Orthanc servers on different networks

Hi, I’m trying to set up two different instances of Orthanc (localhost on different computers and they are connected to different networks so they have different IPs) and set them up as peers. However, I am unable to get the two of them to connect (unless obviously they’re on the same network). I have disabled firewalls on both setups and correctly configured them as peers but I just cannot get them to connect. Am I missing something? Is there a different way to connect Orthanc servers on different networks?

Could you please guide me to the solution? Any help is appreciated.

From machine A:

  • Are you able to ping machine B?
  • Are you able to use telnet B 8042?

Then:

  • If you cannot even ping the machine, you need to troubleshoot at the routing level.
  • If you can ping but cannot connect to port 8042, you probably need to add an allow rule in your firewall.
  • If both ping and telnet work but you’re unable to reach the Orthanc HTTP API (you need to test with http://machineB:8042 from a browser on machine A, or with curl), then check inside the Orthanc configuration if RemoteAccessAllowed is set to true (pay attention to the credentials, too).

Some more information on your specific setup wouldn’t hurt, either.

HTH

So I’m new to any sort of networking/routing. I guess my question is inherently a networking question. If I have a local orthanc server on machine A in city A and another local server on machine B in city B, can these two servers exchange information simply through IP addresses? I followed the basic OrthancPeer setup.

I tried two things -

  1. I tried pinging machine B - it said request timed out.
  2. I tried pinging a machine at my home (I am currently elsewhere) and it said destination host unreachable. From this, I can gather that these two machines cannot interact.

My end goal is to host an Orthanc server on cloud as a main data store and have local Orthanc setups be able to transfer studies to this cloud server. Could you guide me to some resources that I can use to better understand networking/routing (specifically in the context of Orthanc) and to be able to implement this?

Thank you so much.

That’s indeed more of a networking problem.

Since you can’t even ping the machines, you need to go back to basics.

The first question to ask : does your ISP provide you with an actual Internet IP?

Even though you might have 100 machines at home, you usually only receive 0 or 1 public IP and all traffic must go through it. Your router uses a technique called NAT to allow multiple PCs to perform outbound connections to the internet, but from the point of view of the outside Internet, you have a single IP, which is the one your ISP provides you with (if they provide you with one at all): many ISPs provide you with IP addresses behind Carrier Grade NATs (CGNATs), which means that, even though you can reach other machines on the internet, other machines cannot reach you (they can only reach your ISP router, which is not useful). It’s a second-level NAT in a way (read about Network Address Translation to find out more).

To find out if you have a public IP, you can check what your IP is with www.whatismyip.com, for instance, then you need to visit your router home page (such as 192.168.0.1 or 10.10.10.1) and check what its WAN (Internet) address is. If they are the same, you have a public IP.

If not, you need to contact your ISP and find out what your options are (maybe don’t tell them you are going to run a server but complain about online gaming issues, for instance :laughing:).

Once you have an Internet IP, the next step is to make sure that your PC (not merely your router) can be reached from the outside on the port that Orthanc uses.

You need to read more about port redirection, and you need to configure your router so that, when someone reaches your public IP on port 8042 (if you have left the default Orthanc HTTP port), the traffic goes to your machine.

It is highly recommended not to do that, because doing so will expose your Orthanc server on the wild Internet without any sort of encryption.

If you understand the risks, you may proceed, but I would urge you to read more about HTTPS vs HTTP and understand how you can secure Orthanc with it (this is far beyond the scope of a single forum reply)

If you’re 100% sure you can afford the whole Internet to come visit your Orthanc instance and try all sorts of exploit and password cracking techniques, you may proceed in enabling port forwarding to your A and B machines on their respective routers.

Once this is done, you should be able to set them as Orthanc peers.

(NOTE I don’t know much about IP v6 but it’s supposed to fix this problem and allow for every device in everyone’s home to get a specific address… I don’t think we’re there yet)

HTH and be careful!

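An added example (not part of the original reply) of the public-IP check described above: it compares the router's WAN address with the address an external site reports and also recognises the 100.64.0.0/10 range reserved for carrier-grade NAT. The function name `wan_verdict` and all sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example; the function name and the sample addresses are constructed.
# Usage: wan_verdict <router WAN address> <address reported by an external site>
wan_verdict() {
    awk -v wan="$1" -v seen="$2" 'BEGIN {
        if (split(wan, o, ".") != 4) { print "invalid"; exit }
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] > 255) { print "invalid"; exit }
        a = o[1] + 0; b = o[2] + 0
        v = "mismatch"                      # public-looking, but translated upstream
        if (a == 100 && b >= 64 && b <= 127)
            v = "cgnat"                     # 100.64.0.0/10 shared space (RFC 6598)
        else if (a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
            v = "private"                   # RFC 1918: the router sits behind another NAT
        else if (wan == seen)
            v = "public"                    # inbound port forwarding can work
        print v
    }'
}

# Constructed pairs: router WAN address, then the externally observed address.
for pair in "100.72.13.5 203.0.113.10" "192.168.1.2 203.0.113.10" \
            "203.0.113.10 203.0.113.10" "198.51.100.7 203.0.113.10"; do
    set -- $pair
    echo "WAN $1, seen as $2: $(wan_verdict "$1" "$2")"
done
```

Only the `public` verdict means a port forward on the router can be reached from outside; the other three mean inbound connections stop at equipment the subscriber does not control.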

Thank you so much for such a detailed response!! I’m new to Orthanc and any sort of networking so this is really helpful. I checked and it turns out our ISP does not provide a public IP. I had a few follow-up questions (please forgive me if they’re already answered in the documentation or FAQs, I’m just trying to wrap my head around all this)

  1. Is port forwarding only required in the scenario I first described? (two localhost orthanc servers on different machines which are different networks)

  2. If I host an Orthanc server on cloud, how does it work there? Can I do any sort of configuration where a localhost orthanc server can become a peer of this orthanc server on cloud? Is port forwarding something that happens in this scenario as well?

  3. In regards to HTTPS/HTTP, supposing I had a public IP and did the required port forwarding to interact with a remote machine from my machine. The security (SSH or something else) will come after all the required port forwarding right? Essentially, I necessarily need to expose that port for two remote Orthanc peers to be able to communicate, right?

  4. If my main Orthanc server is on cloud and I need to interact with it via a localhost orthanc server, how does secure communication work there? I read somewhere that a reverse proxy takes care of all of the encryption but I am not too sure about it.

Once again, thank you so much for all your help and apologies for such broad and long questions.

Hi Jyotirmay,

No need for apologies, these are all valid questions, albeit not related to Orthanc: you’ll probably get far better answers on a discussion forum specifically tailored for beginner networking questions, but I’ll do my best (I still advise you to post the same question, for instance on Reddit r/HomeNetworking or r/networking)

Is port forwarding only required in the scenario I first described? (two localhost orthanc servers on different machines which are different networks)

Port forwarding is required when two machines are not on the same network and, for instance, the destination IP to reach Orthanc A is not really the machine it runs on, but a router nearby that owns the IP.

Port forwarding is not always required : for instance, if you use a VPN connection on both Orthanc, then they will belong to the same network and they’ll be able to directly talk to each other. A VPN is interesting in your case because it would provide you with far better security than directly exposing Orthanc on the Internet (HTTPS makes it better, of course, but opening a machine on the public Internet always comes with risks)

If I host an Orthanc server on cloud, how does it work there? Can I do any sort of configuration where a localhost orthanc server can become a peer of this orthanc server on cloud? Is port forwarding something that happens in this scenario as well?

The same occurs when Orthanc is hosted on cloud: depending on the cloud provider, you can either get its public IP, where it’ll be directly reachable (provided the firewall lets you in) or you can configure your cloud firewall/routing parameters so that the right ports are forwarded.

In regards to HTTPS/HTTP, supposing I had a public IP and did the required port forwarding to interact with a remote machine from my machine. The security (SSH or something else) will come after all the required port forwarding right? Essentially, I necessarily need to expose that port for two remote Orthanc peers to be able to communicate, right?

You are correct. Making sure the right ports are exposed on the Internet and protecting them with HTTPS are distinct matters. Both are required. Securing Orthanc with HTTPS is explained here: HTTPS encryption with Orthanc.

If my main Orthanc server is on cloud and I need to interact with it via a localhost orthanc server, how does secure communication work there? I read somewhere that a reverse proxy takes care of all of the encryption but I am not too sure about it.

The same applies: from each Orthanc, there needs to be an IP address (on the public internet or a shared network) where this Orthanc is able to reach the other Orthanc on its HTTP(S) port (usually 8042). The fact that one Orthanc runs in the cloud or in your home network does not make it any different.

Since your ISP does not supply you with a public IP, I would say that your best bet is either to use two cloud machines, either on the internet or a private network.

Another option, if you’re only running a single cloud Orthanc, is to use SSH, which allows you to create a secure “tunnel” that allows for bidirectional communication.

Let’s assume you have home-pc (not an internet IP) with Orthanc running on port 8042 and cloud-server (with an internet IP) with Orthanc also running on port 8042. Provided cloud-server runs sshd (the SSH server), as all Linux (and some Windows) boxes do, and that you’re able to change its configuration, you can do the following (I am assuming cloud-server runs Linux and home-pc runs either Linux or macOS or a recent Windows with an ssh client):

Edit the SSH configuration file on cloud-server (/etc/ssh/sshd_config) and
ensure the following lines are present and uncommented:

AllowTcpForwarding yes
GatewayPorts yes

Restart the SSH service on cloud-server:

sudo systemctl restart sshd

Execute the following command on home-pc:

ssh -L 8043:localhost:8042 -R 8043:localhost:8042 myuser@cloud-server

Once you’ve done that:

  • on home-pc, the local Orthanc will (obviously) be reachable on localhost:8042 and the cloud Orthanc will be reachable on localhost:8043 (that’s the magic of SSH tunnels)

  • on cloud-server, the local Orthanc will (also obviously) be reachable on localhost:8042 and the Orthanc running on your home PC will also be reachable on localhost:8043

Set the configuration of both Orthancs accordingly and you should be good to go.

Please note that, if the 8042 ports are not exposed on the Internet (configure the cloud firewall accordingly), you don’t even need HTTPS since all communication will take place inside the secure SSH tunnel.

Hope this helps!
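An added example (not part of the original reply): the tunnel from the post with the remote forward listening on cloud-server port 8043, as the bullet list describes, and a check of where that port actually listens. With `GatewayPorts yes`, sshd binds remote forwards to the wildcard address, so the home Orthanc becomes reachable on cloud-server's port 8043 from any host the cloud firewall admits; the peer setup above only needs loopback, which is what `GatewayPorts no` gives. Host, user and ports come from the post; the function names and the `ss -ltn` samples are constructed.

```shell
#!/bin/sh
# Added example. Host, user and ports follow the post; function names are hypothetical.

# Run on home-pc. -N: forwards only, no remote shell.
# ExitOnForwardFailure: abort instead of continuing with a forward that failed to bind.
open_tunnel() {
    ssh -N -o ExitOnForwardFailure=yes \
        -L 127.0.0.1:8043:localhost:8042 \
        -R 8043:localhost:8042 \
        "${1:-myuser@cloud-server}"
}

# Reads `ss -ltn` output on stdin and prints every non-loopback address
# listening on port $1. Status: 0 loopback-only, 1 exposed, 2 not listening.
listen_scope() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            n = split($4, part, ":")
            if (part[n] != port) next
            seen = 1
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") { print addr; exposed = 1 }
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }'
}

# Constructed `ss -ltn` output from cloud-server under each GatewayPorts setting.
SAMPLE_GATEWAY_NO='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8042     0.0.0.0:*
LISTEN 0      128    127.0.0.1:8043     0.0.0.0:*
LISTEN 0      128    [::1]:8043         [::]:*'
SAMPLE_GATEWAY_YES='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:8042     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8043       0.0.0.0:*'

for name in NO YES; do
    eval "sample=\$SAMPLE_GATEWAY_$name"
    printf '%s\n' "$sample" | listen_scope 8043 >/dev/null && verdict="loopback only" || verdict="exposed"
    echo "GatewayPorts $name: port 8043 is $verdict"
done
```

On a live cloud-server, run `ss -ltn | listen_scope 8043` while the tunnel is up; any address it prints is an interface on which the home Orthanc is reachable without going through SSH.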

Thank you for all your help! This is just what I needed for my setup. Really appreciate it!


When I’m configuring the Orthancs to set up peers, in the local Orthanc’s config file, do I add the cloud server as cloudIP:8042? or localIP:8043?

and in the cloud server’s config file, do I add the local server as localIP:8042? or cloudIP:8043?

If you choose to use the SSH route, with a cloud machine and a local PC, every PC sees itself as localhost:8042 and the other as localhost:8043

So, the peer is always localhost:8043.

  • In the local Orthanc’s config file, the cloud server is localhost:8043
  • In the cloud server’s config file, the local server is localhost:8043

(I know this looks strange, but this is how SSH tunnels work)

As soon as the tunnel is created, you do not have to use the cloud IP anywhere.

I managed to set it all up and it’s working perfectly! Thank you for all the help.


Kudos, I am glad you succeeded !

You’re welcome.

I’m trying to set up a reverse proxy (nginx) to enable CORS. Firstly, am I supposed to create a new nginx config file to write the server block? Where else am I supposed to put -


I’ve allowed traffic through port 80 on my EC2 instance. In the nginx config file, do I need to put the IP address of my EC2 instance in front of server_name? And in proxy pass, do I put 127.0.0.1:8042 or EC2IP:8042?

Hi Jyotirmay,

I seem to recall that, when running nginx directly (not with a container), the proper way is not to overwrite the main nginx config file, but to put your configuration file somewhere and to create a symlink in /etc/nginx/sites-enabled so that it’s picked by nginx. Make sure you disable the default one that already uses port 80.

If you are running orthanc and nginx directly on the EC2 instance, localhost will be OK.

This setup uses orthanc instead because both Orthanc and nginx are running as containers in a separate network (by default, docker-compose creates a separate network and you only pick the ports that you want to map on the host).

Another option would be for you to disable the system nginx and instead run such a docker-compose setup. I personally think it’s far easier to work that way, since you don’t change any system-level files and can easily restart from scratch.

When I try wadouri:http://EC2IP:80/instances/identifier/file, it gives me a bad request.

My nginx config file looks like this.

Never mind, I figured it out.