CN104869097A - Route limiting method based on virtual private network (VPN), and route limiting device based on VPN - Google Patents

Publication number
CN104869097A
Authority
CN
China
Prior art keywords
vpn
computer
route
access
default route
Legal status
Pending
Application number
CN201410058265.7A
Other languages
Chinese (zh)
Inventor
曾勇刚
Current Assignee
Hangzhou H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date
2014-02-20
Filing date
2014-02-20
Publication date
2015-08-26
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201410058265.7A
Publication of CN104869097A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a VPN-based route limiting method and a VPN-based route limiting device, applied to a computer that accesses a VPN over the Internet. The method comprises: when the computer accesses the VPN from a remote office location, adding a first route to the VPN gateway and a second default route, and setting the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP; and polling all current routes of the computer so that the priority of every other default route is lower than the priority of the second default route. The invention better addresses the security problem of remote office access over a VPN.

Description

A method and device for route restriction based on VPN
Technical field
The present invention relates to the field of virtual private networks (VPN), and in particular to a method and a device for route restriction based on VPN.
Background
A VPN (Virtual Private Network) is a private enterprise network built over the Internet (the public network). A computer at a remote office location connects to a VPN gateway, the VPN gateway performs authentication, and the computer then accesses the intranet through the VPN gateway, which enables remote or off-site work. The computer usually has VPN access software installed that communicates with the VPN gateway and implements VPN access. VPNs are now widely used and the related technologies are relatively mature, for example MPLS VPN, IPSec VPN, L2VPN and SSL VPN. All VPN access technologies simulate a virtual network adapter on the remote computer, which sends and receives the VPN packets exchanged between the computer and the intranet. After the computer accesses the VPN from the remote office location, the VPN gateway also assigns a VPN IP address to the computer; this VPN IP address is usually configured on the virtual network adapter.
Summary of the invention
In view of this, the invention provides a method and a device for route restriction based on VPN that better solve the security problem of remote office access over a VPN.
The invention provides a method for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet. The method comprises:
When the computer accesses the VPN from a remote office location, adding a first route to the VPN gateway and a second default route, and setting the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP;
Polling all current routes so that the priority of every other default route is lower than the priority of the second default route.
Further, the method also comprises:
When the computer's VPN access is disconnected, deleting the first route and the second default route.
Further, when the computer's VPN access is disconnected, the route to the intranet is also deleted.
Further, the polling also comprises: deleting other ordinary routes added on the computer outside the access phase.
Further, the polling is performed with a predetermined period.
The present invention also provides a device for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet, characterized in that the device comprises:
An access module, configured to, when the computer accesses the VPN from a remote office location, add a first route to the VPN gateway and a second default route, and set the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP;
A polling module, configured to poll all current routes so that the priority of every other default route is lower than the priority of the second default route.
Further, the device also comprises:
A disconnection module, configured to disconnect the VPN access and delete the first route and the second default route.
Further, the disconnection module is also configured to delete the route to the intranet.
Further, the polling module is also configured to delete other ordinary routes that were added on the computer outside the access phase.
Further, the polling is performed with a predetermined period.
When the computer accesses the VPN, the present invention adds a first route to the VPN gateway and a second default route, and the gateway of the second default route is the VPN IP or an IP in the same network segment as the VPN IP. The invention also makes the priority of every other default route on the computer lower than the priority of the second default route. Therefore, while the computer is connected to the VPN, the VPN access software installed on the computer sends all of the computer's outgoing packets to the VPN gateway through the gateway of the second default route. In this way the computer's packets can only reach the VPN, which ensures that the computer cannot access external networks.
Brief description of the drawings
Fig. 1 is a schematic diagram of an existing VPN;
Fig. 2 is a flow chart of the method of the present invention for route restriction based on VPN;
Fig. 3 is a structural diagram of the device of the present invention for route restriction based on VPN;
Figs. 4 to 7 are routing table diagrams of one embodiment of the invention;
Figs. 8 to 11 are routing table diagrams of another embodiment of the invention.
Embodiments
Referring to Fig. 1, a computer at a remote office location passes through the enterprise firewall over the Internet and accesses the intranet through the VPN gateway. This kind of access usually has a security problem: while the computer at the remote office location works on the enterprise network through the VPN gateway, it is also connected to the Internet. The enterprise's confidential information could therefore be leaked onto the Internet, which is unacceptable for enterprises with high information security requirements. The usual solution in the prior art is to restrict routing: when the computer at the remote office location accesses the intranet, the VPN access software installed on the computer restricts its routes so that the computer cannot reach any external address other than the VPN gateway.
The existing route restriction method works as follows: when the computer accesses the VPN from the remote office location, the VPN access software installed on the computer backs up the current routing table, deletes all current routes, and adds a route to the VPN gateway and a route to the intranet. When the VPN connection is disconnected, the VPN access software deletes the route to the VPN gateway and the route to the intranet, then restores the backed-up routing table.
However, if the network environment of the remote office location from which the computer accesses the VPN changes (for example, a marketing employee's computer moves from one remote office location to another to access the VPN), the computer may become unable to access the Internet. For example, a computer works at remote office location A and obtains the default route {0.0.0.0/0.0.0.0, 80.80.80.1} through DHCP. After the computer accesses the intranet, the VPN access software backs up and deletes the route {0.0.0.0/0.0.0.0, 80.80.80.1}. Without disconnecting VPN access, the computer then moves to remote office location B and obtains a new default route {0.0.0.0/0.0.0.0, 80.80.81.1} through DHCP. Because the network environment has changed (the computer now accesses the VPN from location B instead of location A), the route to the VPN gateway that the VPN access software originally added still exists on the computer, and under the scheme above VPN access would still have to go through the original VPN gateway. In fact, however, the route to the VPN gateway that the VPN access software originally added no longer matches the current situation: the corresponding VPN gateway IP address has already changed, so VPN access obviously fails at this point. Under this scheme, the computer must disconnect VPN access and then re-establish it. But after VPN access is disconnected, the VPN access software restores the route {0.0.0.0/0.0.0.0, 80.80.80.1} from the earlier backup. The computer then has two default routes, which still leaves it unable to access the Internet, and so it also cannot connect to the VPN for remote work.
To solve the above problem, the implementation of the present invention is described below with reference to the accompanying drawings.
When the computer accesses the VPN, the present invention adds a first route to the VPN gateway and a second default route, and the gateway address of the second default route is the VPN IP that the VPN gateway assigns to the computer or an IP in the same network segment as the VPN IP. The invention also makes the priority of every other default route on the computer lower than the priority of the second default route. Therefore, while the computer is connected to the VPN, the VPN access software installed on the computer sends all of the computer's outgoing packets to the VPN gateway through the gateway of the second default route. In this way the computer's packets can only reach the VPN, which ensures that the computer cannot access external networks.
The invention provides a method for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet; the computer has VPN access software installed.
Referring to Fig. 2, the method comprises the following steps:
S1. The computer accesses the VPN from a remote office location and adds a first route to the VPN gateway and a second default route. The gateway address of the second default route is set to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP, and packets sent to the gateway of the second default route are forwarded to the VPN gateway.
S2. All current routes of the computer are polled so that the priority of every other default route is lower than the priority of the second default route.
Both the present invention and the prior art add a first route to the VPN gateway. The prior art adds it so that the computer can still reach the VPN gateway after all current routes (including the default route) have been deleted, whereas the present invention adds it so that the computer can still reach the VPN gateway after the priorities of the other default routes have been adjusted.
The present invention differs from the prior art in that it does not delete all current routes (including the default route). Instead, on top of the existing scheme, it adds a second default route whose gateway address is the VPN IP that the VPN gateway assigns to the computer or an IP in the same network segment as the VPN IP, and it lowers the priority of the other default routes below that of the second default route. Because IPs in the same network segment are reached through the same network adapter, the gateway address of the second default route should be the VPN IP assigned by the VPN gateway or an IP in the same network segment as the VPN IP. In the preferred implementation, the VPN IP is used as the gateway address of the second default route.
With this configuration, while the computer is connected to the VPN, the second default route has the highest priority among the default routes in the routing table. All of the computer's packets sent to the gateway of the second default route are therefore forwarded to the VPN gateway, which ensures that the computer cannot access external networks.
At the same time, because the present invention does not delete all current routes (including the default route), there is no need to back up deleted routes and restore them. Therefore, even if the network environment of the remote office location from which the computer accesses the VPN changes, the present invention does not cause routing confusion through route backup and restoration, and does not leave the computer unable to access the Internet.
Further, step S2 also comprises: deleting other ordinary routes added on the computer outside the access phase.
During the polling of step S2, if the VPN access software finds an ordinary route that was added on the computer outside the access phase, it judges that this route was added manually by the user. To prevent users from configuring routes on their own and to improve the security of intranet information, the present invention automatically deletes such a route. Specifically, if during polling the VPN access software finds that a newly added ordinary route is not the first route added in the access phase, the route was added manually by the user and is automatically deleted.
Further, the polling is performed with a predetermined period. The predetermined period is set by a person skilled in the art, according to requirements and experience, to a sufficiently small time period, for example 0.5 s.
Further, the method also comprises the following step:
S3. When the computer's VPN access is disconnected, the first route, the second default route and the route to the intranet are deleted.
When the computer's VPN access is disconnected, the first route, the second default route and the route to the intranet need to be deleted so that the computer can access the Internet normally.
Referring to Fig. 3, corresponding to the above method, the present invention also provides a device for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet; the computer has VPN access software installed. In hardware the computer includes at least a CPU, memory, non-volatile storage and other hardware, and logically the device comprises:
An access module, configured to, when the computer accesses the VPN from a remote office location, add a first route to the VPN gateway and a second default route, set the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP, and forward packets sent to the gateway of the second default route to the VPN gateway.
A polling module, configured to poll all current routes so that the priority of every other default route is lower than the priority of the second default route.
Further, the polling module is also configured to delete other ordinary routes that were added on the computer outside the access phase.
Further, the polling is performed with a predetermined period.
Further, the device also comprises a disconnection module, configured to disconnect the VPN access and delete the first route and the second default route.
Further, the disconnection module is also configured to delete the route to the intranet.
To make this clearer to those skilled in the art, the specific implementation of the present invention is described below using a Windows environment as an example.
Suppose that in a certain application scenario the computer's current IP address is 10.153.129.142 and its existing routing table is as shown in Fig. 4. Note that in a Windows environment the metric in the routing table represents the maximum hop count to the destination; the larger the metric, the lower the route's priority.
In this scenario, suppose further that the IP address of the VPN gateway is 203.215.251.200 and that, after the computer connects to the VPN, the VPN gateway assigns it the VPN IP address 192.168.0.2.
According to the method of the present invention, when the computer connects to the VPN, the VPN access software adds the first route to the VPN gateway, {203.215.251.200/255.255.255.255, 10.153.128.1}. It also adds the second default route, which uses the VPN IP as its gateway: {0.0.0.0/0.0.0.0, 192.168.0.2}.
The routing table of the computer after the first route and the second default route have been added is shown in Fig. 5.
The VPN access software then polls with a period of 0.5 seconds and finds that {0.0.0.0/0.0.0.0, 10.153.128.1} is a default route whose gateway IP address is not the VPN IP (192.168.0.2), so it is not the second default route. Because the metric of this default route is the same as that of the second default route, which uses the VPN IP as its gateway, the software adjusts the metric of this default route to 21. After polling, the routing table of the computer is as shown in Fig. 6.
In the routing table shown in Fig. 5, apart from the first route {203.215.251.200/255.255.255.255, 10.153.128.1}, all other routes are default routes, and the second default route {0.0.0.0/0.0.0.0, 192.168.0.2} has the highest priority. Packets that follow a default route therefore go preferentially to the gateway 192.168.0.2 of the second default route, and the VPN access software installed on the computer forwards the packets sent to that gateway to the VPN gateway 203.215.251.200, which prevents the user from accessing external networks.
Suppose further that the user later manually adds a route {10.153.89.0/255.255.255.0, 10.153.129.128}. During polling, the VPN access software finds this ordinary route, determines that it is not the first route configured when the VPN was accessed, and automatically deletes {10.153.89.0/255.255.255.0, 10.153.129.128}, which prevents users from configuring routes on their own.
When the computer disconnects from the VPN, the VPN access software deletes the first route and the second default route that were configured when the computer accessed the VPN. In this scenario it deletes {203.215.251.200/255.255.255.255, 10.153.128.1} and {0.0.0.0/0.0.0.0, 192.168.0.2}; the routing table of the computer becomes as shown in Fig. 7, and the computer can access the Internet normally.
Another exemplary embodiment illustrates the invention for the case where the network environment of the remote office location changes (again, for example, a marketing employee's computer moves from one remote office location to another to access the VPN). The computer works at remote office location A and obtains the default route {0.0.0.0/0.0.0.0, 80.80.80.1} through DHCP. Suppose the IP address of the VPN gateway is 203.215.251.200 and the assigned VPN IP address is 192.168.0.2. After the VPN access software adds the first route and the second default route, the routing table is as shown in Fig. 8. Polling lowers the priority of the default route {0.0.0.0/0.0.0.0, 80.80.80.1} below that of the second default route, specifically by adjusting its metric to 21; the routing table is then as shown in Fig. 9.
Suppose the computer, without disconnecting VPN access at remote office location A, moves to remote office location B. DHCP requests an IP address again, automatically deletes the route it produced earlier, {0.0.0.0/0.0.0.0, 80.80.80.1}, and automatically produces a new route {0.0.0.0/0.0.0.0, 80.80.81.1}. According to the method of the present invention, the routing table of the computer then becomes as shown in Fig. 10.
After polling, the priority of the route {0.0.0.0/0.0.0.0, 80.80.81.1} is adjusted to be lower than that of the second default route; specifically, its metric becomes 21. Because neither the VPN nor the local network can be accessed at this point, the VPN connection must be disconnected. The VPN access software deletes the second default route with the VPN IP as gateway and the first route pointing to the VPN gateway, both added at remote office location A, and the routing table finally becomes as shown in Fig. 11. The network therefore returns to normal and the computer can access the Internet again. In the same way as described above, when the user accesses the VPN again, VPN access can be completed again.
Therefore, because the present invention does not delete all current routes (including the default route), there is no need to back up deleted routes and restore them. Even if the network environment of the remote office location from which the computer accesses the VPN changes, the present invention does not cause routing confusion through route backup and restoration, and does not leave the computer unable to access the Internet.
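Steps S1 to S3 and the two Windows scenarios above, modelled in Python over an in-memory routing table. This is an added example, not code from the patent; the class and function names, the starting metric of 20 and the test address 198.51.100.7 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DEFAULT = ip_network("0.0.0.0/0")
INTERNET_HOST = "198.51.100.7"   # constructed test address (documentation range)


@dataclass(eq=False)             # compare by identity: routes may share all fields
class Route:
    dest: str                    # destination in CIDR form, e.g. "0.0.0.0/0"
    gateway: str
    metric: int

    @property
    def net(self):
        return ip_network(self.dest)


class RouteRestrictor:
    """Models S1-S3 on a list that stands in for the OS routing table."""

    def __init__(self, table, vpn_gateway, vpn_ip):
        self.table, self.vpn_gateway, self.vpn_ip = table, vpn_gateway, vpn_ip
        self.first = self.second = None
        self.baseline = set()

    def connect(self):
        """S1: add the first route (to the VPN gateway) and the second default route."""
        phys = min((r for r in self.table if r.net == DEFAULT), key=lambda r: r.metric)
        # Ordinary routes that already exist at access time are left alone by poll().
        self.baseline = {(r.dest, r.gateway) for r in self.table if r.net != DEFAULT}
        self.first = Route(f"{self.vpn_gateway}/32", phys.gateway, phys.metric)
        self.second = Route("0.0.0.0/0", self.vpn_ip, phys.metric)
        self.table += [self.first, self.second]

    def poll(self):
        """S2: demote every other default route, delete routes added after access."""
        for r in list(self.table):
            if r is self.first or r is self.second:
                continue
            if r.net == DEFAULT:
                if r.metric <= self.second.metric:
                    r.metric = self.second.metric + 1
            elif (r.dest, r.gateway) not in self.baseline:
                self.table.remove(r)

    def disconnect(self):
        """S3: remove only what S1 added; nothing is restored from a backup."""
        for r in (self.first, self.second):
            if r in self.table:
                self.table.remove(r)
        self.first = self.second = None


def egress(table, dst):
    """Gateway chosen for dst: longest prefix first, then lowest metric."""
    addr = ip_address(dst)
    hits = [r for r in table if addr in r.net]
    return min(hits, key=lambda r: (-r.net.prefixlen, r.metric)).gateway


def scenario_single_site():
    table = [Route("0.0.0.0/0", "10.153.128.1", 20)]    # metric 20 is assumed
    rr = RouteRestrictor(table, "203.215.251.200", "192.168.0.2")
    rr.connect()
    rr.poll()
    out = {"internet": egress(table, INTERNET_HOST),
           "vpn_gateway": egress(table, "203.215.251.200"),
           "physical_metric": table[0].metric}
    table.append(Route("10.153.89.0/24", "10.153.129.128", 20))  # user-added route
    out["before_poll"] = egress(table, "10.153.89.5")
    rr.poll()
    out["after_poll"] = egress(table, "10.153.89.5")
    rr.disconnect()
    out["after_disconnect"] = [(r.dest, r.gateway) for r in table]
    return out


def scenario_site_change():
    table = [Route("0.0.0.0/0", "80.80.80.1", 20)]      # site A, metric assumed
    rr = RouteRestrictor(table, "203.215.251.200", "192.168.0.2")
    rr.connect()
    rr.poll()
    table.remove(table[0])                              # DHCP withdraws site A's default
    table.append(Route("0.0.0.0/0", "80.80.81.1", 20))  # and installs site B's
    rr.poll()
    stale = egress(table, "203.215.251.200")            # first route still points at site A
    rr.disconnect()
    return stale, [(r.dest, r.gateway, r.metric) for r in table]


if __name__ == "__main__":
    print(scenario_single_site())
    print(scenario_site_change())
```

Between a route appearing and the next poll, traffic can still follow it: `before_poll` in the first scenario shows that window for the manually added route, which is why the description asks for a short polling period.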
The above is only a preferred embodiment of the present invention and is not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (10)

1. A method for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet, characterized in that the method comprises:
When the computer accesses the VPN from a remote office location, adding a first route to the VPN gateway and a second default route, and setting the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP;
Polling all current routes so that the priority of every other default route is lower than the priority of the second default route.
2. The method as claimed in claim 1, characterized in that the method also comprises:
When the computer's VPN access is disconnected, deleting the first route and the second default route.
3. The method as claimed in claim 2, characterized in that, when the computer's VPN access is disconnected, the route to the intranet is also deleted.
4. The method as claimed in claim 1, characterized in that the polling also comprises: deleting other ordinary routes added on the computer outside the access phase.
5. The method as claimed in claim 4, characterized in that the polling is performed with a predetermined period.
6. A device for route restriction based on VPN, applied to a computer that accesses a virtual private network (VPN) over the Internet, characterized in that the device comprises:
An access module, configured to, when the computer accesses the VPN from a remote office location, add a first route to the VPN gateway and a second default route, and set the gateway address of the second default route to the VPN IP that the VPN gateway assigns to the computer or to an IP in the same network segment as the VPN IP;
A polling module, configured to poll all current routes so that the priority of every other default route is lower than the priority of the second default route.
7. The method as claimed in claim 6, characterized in that the device also comprises:
A disconnection module, configured to disconnect the VPN access and delete the first route and the second default route.
8. The method as claimed in claim 7, characterized in that the disconnection module is also configured to delete the route to the intranet.
9. The method as claimed in claim 6, characterized in that the polling module is also configured to delete other ordinary routes that were added on the computer outside the access phase.
10. The method as claimed in claim 6, characterized in that the polling is performed with a predetermined period.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410058265.7A CN104869097A (en) 2014-02-20 2014-02-20 Route limiting method based on virtual private network (VPN), and route limiting device based on VPN

Publications (1)

Publication Number Publication Date
CN104869097A (en) 2015-08-26

Family

ID=53914624

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410058265.7A Pending CN104869097A (en) 2014-02-20 2014-02-20 Route limiting method based on virtual private network (VPN), and route limiting device based on VPN

Country Status (1)

Country Link
CN (1) CN104869097A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Applicant before: Huasan Communication Technology Co., Ltd.

WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150826
