the login your VPS provider gives you.
  3. Join the VPS to the same tailnet, install Fased, and choose the Hosting profile.
Hosted setup uses two machines:
  • Your own computer: opens the dashboard and runs SSH checks.
  • The VPS: runs Fased Agent.
Start on your own computer:
Your computerUse this terminalTailscale requirement
WindowsPowerShell or Windows TerminalInstall/sign into the Windows Tailscale app from tailscale.com/download. PowerShell can SSH into the Linux VPS.
macOSTerminalInstall/sign into the macOS Tailscale app.
LinuxTerminalInstall/start Tailscale on that Linux machine.
WSLAdvanced onlyEither use PowerShell instead, or install/start Tailscale inside WSL too. Windows Tailscale does not automatically make WSL a Tailscale node.
Installing Tailscale from PowerShell is fine, but it still installs the Windows Tailscale app/service. PowerShell uses that Windows Tailscale connection. Other private-access systems are custom deployments. The standard hosted installer does not configure or verify WireGuard, Headscale, ZeroTier, bastion hosts, or manual SSH tunnels. If you replace Tailscale, you own dashboard exposure, SSH policy, TLS, firewall rules, and recovery. Do not paste the Linux install commands into PowerShell unless PowerShell is already connected to the VPS over SSH. The commands below run inside the VPS SSH session. First SSH into the fresh VPS, often as root: 
ssh root@YOUR_PUBLIC_VPS_IP
Then run this on the VPS: 
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh

git clone https://github.com/fased-ai/fased.git fased
cd fased
./install.sh --hosting
Fased can install on a 1 vCPU / 1 GB RAM VPS, but that is the minimum floor and onboarding will be slow. For a smoother first install, use at least:
VPS sizeUse it forExpectation
1 vCPU / 1 GB RAMCheapest test nodeWorks with swap, but install/onboarding can take a long time.
1-2 vCPU / 2 GB RAMRecommended minimumMuch better first install and normal hosted operation.
2 vCPU / 4 GB RAMComfortable public nodeFaster builds, smoother Control UI, and more room for channels/tasks.
Use a 25 GB disk or larger. Keep the raw Gateway port private; use Tailscale for operator access. Current installers try a clean fast-forward update from Git before building. If you already started from an older installer and it stopped, update the checkout once and rerun: 
cd ~/fased
git pull --ff-only origin main
./install.sh --hosting
If you SSH into a fresh VPS as root, the installer creates a non-root app user, prepares /home/app/fased, and re-runs the installer as app. That is expected. After successful hosted onboarding, the temporary root checkout is removed. Do not move the repo back to /root. When sudo tailscale up --ssh prints a login URL in the SSH terminal, copy that URL into your own device’s browser. The VPS does not need a desktop browser. Before SSH/firewall lock-down, setup pauses and asks you to test terminal access from your own computer: 
tailscale ping YOUR_VPS_TAILSCALE_NAME
ssh app@YOUR_VPS_TAILSCALE_NAME
If tailscale ping says no matching peer, your computer and the VPS are not in the same Tailscale network. Sign your computer into the same Tailscale account, or re-authenticate Tailscale on the VPS, then rerun the check. Only confirm after that command connects through Tailscale and opens /home/app/fased. If it does not connect, setup stops before disabling root or password SSH. If the original VPS login was password-only and no SSH public key is available, setup stops before hardening; add your public key and rerun. After onboarding completes, use both access paths:
  • Web dashboard: open the printed https://...ts.net/ URL in a browser on your own computer. That computer must be signed into the same Tailscale account. Save the gateway token in case the browser asks for it.
  • SSH terminal: use regular SSH over Tailscale as app for CLI commands, updates, logs, and repairs. Run it from a computer signed into the same Tailscale network.
Then leave the original root@...:~/fased bootstrap shell. Normal operation uses the app user over Tailscale from your own computer: 
ssh app@YOUR_VPS_TAILSCALE_NAME
fased health
fased status
fased dashboard
The app shell is a full Linux shell on the VPS and is configured to start in /home/app/fased. Use fased health as the single pass/fail check after hosting install. It should start with Gateway: online. Use fased health --verbose only when you want optional channel details. If health fails, inspect the service: 
sudo systemctl status fased-gateway --no-pager
sudo journalctl -u fased-gateway -n 120 --no-pager
Root SSH is only for first bootstrap or emergency repair after the hosting profile hardens SSH/UFW. Keep the raw Gateway port closed to the public internet. http://localhost:18789 is only the advanced SSH tunnel fallback: it works on your local computer after you start the tunnel shown by onboarding and leave that tunnel running.
Small VPS installs size swap automatically when possible and run onboarding with a larger Node heap. If an older checkout already failed with JavaScript heap out of memory, update the checkout and rerun ./install.sh --hosting.

Update later

For normal updates, log in as app through Tailscale: 
ssh app@YOUR_VPS_TAILSCALE_NAME
fased update status
fased update
If the browser Control UI is reachable, Update & Restart uses the same gateway update path. Rerun ./install.sh --hosting only for repair/reinstall behavior; current installers fast-forward a clean Git checkout before building.
You do not need a Tailscale API key for the normal manual VPS flow. The Tailscale CLI prints a URL you open from your own computer. Use a Tailscale auth key only for non-interactive automation, cloud-init, Terraform, or scripted installs.
Run this on the VPS, not from a laptop trying to configure another machine. Hosting onboarding needs permission to apply host security and verify Tailscale before it closes public management paths.

Pick a provider

  • Oracle Cloud (Always Free): Oracle — $0/month (Always Free, ARM; capacity/signup can be finicky)
  • Fly.io: Fly.io
  • Hetzner (Docker): Hetzner
  • GCP (Compute Engine): GCP
  • Other VPS providers: a clean Ubuntu LTS box usually works fine if you follow the same hosting/onboarding and Tailscale guidance.
Fased docs only list hosted install methods backed by files in this repository, for example deploy/hosting/fly.toml, deploy/hosting/render.yaml, Docker, or the repo installer. External hosted presets are intentionally not listed because we cannot verify or maintain them from this repo.

How cloud setups work

  • The runtime and gateway run on the VPS and own state + workspace.
  • Root installs are bootstrapped into /home/app/fased and run as the app user. The root checkout is temporary bootstrap state.
  • Treat the VPS as the source of truth and back up the state + workspace.
  • Create or sign into Tailscale before onboarding that host. If you skip this, Hosting onboarding will stop to install/login Tailscale before it locks down SSH/firewall rules.
  • Use fased onboard --host-profile hosting for the hosted path.
  • Keep the gateway on loopback and access it via the private Tailscale HTTPS dashboard URL or SSH over the Tailscale network.
  • Do not expose the raw gateway port publicly just to reach the dashboard or WS.
  • If you bind to lan/tailnet, require gateway.auth.token or gateway.auth.password.
Remote access: Gateway remote
Platforms hub: Platforms

Shared company agent on a VPS

This is a valid setup when the users are in one trust boundary (for example one company team), and the runtime is business-only.
  • Keep it on a dedicated runtime (VPS/VM/container + dedicated OS user/accounts).
  • Do not sign that runtime into personal Apple/Google accounts or personal browser/password-manager profiles.
  • If users are adversarial to each other, split by gateway/host/OS user.
Security model details: Security

Using nodes with a VPS

You can keep the Gateway in the cloud and pair nodes on your local devices (Mac/iOS/Android/headless). Nodes provide local screen/camera/canvas and system.run capabilities while the Gateway stays in the cloud. Docs: Nodes, Nodes CLI