CN114095188A - Processing method and device of virtual private network and electronic equipment - Google Patents

Processing method and device of virtual private network and electronic equipment

Info

Publication number
CN114095188A
Authority
CN
China
Prior art keywords
vpn
service
client
environment
virtual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010756235.9A
Other languages
Chinese (zh)
Inventor
邓立才
章成飞
孙金庆
胥帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN202010756235.9A
Publication of CN114095188A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for verifying identity or authority involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for verifying identity or authority involving certificates, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the invention provides a processing method and apparatus for a virtual private network, and an electronic device. The method comprises: creating a VPN service in an island environment (an isolated network); configuring, according to the network and routing configuration of the island environment, a network segment for the VPN service and data forwarding rules between the VPN service and the internal services of the island environment; and receiving a VPN tunnel connection request from a client, whereupon the VPN service allocates a virtual IP address to the client, taken from the network segment assigned to the VPN service, and establishes a VPN tunnel between the client and the VPN service.

Description

Processing method and device of virtual private network and electronic equipment
Technical Field
The application relates to a processing method and apparatus for a virtual private network, and an electronic device, and belongs to the field of computer technology.
Background
For security reasons, some proprietary (private) cloud environments must be deployed as an island environment: isolated from external office networks and from clients on the Internet. Cloud products, however, rarely exist in isolation; they depend to a greater or lesser degree on services provided by other products.
In the prior art, a developer building a cloud product against a proprietary cloud deployed as an island environment has to mock the services the product depends on locally, for example by running a local database or a local HTTP server. This is time-consuming and, more importantly, some cloud products cannot be backed by local mocks at all, so those functions cannot be fully self-tested during development and their testing is pushed to the integration stage. In addition, a locally mocked service never behaves exactly like the real one, so problems tend to surface only in the integration test environment, which is a considerable inconvenience for cloud product development.
Disclosure of Invention
An embodiment of the invention provides a processing method and apparatus for a virtual private network, and an electronic device, by which a client can invoke services inside an island environment.
To this end, an embodiment of the invention provides a processing method for a virtual private network, comprising:
creating a VPN service in an island environment;
configuring, according to the network and routing configuration of the island environment, a network segment for the VPN service and data forwarding rules between the VPN service and the internal services of the island environment;
receiving a VPN tunnel connection request from a client, whereupon the VPN service allocates a virtual IP address to the client, taken from the network segment assigned to the VPN service, and establishes a VPN tunnel between the client and the VPN service.
An embodiment of the invention also provides a processing method for a virtual private network, comprising:
acquiring a VPN authentication certificate corresponding to an island environment;
sending a VPN tunnel connection request carrying the VPN authentication certificate to the VPN service on the VPN server;
and receiving the virtual IP address allocated by the VPN service, creating a virtual network interface locally with that virtual IP address, and establishing a VPN tunnel between the virtual network interface and the VPN service.
An embodiment of the invention further provides a processing apparatus for a virtual private network, comprising:
a VPN service creation module for creating a VPN service in an island environment;
a VPN service configuration module for configuring, according to the network and routing configuration of the island environment, the network segment of the VPN service and the data forwarding rules between the VPN service and the internal services in the island environment;
and a VPN communication establishing module for receiving a VPN tunnel connection request from a client, triggering the VPN service to allocate a virtual IP address to the client, and establishing a VPN tunnel between the client and the VPN service, the virtual IP address lying in the network segment corresponding to the VPN service.
An embodiment of the invention further provides a processing apparatus for a virtual private network, comprising:
an environment information acquisition module for acquiring a VPN authentication certificate corresponding to an island environment;
and a VPN data communication module for sending a VPN tunnel connection request carrying the VPN authentication certificate to the VPN service on the VPN server, receiving the virtual IP address allocated by the VPN service, creating a virtual network interface locally with that address, and establishing a VPN tunnel to the VPN service through the virtual network interface.
An embodiment of the invention further provides an electronic device, comprising:
a memory for storing a program;
and a processor for running the program stored in the memory so as to execute the processing method of the virtual private network described above.
According to the processing method and apparatus for a virtual private network and the electronic device of the embodiments of the invention, a client-facing VPN service is dynamically created in the island environment by the VPN server, and the client then connects to this VPN service to establish a VPN tunnel. The VPN service thus mediates between the client and the other internal services in the island environment, the client can conveniently and securely invoke the various services in the island environment, and the cloud product under development can be tested in the island environment.
The foregoing is only an overview of the technical solution of the invention; embodiments of the invention are described below so that the technical means of the invention can be understood more clearly and the above and other objects, features and advantages become more apparent.
Drawings
Fig. 1 is a schematic diagram of an embodiment of a VPN system architecture based on an island environment;
Fig. 2 is a second schematic diagram of an embodiment of a VPN system architecture based on an island environment;
Fig. 3 is a flowchart of a processing method of a virtual private network according to an embodiment of the invention;
Fig. 4 is a second flowchart of a processing method of a virtual private network according to an embodiment of the invention;
Fig. 5 is a schematic structural diagram of a processing apparatus of a virtual private network according to an embodiment of the invention;
Fig. 6 is a second schematic structural diagram of a processing apparatus of a virtual private network according to an embodiment of the invention;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the invention provides a processing method for establishing a Virtual Private Network (VPN) tunnel between a client and an island environment, so that the client can conveniently and securely invoke the various services in the island environment and a cloud product under development can be tested in the island environment.
Fig. 1 and Fig. 2 are schematic diagrams of an island-environment-based VPN system architecture according to an embodiment of the invention. The island environment shown may be a proprietary cloud environment. A VPN server that handles all VPN-related transactions is placed in the island environment, and every access from outside reaches the VPN server first; the VPN server may be a physically separate machine or a virtual server running on some physical host. In the example of Fig. 2 the island environment contains several servers, of which the VPN server is the externally facing one, connected to the others over the local area network. In the architecture of this embodiment there may be several island environments, each with its own VPN server, and each communicates with clients through a jump host (springboard machine). The jump host has several network ports, each of which may correspond to one island environment; after the jump host receives access data from a client, it selects the port corresponding to the target island environment and forwards the data there, thereby distributing traffic among the island environments. The correspondence between ports on the jump host and island environments may be implemented by configuring the jump host's iptables (the IP packet filtering system of the Linux kernel, which manages filtering and forwarding of packets by controlling the kernel's netfilter module).
Within a given island environment, the VPN server establishes the connection between the internal services and the client while keeping the internal and external network environments effectively isolated. The VPN server may specifically comprise a VPN management module, the VPN service, and iptables. The VPN management module creates the VPN service and performs its various configurations, for example the network segment of the VPN service and its data forwarding rules, and it provides the client with the VPN authentication certificate, the Domain Name System (DNS) information of the island environment, and the other information needed to establish a VPN tunnel and access the island environment. The VPN service is itself one of the services running in the island environment and can be dynamically created and configured by the VPN management module as needed. Once created, the VPN service establishes VPN tunnels, receives access requests from clients, and forwards a client's request for an internal service to the corresponding internal service in the island environment according to the data forwarding rules configured by the VPN management module; here "internal service" means any service running in the island environment other than the VPN service. The data forwarding rules are implemented by configuring iptables: the VPN management module configures the forwarding rules for the VPN service in iptables according to the network and routing configuration of the island environment, which may be done with SNAT (Source Network Address Translation), so that the client can reach the other services in the island environment.
Because the internal deployments of different island environments may differ greatly, the configuration of the VPN service and of iptables may differ from one island environment to the next, which reflects the flexibility of the VPN tunnel configuration in this embodiment. In addition, to prevent a user who has connected to the island environment from logging into machines directly over SSH and performing operations that could damage the environment, restrictive rules may be added through the filter function of iptables, for example a rule in the FORWARD chain that rejects TCP port 22 from the VPN client segment, so that VPN users cannot SSH into the services directly.
The VPN service may be an OpenVPN service. OpenVPN is a technology for creating encrypted VPN tunnels; it allows the VPN to authenticate peers with public-key certificates or with a username and password, and it uses the SSL/TLS protocol implementation of the OpenSSL cryptographic library. Specifically, after receiving a VPN tunnel connection request from a client, the VPN service allocates a virtual IP address to the client and establishes a VPN tunnel between the client and the VPN service, the virtual IP address lying in the network segment corresponding to the VPN service. For example, if the VPN management module has assigned the segment 192.168.254.0/24 to the VPN service, the VPN service selects an unused virtual IP address from that segment. Note that once created, a VPN service can provide VPN tunnels to several clients, limited by the available IP addresses in the segment. On receiving the virtual IP address allocated by the VPN service, the client creates a virtual network interface locally with that address and sends access data to, and receives return data from, the island environment through it. After connecting to the island environment in this way, the client machine holds a virtual IP in the same segment as the VPN service and is, in effect, on the same local area network as the other services in the island environment, so remote debugging can be carried out directly.
In this embodiment the VPN service may be created over HTTP (HyperText Transfer Protocol) and/or UDP (User Datagram Protocol); when the OpenVPN service is used, a UDP-based VPN tunnel may be created for higher transmission efficiency (OpenVPN itself runs over either TCP or UDP).
In this embodiment the jump host acts as an intermediate agent between the network where the client is located and the island environments. It manages traffic forwarding with the iptables installed on it: a port is assigned to each island environment, and the SNAT and DNAT (Destination Network Address Translation) functions of iptables perform address translation, so that the jump host can efficiently relay traffic between the client and the island environment. Each island environment is allotted one port on the jump host for traffic forwarding, and the port configuration on the jump host can be set and modified through the VPN management module of the island environment.
On the client side, VPN tunnel establishment and data transmission can be achieved by installing a VPN application for connecting to the island environment. The client's VPN application may comprise an environment information acquisition module and a VPN data communication module. The environment information acquisition module interacts with the VPN management module to obtain the VPN authentication certificate, environment data and the like; the VPN data communication module interacts with the VPN service in the island environment to establish the VPN tunnel and communicate over it. After obtaining the VPN authentication certificate, the environment information acquisition module hands it to the VPN data communication module for subsequent access to the VPN service; it also obtains the DNS information of the island environment from the VPN management module and writes it into the local hosts file for domain name resolution of subsequent accesses. With OpenVPN, the VPN data communication module may be built on Tunnelblick (a graphical user interface for OpenVPN on macOS that provides connection control for OpenVPN).
According to the processing method of the virtual private network of this embodiment, a client-facing VPN service is dynamically created in the island environment by the VPN server, and the client then connects to this VPN service to establish a VPN tunnel. The VPN service thus mediates between the client and the other internal services of the island environment, the client can conveniently and securely invoke the various services in the island environment, and the cloud product under development can be tested in the island environment. Moreover, all access requests from outside the island environment are directed to the VPN service, which forwards them to the other internal services, so the VPN service provides a point of security isolation and monitoring that effectively protects the island environment.
In addition, because the VPN management module sits on the VPN server, environment information such as the island environment's DNS data and the metadata of its internal services can be handed to the client conveniently, so that users can easily invoke the internal services of the island environment. The VPN tunnel creation process needs no manual configuration by the user: the VPN management module in the island environment configures the VPN service and iptables flexibly according to the environment's configuration, reducing the complexity of creating a VPN tunnel. Furthermore, by establishing a correspondence between each network port on the jump host and each island environment, access data for the island environments can be effectively split, which facilitates managing several island environments. The technical solution of the invention is further illustrated by the following specific examples.
Example one
Fig. 3 is a flowchart of a processing method of a virtual private network according to an embodiment of the invention. The method may be applied on the VPN server of an island environment to establish a VPN tunnel with a client, and comprises:
S101: Create a VPN service in the island environment. In this embodiment the island environment is provided with a VPN server that handles VPN-related transactions, and all access from outside reaches the VPN server first. A VPN service can be created and run on the VPN server; it is one of the services running in the island environment and can be created and configured dynamically as needed. The VPN service may be an OpenVPN service, so that a UDP-based VPN tunnel can be established for higher transmission efficiency. Creation and configuration of the VPN service may be done by the VPN management module on the VPN server: the VPN service is created and configured when a client needs a VPN tunnel to the island environment, and when the client no longer needs the tunnel the VPN management module can tear the VPN service down and release its resources. Note that when VPN service creation is triggered by a client initiating a VPN tunnel connection request, a VPN authentication certificate corresponding to the VPN service may be generated at creation time for the client's subsequent access. After the VPN service has started, the VPN tunnel connection request is passed to the VPN service, which establishes the tunnel. Once the VPN service exists, connection requests from further clients can be handled by it directly, i.e. processing proceeds straight to step S103 below.
S102: According to the network and routing configuration of the island environment, configure the network segment of the VPN service and the data forwarding rules between the VPN service and the internal services in the island environment. This configuration may be performed by the VPN management module described above. The network segment allocated to the VPN service is used to hand out virtual addresses to clients when the VPN service establishes VPN tunnels; the VPN service's own IP address lies in this segment, and the segment is an internal network segment of the island environment. The data forwarding rules may be implemented by configuring iptables in the island environment, specifically by SNAT configuration in iptables, which establishes forwarding between the VPN service and the internal services so that access requests from the client are forwarded to the servers hosting the other internal services. Note that the VPN server may be a stand-alone machine or a virtual server or module running on a host, so other internal services may run on the same server as the VPN service or on other servers; in either case the client's access request is forwarded through the iptables rules to the server hosting the corresponding internal service, and returned data is received from that server the same way. When the OpenVPN service is used, a virtual network interface is created on the VPN server; data communication with the other internal services goes through this interface, external access data is directed to it, and forwarding is performed according to the iptables configuration.
S103: Receive a VPN tunnel connection request from a client, have the VPN service allocate a virtual IP address to the client, and establish a VPN tunnel between the client and the VPN service, the virtual IP address lying in the network segment corresponding to the VPN service. As described above, the VPN service is assigned an internal network segment of the island environment; when a VPN tunnel is established, an IP address from that segment is selected as the virtual IP address for the client, and the client, on receiving it, creates a virtual network interface locally using that address. Because the virtual IP address and the VPN service are in the same segment, access data sent from the virtual interface is directed straight to the VPN service, and because that segment is an internal segment of the island environment, the client is effectively on the same local area network as the other servers in the island environment, so remote debugging can be performed.
Further, the method may include generating a VPN authentication certificate corresponding to the VPN service and transmitting it to the client in response to the client's certificate download request. With the certificate, the client can initiate a VPN tunnel establishment request based on it; accordingly, the VPN tunnel establishment request received by the VPN service carries the VPN authentication certificate, and only after the request passes verification does the VPN service go on to allocate a virtual IP address. The method may also include sending environment information such as the DNS information of the island environment to the client so that the client can access it. These operations may be performed by the VPN management module on the VPN server.
In this embodiment the island environment may communicate with the client through a jump host, and there may be several island environments. The jump host is provided with several network ports and splits the data destined for the island environments by establishing a mapping between each network port and each island environment. Accordingly, the method may further include: performing routing configuration on the jump host and allotting a designated port on it to the island environment for data forwarding, so that the client's access data for the island environment is forwarded through the designated port to the VPN server in that island environment.
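As an added example that is not part of the patent, the following shell functions show what the jump host's port-to-island mapping described here and in the architecture section above looks like in iptables terms: one UDP port per island environment on the external interface, DNATed to that island's VPN server and SNATed to the jump host's internal address so replies return through the jump host. Interface names (eth0/eth1), addresses, ports and the sample port map are assumptions; the functions only print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the patent): iptables rules for the jump host that
# fronts several island environments. Each island gets its own UDP port on the
# jump host's external interface; traffic to that port is DNATed to that
# island's VPN server and SNATed to the jump host's internal address so the
# replies come back through the jump host. All interface names, addresses and
# ports are assumptions for illustration. The functions only print the rules;
# pipe their output into sh to apply them on the jump host.

# Rules mapping one jump-host port to one island's VPN server.
# Args: ext_if int_if int_ip bastion_port island_vpn_ip island_vpn_port
island_port_rules() {
    ext_if=$1; int_if=$2; int_ip=$3; port=$4; vpn_ip=$5; vpn_port=$6
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$port" "$vpn_ip" "$vpn_port"
    printf 'iptables -t nat -A POSTROUTING -o %s -p udp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$int_if" "$vpn_ip" "$vpn_port" "$int_ip"
    printf 'iptables -A FORWARD -i %s -o %s -p udp -d %s --dport %s -j ACCEPT\n' \
        "$ext_if" "$int_if" "$vpn_ip" "$vpn_port"
}

# Base rules: enable forwarding, default-deny the FORWARD chain so only the
# explicitly mapped ports pass, and let replies from the islands flow back.
bastion_base_rules() {
    ext_if=$1; int_if=$2
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -P FORWARD DROP'
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$int_if" "$ext_if"
}

# Build the complete rule set from a port map with one island per line,
# "name bastion_port island_vpn_ip" (the VPN servers all listen on 1194 here).
bastion_rules_from_map() {
    ext_if=$1; int_if=$2; int_ip=$3; map=$4
    bastion_base_rules "$ext_if" "$int_if"
    printf '%s\n' "$map" | while read -r name port vpn_ip; do
        [ -n "$name" ] || continue
        echo "# island: $name"
        island_port_rules "$ext_if" "$int_if" "$int_ip" "$port" "$vpn_ip" 1194
    done
}

# Constructed sample port map: two island environments behind one jump host.
SAMPLE_MAP='island-a 11941 10.10.1.5
island-b 11942 10.10.2.5'

# Usage (prints the rules; append "| sh" on the jump host to apply them):
#   bastion_rules_from_map eth0 eth1 10.10.0.254 "$SAMPLE_MAP"
```

The default DROP policy on FORWARD is what makes the port map a real access-control boundary rather than a convenience: a client can only reach the VPN port of the island its port maps to, and nothing else behind the jump host.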
After the VPN tunnel is established, the VPN service may receive service invocation requests from the client and forward them to the corresponding internal service according to the data forwarding rules. In practice, the product under test runs on the client and invokes the internal services of the island environment through the VPN tunnel: an invocation request for an internal service is sent to the local virtual network interface, travels through the VPN tunnel to the VPN service, and is forwarded by the VPN service to the other internal services according to the forwarding rules set in iptables. The client cannot bypass the VPN service when accessing the island environment, so the VPN service provides effective isolation, and the iptables on the VPN server can block unauthorised access and login operations; for the other internal services, the VPN service is on the same local area network as they are, so invoking them is straightforward.
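The following shell script is an added example, not code from the patent or from Alibaba, covering the VPN server side of steps S101 to S103 together with the SNAT forwarding and SSH restriction described in the architecture section above: it renders an OpenVPN server configuration for the segment the management module assigned, emits the iptables SNAT and filter rules, and allocates a free virtual IP address from the segment. Interface names, addresses, file names, and the choice of tls-crypt and remote-cert-tls are assumptions on top of what the patent states.

```shell
#!/bin/sh
# Added example (not from the patent): what the VPN management module would
# generate for one island environment. It renders an OpenVPN server config,
# the iptables rules that forward tunnel traffic to internal services with
# SNAT while blocking SSH from VPN clients, and picks a free virtual IP from
# the VPN segment. Interface names, addresses and file names are assumptions.
# Nothing here applies anything; the functions print text for review.

# OpenVPN server config for the segment the management module assigned.
# Args: port vpn_net vpn_mask lan_net lan_mask
# 'remote-cert-tls client' rejects peers whose certificate lacks the client
# EKU, so a leaked server certificate cannot be reused as a client credential.
vpn_server_conf() {
    port=$1; vpn_net=$2; vpn_mask=$3; lan_net=$4; lan_mask=$5
    cat <<EOF
port $port
proto udp
dev tun
topology subnet
server $vpn_net $vpn_mask
push "route $lan_net $lan_mask"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
remote-cert-tls client
client-config-dir ccd
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# iptables rules on the VPN server. Args: tun_if lan_if lan_ip vpn_cidr
# Rule order matters: the SSH reject must precede the general ACCEPT.
vpn_forward_rules() {
    tun_if=$1; lan_if=$2; lan_ip=$3; vpn_cidr=$4
    echo 'sysctl -w net.ipv4.ip_forward=1'
    # SNAT: internal services see the VPN server's LAN address, so no host in
    # the island needs a route back to the VPN segment.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$vpn_cidr" "$lan_if" "$lan_ip"
    # Forbid SSH from VPN clients to any internal host, then allow the rest.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p tcp --dport 22 -j REJECT --reject-with tcp-reset\n' \
        "$tun_if" "$lan_if" "$vpn_cidr"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$tun_if" "$lan_if" "$vpn_cidr"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$lan_if" "$tun_if"
    # No SSH to the VPN server itself over the tunnel either.
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$tun_if"
}

# Pick the lowest unused host address in a /24 VPN segment (.1 is the server
# in subnet topology; .0 and .255 are never handed out).
# Args: prefix ("192.168.254") used (space-separated addresses already taken)
alloc_virtual_ip() {
    prefix=$1; used=$2; i=2
    while [ "$i" -le 254 ]; do
        candidate="$prefix.$i"
        case " $used " in
            *" $candidate "*) i=$((i + 1)) ;;
            *) echo "$candidate"; return 0 ;;
        esac
    done
    return 1
}

# Static assignment line for a client's ccd file, pinning the chosen address.
client_ccd_line() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Usage:
#   vpn_server_conf 1194 192.168.254.0 255.255.255.0 10.10.1.0 255.255.255.0 > server.conf
#   vpn_forward_rules tun0 eth0 10.10.1.5 192.168.254.0/24 | sh
#   client_ccd_line "$(alloc_virtual_ip 192.168.254 "192.168.254.2")" > ccd/dev-client-1
```

The rules are appended in the order emitted, which is what makes the port 22 rejection take precedence over the general ACCEPT; if the FORWARD chain already carries a permissive rule ahead of these, the restriction is silently ineffective, so check `iptables -L FORWARD -n --line-numbers` after loading.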
According to the processing method of the virtual private network of this embodiment, a client-facing VPN service is dynamically created in the island environment by the VPN server, and the client then connects to this VPN service to establish a VPN tunnel, so that the VPN service mediates between the client and the other internal services of the island environment, the client can conveniently and securely invoke the various services in the island environment, and the cloud product under development can be tested in the island environment.
Example two
Fig. 4 is a second flowchart of the processing method of a virtual private network according to an embodiment of the present invention. This variant of the method applies to a client that needs to access an island environment and includes:
S201: obtain a VPN authentication certificate corresponding to the island environment. The VPN authentication certificate is used for security verification when the client connects to the island environment. It can be downloaded from the VPN server in the island environment, but it is not limited to that source and may be provided to the client in other ways. In this embodiment, a VPN application for connecting to the island environment may be pre-installed on the client; the application establishes the VPN tunnel and transmits data. The VPN authentication certificate may be generated by a VPN management module on the VPN server and provided to the client.
S202: send a VPN tunnel connection request carrying the VPN authentication certificate to the VPN service on the VPN server. As mentioned above, the island environment communicates with the client through a jump host, which may expose several network ports and steer access traffic by mapping each port to one island environment. In this step, therefore, the VPN tunnel connection request may be sent to the VPN server through the jump-host port that corresponds to the island environment to be accessed.
S203: receive the virtual IP address allocated by the VPN service, create a virtual network interface locally according to that address, and establish a VPN tunnel between the virtual network interface and the VPN service. The virtual IP address the VPN service allocates to the client lies in the network segment corresponding to the VPN service, so the client is placed in the same segment as the VPN service, that is, in the same local network as the other servers in the island environment, and remote debugging becomes possible.
After the VPN tunnel is established, the client can invoke services in the island environment, so the method may further include:
S204: send a service invocation request through the VPN tunnel to the VPN service in the island environment and receive the returned data from the VPN service. The product under test on the client initiates a call to an internal service in the island environment; the call request is sent to the client's local virtual network interface, is directed to the VPN service over the established VPN tunnel (that is, over the routing relationship between the virtual interface on the client and the virtual interface on the VPN server), and is then forwarded by the VPN service to the target internal service in the island environment, which completes the call.
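Steps S201 to S204 on the client side, as an added shell example written for this page and not taken from the patent: it renders an OpenVPN client profile for one island environment from the downloaded certificate material, picks the jump-host port that is mapped to that environment, and checks that the virtual IP address the VPN service pushes actually lies inside that environment's VPN segment. The environment names, ports, subnets, jump-host name and file names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the patent): the client side of steps S201-S204.
# Environment names, ports, subnets, hostnames and file names are assumptions.

# Constructed table: environment, jump-host UDP port, VPN segment of the environment.
ENV_TABLE="
env-a 11941 10.8.0.0/24
env-b 11942 10.9.0.0/24
"

env_port()   { printf '%s\n' "$ENV_TABLE" | awk -v e="$1" '$1==e {print $2}'; }
env_subnet() { printf '%s\n' "$ENV_TABLE" | awk -v e="$1" '$1==e {print $3}'; }

# render_client_conf ENV JUMP_HOST -> OpenVPN client profile on stdout.
# ca/cert/key/ta are the "VPN authentication certificate" material obtained in
# S201 (assumed file names). remote-cert-tls and verify-x509-name make the client
# refuse any peer that is not the environment's own VPN service.
render_client_conf() {
  env=$1; jump_host=$2
  port=$(env_port "$env")
  [ -n "$port" ] || { echo "unknown environment: $env" >&2; return 1; }
  cat <<EOF
client
dev tun
proto udp
remote $jump_host $port
nobind
ca ca-$env.crt
cert client-$env.crt
key client-$env.key
tls-crypt ta-$env.key
remote-cert-tls server
verify-x509-name vpn.$env name
cipher AES-256-GCM
auth-nocache
persist-key
persist-tun
EOF
}

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR -> success when IP falls inside CIDR
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_assigned_ip ENV IP -> success only if the address pushed by the VPN
# service (S203) is inside ENV's segment. Anything else means the tunnel is not
# giving the client the island-internal address it expects and it should stop.
check_assigned_ip() {
  subnet=$(env_subnet "$1")
  [ -n "$subnet" ] && in_subnet "$2" "$subnet"
}

# Stand-alone use (assumed jump host name):
#   sh island_client.sh env-a jump.example.internal > env-a.ovpn
if [ $# -eq 2 ]; then
  render_client_conf "$1" "$2"
fi
```

The profile pins the server identity twice: remote-cert-tls server rejects a certificate that was issued for client use, and verify-x509-name rejects a server certificate issued for a different environment, so a wrong jump-host port cannot silently connect the client to another environment's VPN service.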
Example three
Fig. 5 is a schematic structural diagram of a processing device of a virtual private network according to an embodiment of the present invention. The device may be deployed on the VPN server in an island environment to establish a VPN tunnel with a client, and it includes:
VPN service creation module 11, configured to create a VPN service in the island environment. The VPN service is created and run on the VPN server; it is itself one of the services running in the island environment and can be created and configured dynamically as needed. The VPN service may be an OpenVPN service, so that a UDP-based VPN tunnel can be established for higher transmission efficiency (a UDP transport also avoids the retransmission interaction that arises when TCP traffic is tunnelled over a TCP tunnel).
VPN service configuration module 12, configured to set the network segment of the VPN service according to the network and routing configuration of the island environment, and to configure the data forwarding rule between the VPN service and the internal services in the island environment. The network segment allocated to the VPN service is used to assign virtual addresses to clients when the VPN service establishes a tunnel; the VPN service's own IP address lies in that segment, and the segment is an internal segment of the island environment. The data forwarding rule may be configured through iptables in the island environment, specifically by adding an SNAT rule in iptables, so that requests from a client are forwarded to the servers hosting the other internal services with the VPN server's internal address as their source and the replies return to the VPN server, which passes them back through the tunnel. SNAT only rewrites the source address: IP forwarding must be enabled on the VPN server and the FORWARD chain must admit the tunnel-to-internal traffic, and the same chain is the place to confine clients to the internal services they are meant to reach.
VPN tunnel establishing module 13, configured to receive a VPN tunnel connection request from the client, trigger the VPN service to allocate a virtual IP address to the client, and establish a VPN tunnel between the client and the VPN service, where the virtual IP address lies in the network segment corresponding to the VPN service. As described above, the VPN service is assigned an internal network segment of the island environment. When a tunnel is established, an address is selected from that segment and assigned to the client as its virtual IP address; the client then creates a virtual network interface locally and configures it with that address. Because the virtual IP address and the VPN service are in the same segment, traffic sent from the virtual interface goes directly to the VPN service, and because that segment is an internal segment of the island environment, the client is effectively on the same local network as the other servers in the island environment, so remote debugging can be performed.
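The server-side configuration that modules 11 to 13 describe, and the forwarding path from the client through the VPN service to the internal services described in the method embodiment above, as an added shell example written for this page rather than code from the patent: render_server_conf produces the OpenVPN configuration that allocates client virtual addresses from the environment-internal VPN segment and pushes the internal route and DNS, and render_forward_rules produces the iptables rules that forward tunnel traffic to the internal services with SNAT while confining clients to those services and keeping them off the VPN server itself. The subnets, interface names, DNS address and file names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the patent): OpenVPN server configuration and
# iptables forwarding rules for the VPN service inside one island environment.
# Subnets, interface names, the DNS address and file names are assumptions.

# render_server_conf VPN_NET VPN_MASK INTERNAL_NET INTERNAL_MASK DNS_IP
render_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt ta.key
# virtual IP pool: the VPN service takes the first address, clients get the rest
server $1 $2
# route to the internal services and the environment's DNS, pushed to the client
push "route $3 $4"
push "dhcp-option DNS $5"
# only certificates issued for client use are accepted
remote-cert-tls client
cipher AES-256-GCM
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
EOF
}

# render_forward_rules VPN_CIDR INTERNAL_CIDR TUN_IF LAN_IF SNAT_IP
# The permissive variant ("iptables -P FORWARD ACCEPT" plus a MASQUERADE for the
# whole VPN subnet) would let a client reach anything routable from the VPN
# server; the rules below allow only tunnel -> internal services.
render_forward_rules() {
  vpn=$1; internal=$2; tun=$3; lan=$4; snat=$5
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# forwarding: tunnel clients may reach the internal service network only
iptables -A FORWARD -i $tun -o $lan -s $vpn -d $internal -j ACCEPT
iptables -A FORWARD -i $lan -o $tun -d $vpn -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -j DROP
# the VPN server itself is not a login target for tunnel clients
iptables -A INPUT -i $tun -j DROP
# SNAT: internal services see the VPN server's own internal address as the source
iptables -t nat -A POSTROUTING -s $vpn -d $internal -o $lan -j SNAT --to-source $snat
EOF
}

# Stand-alone use (all values assumed):
#   sh island_vpn_server.sh render > server.conf   (rules go to stderr for review)
if [ "${1:-}" = "render" ]; then
  render_server_conf 10.8.0.0 255.255.255.0 172.16.0.0 255.255.0.0 172.16.0.53
  render_forward_rules 10.8.0.0/24 172.16.0.0/16 tun0 eth0 172.16.0.10 >&2
fi
```

The INPUT drop on the tunnel interface is what makes the "no login to the VPN server through the tunnel" property hold; OpenVPN's own control traffic arrives on the physical interface, so the rule does not affect tunnel establishment.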
The device may further include a VPN certificate processing module 14, configured to generate a VPN authentication certificate corresponding to the VPN service and to send it to the client in response to a certificate download request from the client. After receiving the certificate, the client initiates the VPN tunnel establishment request with it, so the request received by the VPN service carries the VPN authentication certificate; once the request passes verification, the VPN service proceeds to allocate the virtual IP address.
In addition, the island environment may communicate with the client through a jump host. There may be several island environments; the jump host exposes several network ports and steers access traffic by mapping each port to one island environment. Accordingly, the device may further include a jump host configuration module, used to configure routing on the jump host and to assign the island environment a designated port on the jump host for data forwarding, so that access traffic from the client destined for the island environment is forwarded through the designated port to the VPN server inside that environment.
The processing procedure, technical principle and technical effect are described in detail in the foregoing embodiments and are not repeated here.
According to the processing device of the virtual private network provided by this embodiment, the VPN server in the island environment dynamically creates a client-facing VPN service, the VPN service then connects to the client to establish a VPN tunnel, and the VPN service thereby mediates between the client and the other internal services in the island environment. The client can call the services in the island environment conveniently and safely, and a cloud product under development can be tested against the island environment.
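The port-to-environment mapping that the jump host configuration module maintains, as an added shell example written for this page and not code from the patent: each island environment is given one UDP port on the jump host, a DNAT rule rewrites traffic arriving on that port to the VPN server inside that environment, the FORWARD chain admits nothing else from the client side, and a check refuses a mapping in which two environments share a port. The ports, addresses and interface name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the patent): per-environment port mapping on the
# jump host. Ports, addresses and the interface name are assumptions.

# Constructed mapping: environment, jump-host UDP port, VPN server address inside it
PORT_MAP="
env-a 11941 10.10.1.5
env-b 11942 10.10.2.5
"

# env_for_port PORT -> environment name; fails when the port is not mapped
env_for_port() {
  printf '%s\n' "$PORT_MAP" | awk -v p="$1" '$2==p {print $1; f=1} END {exit (f ? 0 : 1)}'
}

# check_unique_ports -> fails if two environments share a port, which would
# silently deliver one environment's clients to another environment's VPN server
check_unique_ports() {
  dups=$(printf '%s\n' "$PORT_MAP" | awk 'NF {print $2}' | sort | uniq -d)
  [ -z "$dups" ]
}

# render_jump_rules WAN_IF -> iptables commands, one DNAT per mapped environment
render_jump_rules() {
  wan=$1
  check_unique_ports || { echo "duplicate ports in PORT_MAP" >&2; return 1; }
  echo "sysctl -w net.ipv4.ip_forward=1"
  printf '%s\n' "$PORT_MAP" | while read -r env port vpn; do
    [ -n "$env" ] || continue
    echo "# $env"
    echo "iptables -t nat -A PREROUTING -i $wan -p udp --dport $port -j DNAT --to-destination $vpn:1194"
    echo "iptables -A FORWARD -i $wan -p udp -d $vpn --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  done
  # replies from the VPN servers back to clients
  echo "iptables -A FORWARD -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # nothing else enters from the client side
  echo "iptables -A FORWARD -i $wan -j DROP"
  # assumed: the VPN servers have no route back through the jump host, so client
  # traffic is masqueraded to the jump host's internal address. Drop this rule
  # when such a route exists and client addresses should stay visible in OpenVPN logs.
  echo "iptables -t nat -A POSTROUTING -p udp --dport 1194 -j MASQUERADE"
}

# Stand-alone use (assumed interface name):  sh island_jump_host.sh eth0
if [ $# -eq 1 ]; then
  render_jump_rules "$1"
fi
```

Because the DNAT target port is always 1194, the jump-host port is the only thing that distinguishes environments at this layer; the client-side certificate pinning (remote-cert-tls, verify-x509-name) is what catches a client that is handed the wrong port.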
Example four
Fig. 6 is a schematic structural diagram of a second processing device of a virtual private network according to an embodiment of the present invention. The device may be installed on a client that needs to access an island environment and includes:
Environment information acquisition module 21, configured to obtain a VPN authentication certificate corresponding to the island environment. The VPN authentication certificate is used for security verification when the client connects to the island environment. It can be downloaded from the VPN server in the island environment, but it is not limited to that source and may be provided to the client in other ways. The environment information acquisition module 21 may also obtain metadata of the island environment, such as DNS information, from the environment's VPN server.
VPN data communication module 22, configured to send a VPN tunnel connection request carrying the VPN authentication certificate to the VPN service on the VPN server, receive the virtual IP address allocated by the VPN service, create a virtual network interface locally according to that address, send service invocation requests to the VPN service in the island environment through the virtual interface, and receive the returned data from the VPN service. The virtual IP address the VPN service allocates to the client lies in the network segment corresponding to the VPN service, so the client is placed in the same segment as the VPN service, that is, in the same local network as the other servers in the island environment, and remote debugging becomes possible. The product under test on the client initiates a call to an internal service in the island environment; the call request is sent to the client's local virtual network interface, is directed to the VPN service over the established VPN tunnel (that is, over the routing relationship between the virtual interface on the client and the virtual interface on the VPN server), and is then forwarded by the VPN service to the target internal service in the island environment, which completes the call.
The island environment may communicate with the client through a jump host. The jump host may expose several network ports and steer access traffic by mapping each port to one island environment, so the VPN tunnel connection request is sent to the VPN server through the jump-host port that corresponds to the island environment to be accessed.
Example five
The foregoing embodiments describe the flow of the processing method of a virtual private network and the structure of the corresponding device. The functions of the method and the device can be implemented by an electronic device. Fig. 7 is a schematic structural diagram of the electronic device according to an embodiment of the present invention; it specifically includes a memory 110 and a processor 120.
The memory 110 is used to store a program.
In addition to the program described above, the memory 110 may also be configured to store various other data to support operations on the electronic device. Examples of such data include instructions for any application or method operating on the electronic device, contact data, phonebook data, messages, pictures, videos, and so forth.
The memory 110 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The processor 120, coupled to the memory 110, is used for executing the program in the memory 110 to perform the operation steps of the processing method of the virtual private network described in the foregoing embodiments.
Further, the processor 120 may also include various modules described in the foregoing embodiments to perform processes related to the virtual private network, and the memory 110 may be used, for example, to store data required for the modules to perform operations and/or output data.
The processing procedure, technical principle and technical effect are described in detail in the foregoing embodiments and are not repeated here.
Further, as shown in the figure, the electronic device may also include communication components 130, power components 140, audio components 150, a display 160, and other components. Only some of the components are shown schematically in the figure, and this does not mean that the electronic device comprises only the components shown.
The communication component 130 is configured to facilitate wired or wireless communication between the electronic device and other devices. The electronic device may access a wireless network based on a communication standard, such as WiFi, a mobile communication network, such as 2G, 3G, 4G/LTE, 5G, or a combination thereof. In an exemplary embodiment, the communication component 130 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 130 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply component 140 provides power to the various components of the electronic device. The power components 140 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for an electronic device.
The audio component 150 is configured to output and/or input audio signals. For example, the audio component 150 includes a Microphone (MIC) configured to receive external audio signals when the electronic device is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signal may further be stored in the memory 110 or transmitted via the communication component 130. In some embodiments, audio assembly 150 also includes a speaker for outputting audio signals.
The display 160 includes a screen, which may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be performed by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the method embodiments described above. The storage medium includes any medium that can store program code, such as ROM, RAM, magnetic disks or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (16)

1. A processing method of a virtual private network, comprising:
creating a VPN service in an island environment;
configuring, according to the network and routing configuration of the island environment, a network segment of the VPN service and a data forwarding rule between the VPN service and an internal service in the island environment; and
receiving a VPN tunnel connection request from a client, wherein the VPN service allocates a virtual IP address to the client and establishes a VPN tunnel between the client and the VPN service, the virtual IP address lying in the network segment corresponding to the VPN service.
2. The method of claim 1, further comprising: generating a VPN authentication certificate corresponding to the VPN service, and sending the VPN authentication certificate to the client in response to a VPN authentication certificate download request from the client,
wherein receiving a VPN tunnel connection request from a client comprises: receiving a VPN tunnel connection request containing the VPN authentication certificate from the client.
3. The method of claim 1, wherein the island environment communicates with the client through a jump host, the method further comprising:
configuring routing on the jump host, and assigning the island environment a designated port on the jump host for data forwarding.
4. The method of claim 1, further comprising:
receiving a service invocation request from the client, and forwarding, by the VPN service, the service invocation request to the corresponding internal service for processing according to the data forwarding rule.
5. The method of claim 1, wherein configuring a data forwarding rule between the VPN service and an internal service in the island environment comprises:
performing SNAT configuration in iptables in the island environment to establish the data forwarding rule between the VPN service and the internal service in the island environment.
6. The method of claim 1, wherein the VPN service is an OpenVPN service, and establishing a VPN tunnel between the client and the VPN service comprises:
establishing a UDP-based VPN tunnel between the client and the VPN service.
7. The method of claim 1, wherein creating a VPN service in an island environment comprises:
creating the VPN service in the island environment in response to a VPN service request from the client, and generating a VPN authentication certificate corresponding to the VPN service.
8. The method of claim 1, further comprising: sending DNS information of the island environment to the client.
9. A processing method of a virtual private network, comprising:
obtaining a VPN authentication certificate corresponding to an island environment;
sending a VPN tunnel connection request carrying the VPN authentication certificate to a VPN service on a VPN server; and
receiving a virtual IP address allocated by the VPN service, creating a virtual network interface locally according to the virtual IP address, and establishing a VPN tunnel between the virtual network interface and the VPN service.
10. The method of claim 9, further comprising:
sending a service invocation request to the VPN service in the island environment through the VPN tunnel, and receiving returned data from the VPN service.
11. A processing device of a virtual private network, comprising:
a VPN service creation module, configured to create a VPN service in an island environment;
a VPN service configuration module, configured to configure, according to the network and routing configuration of the island environment, a network segment of the VPN service and a data forwarding rule between the VPN service and an internal service in the island environment; and
a VPN tunnel establishing module, configured to receive a VPN tunnel connection request from a client, trigger the VPN service to allocate a virtual IP address to the client, and establish a VPN tunnel between the client and the VPN service, the virtual IP address lying in the network segment corresponding to the VPN service.
12. The device of claim 11, further comprising:
a VPN certificate processing module, configured to generate a VPN authentication certificate corresponding to the VPN service, and to send the VPN authentication certificate to the client in response to a VPN authentication certificate download request from the client.
13. The device of claim 11, wherein configuring a data forwarding rule between the VPN service and an internal service in the island environment comprises:
performing SNAT configuration in iptables in the island environment to establish the data forwarding rule between the VPN service and the internal service in the island environment.
14. A processing device of a virtual private network, comprising:
an environment information acquisition module, configured to obtain a VPN authentication certificate corresponding to an island environment; and
a VPN data communication module, configured to send a VPN tunnel connection request carrying the VPN authentication certificate to a VPN service on a VPN server, receive a virtual IP address allocated by the VPN service, create a virtual network interface locally according to the virtual IP address, and establish a VPN tunnel with the VPN service through the virtual network interface.
15. The device of claim 14, wherein the VPN data communication module is further configured to: send a service invocation request to the VPN service in the island environment through the VPN tunnel, and receive returned data from the VPN service.
16. An electronic device, comprising:
a memory for storing a program; and
a processor for executing the program stored in the memory to perform the processing method of the virtual private network according to any one of claims 1 to 10.
CN202010756235.9A 2020-07-31 2020-07-31 Processing method and device of virtual private network and electronic equipment Pending CN114095188A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010756235.9A CN114095188A (en) 2020-07-31 2020-07-31 Processing method and device of virtual private network and electronic equipment

Publications (1)

Publication Number Publication Date
CN114095188A true CN114095188A (en) 2022-02-25

Family

ID=80295069

Country Status (1)

Country Link
CN (1) CN114095188A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212374A (en) * 2006-12-29 2008-07-02 北大方正集团有限公司 Method and system for remote access to campus network resources
CN103023898A (en) * 2012-12-03 2013-04-03 杭州迪普科技有限公司 Method and device for accessing intranet resource of virtual private network (VPN) server
CN104486346A (en) * 2014-12-19 2015-04-01 北京奇艺世纪科技有限公司 Stepping stone system
US20160142374A1 (en) * 2014-11-13 2016-05-19 D. Scott CLARK Private and secure communication systems and methods
CN108737540A (en) * 2018-05-18 2018-11-02 北京车和家信息技术有限公司 The unified login method and device of server
CN109923838A (en) * 2017-05-22 2019-06-21 华为技术有限公司 Bridge the elastic VPN of long-range isolated island
CN111049721A (en) * 2019-12-12 2020-04-21 广州鲁邦通物联网科技有限公司 OpenVPN cluster, construction method thereof, communication method and system
CN111193737A (en) * 2019-12-30 2020-05-22 四川虹美智能科技有限公司 Cloud server access method and system, OpenVPN server and LDAP authentication system
CN111404801A (en) * 2020-03-27 2020-07-10 四川虹美智能科技有限公司 Data processing method, device and system for cross-cloud manufacturer

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘景林: "Design of an OpenVPN application scheme for a university campus network based on LDAP authentication in a Linux environment", Journal of Shangrao Normal University, 31 December 2014 (2014-12-31) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115834529A (en) * 2022-11-23 2023-03-21 浪潮智慧科技有限公司 Remote monitoring method and system for edge equipment
CN115834529B (en) * 2022-11-23 2023-08-08 浪潮智慧科技有限公司 Remote monitoring method and system for edge equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination