CN107659482B - Method and device for transmitting data based on virtual private network - Google Patents

Info

Publication number: CN107659482B
Authority: CN (China)
Prior art keywords: program, interface, vpn, encryption, data
Legal status: Active
Application number: CN201710923022.9A
Other languages: Chinese (zh)
Other versions: CN107659482A (en)
Inventors: 陈川, 唐青昊
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Events: application filed by Beijing Qihoo Technology Co Ltd; priority to CN201710923022.9A; publication of CN107659482A; application granted; publication of CN107659482B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses a method and a device for transmitting data based on a virtual private network. It relates to the technical field of data transmission and solves the problem that an existing virtual VPN gateway cannot meet the encryption and decryption requirements of its users. The method comprises the following steps: after a VPN program in a virtual machine receives data to be transmitted, sent by a first device through a VPN channel, the VPN program sends a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through a paravirtualization interface; the VPN program then receives a processing result from the host through the paravirtualization interface, where the processing result is obtained by a physical machine that stores the encryption and decryption program corresponding to the virtual machine identifier, which calls that program through an intermediate interface and uses it to encrypt or decrypt the data to be transmitted, the intermediate interface being an interface encapsulated on the basis of the encryption and decryption program; finally, the processing result is sent to a second device through the VPN channel. The method and the device are mainly applicable to data transmission over a VPN network.

Description

Method and device for transmitting data based on virtual private network
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a method and an apparatus for transmitting data based on a virtual private network.
Background
A Virtual Private Network (VPN) is a technology for establishing a private network on top of a public network. A VPN is, in effect, a virtual internal dedicated line: no physical line such as an optical cable has to be laid, which saves installation and maintenance cost while keeping the link secure. VPNs are therefore gradually becoming part of everyday life.
With the continuing development of virtualization and cloud computing, more and more cloud service vendors offer public and private clouds, allowing enterprise users to build their own virtual data centers, saving construction cost, and relying on VPN networks for network security and speed. When the whole network consists of several subnets, each subnet therefore needs a virtual VPN gateway so that the subnets can communicate with each other. A virtual VPN gateway is currently created as follows: a dedicated virtual machine is created on the virtual machine management platform and VPN software is installed on it. Private cloud users, in order to meet their own security requirements, often encrypt and decrypt data with their own encryption and decryption algorithms. A virtual VPN gateway generated by off-the-shelf VPN software cannot integrate the algorithms chosen by the user, so the user's requirements cannot be met.
Disclosure of Invention
In view of this, the method and the device for transmitting data based on a virtual private network provided by the invention solve the problem that an existing virtual VPN gateway cannot meet the encryption and decryption requirements of the user.
The purpose of the invention is achieved by the following technical scheme:
in a first aspect, the present invention provides a method for transmitting data based on a virtual private network, the method comprising:
after a Virtual Private Network (VPN) program in a virtual machine receives data to be transmitted, sent by a first device through a VPN channel, the VPN program sends a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through a paravirtualization interface;
the VPN program receives a processing result sent by the host through the paravirtualization interface, where the processing result is obtained by a physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls that program through an intermediate interface and uses it to encrypt or decrypt the data to be transmitted, the intermediate interface being an interface encapsulated on the basis of the encryption and decryption program;
and the processing result is sent to a second device through the VPN channel.
In a second aspect, the present invention provides a method for transmitting data based on a virtual private network, the method comprising:
a host receives a data processing request sent by a Virtual Private Network (VPN) program in a virtual machine through a paravirtualization interface, where the data processing request carries the virtual machine identifier of the virtual machine and data to be transmitted, which the virtual machine received from the first device side through a VPN channel;
the host obtains a processing result, produced after a physical machine storing the encryption and decryption program corresponding to the virtual machine identifier calls that program through an intermediate interface and uses it to encrypt or decrypt the data to be transmitted, the intermediate interface being an interface encapsulated on the basis of the encryption and decryption program;
and the host sends the processing result to the VPN program through the paravirtualization interface so that the VPN program sends it to the second device through the VPN channel.
In a third aspect, the present invention provides a virtual machine, including:
a sending unit, configured to send a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through a paravirtualization interface after a Virtual Private Network (VPN) program in the virtual machine receives the data to be transmitted, sent by a first device through a VPN channel;
a receiving unit, configured to receive, through the VPN program, a processing result sent by the host through the paravirtualization interface, where the processing result is obtained by a physical machine storing the encryption/decryption program corresponding to the virtual machine identifier, which calls that program through an intermediate interface and uses it to encrypt or decrypt the data to be transmitted, the intermediate interface being an interface encapsulated on the basis of the encryption/decryption program;
the sending unit being further configured to send the processing result to a second device through the VPN channel.
In a fourth aspect, the present invention provides a host, comprising:
a receiving unit, configured to receive a data processing request sent by a VPN program in a virtual machine through a paravirtualization interface, where the data processing request carries the virtual machine identifier of the virtual machine and data to be transmitted, which the virtual machine received from the first device side through a VPN channel;
an obtaining unit, configured to obtain a processing result, produced after a physical machine storing the encryption/decryption program corresponding to the virtual machine identifier calls that program through an intermediate interface and uses it to encrypt or decrypt the data to be transmitted, the intermediate interface being an interface encapsulated on the basis of the encryption/decryption program;
a sending unit, configured to send the processing result to the VPN program through the paravirtualization interface, so that the VPN program sends it to a second device through the VPN channel.
In a fifth aspect, the present invention provides a storage medium storing a plurality of instructions adapted to be loaded by a processor in order to perform the method for transmitting data based on a virtual private network according to the first aspect, or to perform the method according to the second aspect.
In a sixth aspect, the present invention provides an electronic device comprising a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor in order to perform the method for transmitting data based on a virtual private network according to the first aspect, or to perform the method according to the second aspect.
In a seventh aspect, the present invention provides an electronic device, including: a virtual machine and a host machine;
wherein the virtual machine comprises the virtual machine of the third aspect; the host comprises a host as described in the fourth aspect.
By means of this technical scheme, the method and the device for transmitting data based on a virtual private network provided by the invention operate as follows: after the VPN program in the virtual machine receives the data to be transmitted from the first device, it sends a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through the paravirtualization interface; the host passes the request to the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls that program through the intermediate interface and executes it to encrypt or decrypt the data to be transmitted, producing a processing result; the host forwards the processing result to the VPN program through the paravirtualization interface; and the VPN program sends it to the second device through the VPN channel. The invention thus creates a virtual VPN gateway that meets the user's requirements by having the virtual machine call the encryption and decryption program indirectly, and through that gateway realizes a data transmission mode that meets those requirements.
The foregoing is only an overview of the technical solutions of the present invention. Embodiments of the invention are described below so that its technical means can be understood more clearly and so that the above and other objects, features and advantages become more readily understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a method for transmitting data based on a virtual private network according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a system architecture for transmitting data based on a virtual private network according to an embodiment of the present invention;
fig. 3 is a block diagram illustrating the components of a virtual VPN gateway according to an embodiment of the present invention;
fig. 4 is a block diagram illustrating another virtual VPN gateway according to an embodiment of the present invention;
fig. 5 is a block diagram illustrating another virtual VPN gateway according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating another method for transmitting data based on a virtual private network according to an embodiment of the present invention;
fig. 7 is a block diagram illustrating the components of a virtual machine according to an embodiment of the present invention;
fig. 8 is a block diagram illustrating another virtual machine according to an embodiment of the present invention;
fig. 9 is a block diagram illustrating the components of a host according to an embodiment of the present invention;
fig. 10 is a block diagram illustrating another host according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for transmitting data based on a virtual private network. The method is mainly applied on the virtual machine side and, as shown in fig. 1, mainly includes:
101. After a VPN program in a virtual machine receives data to be transmitted, sent by a first device through a VPN channel, the VPN program sends a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through a paravirtualization interface.
When the first device wants to send data to the second device through the virtual private network and the two devices are located in different subnets, the first device sends the data to be transmitted through the VPN channel to a virtual VPN gateway (in this embodiment, a VPN gateway formed by the interaction between a virtual machine and a host). That gateway encrypts the data and sends the encrypted data through the VPN channel to the virtual VPN gateway that manages the second device; the latter gateway decrypts it, recovers the original data sent by the first device, and delivers it to the second device through the VPN channel. This embodiment mainly explains how the virtual VPN gateway encrypts or decrypts the data to be transmitted.
Optionally, to further secure the connection established between the virtual machine and the host, a Secure Socket Layer (SSL) program (i.e., SSL software) may be installed in the virtual machine, and the connection between the two is then protected on the basis of that program. In this case step 101 may be implemented as follows: the VPN program sends the data processing request to the SSL program in the virtual machine, and the SSL program sends the request to the host through the paravirtualization interface.
Specifically, before the SSL program can send the data processing request through the paravirtualization interface, it must load the driver of that interface so that the interface is started; only once the interface has been driven successfully can the SSL program send the request to the host through it.
When the virtual VPN gateway and the first device belong to the same subnet, this embodiment describes how the gateway encrypts the data to be transmitted that the first device sends, and the data processing request of step 101 is an encryption request. When the virtual VPN gateway and the second device belong to the same subnet, this embodiment describes how the gateway decrypts the encrypted data sent by the virtual VPN gateway corresponding to the first device, and the data processing request of step 101 is a decryption request. The architecture of the whole network may be as shown in fig. 2; the meaning of the intermediate interface in that figure is explained in step 102 below.
Specifically, the encryption and decryption operations of the invention are executed by a physical machine that stores an encryption and decryption program. The physical machine may store a single program, or several programs for different virtual machines with different encryption and decryption requirements. For this reason the virtual machine's identifier must be included when a data processing request is sent to the host through the paravirtualization interface, so that after the host passes the identifier to the physical machine, the physical machine can look up the encryption and decryption program corresponding to that identifier and use it to process the data. The paravirtualization interface is an interface that implements communication between the virtual machine and the host without requiring a network. The physical machine storing the encryption and decryption program may be the host itself or an external device independent of the host.
In addition, the virtual machine identifier may be a Universally Unique Identifier (UUID) or any other type of identifier that uniquely identifies the virtual machine. The paravirtualization interface may be generated on the basis of the virtio mechanism or of other mechanisms.
102. The VPN program receives a processing result sent by the host through the paravirtualization interface.
The processing result is obtained when the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier calls that program through the intermediate interface and uses it to encrypt or decrypt the data to be transmitted; the intermediate interface is an interface encapsulated on the basis of the encryption and decryption program. Different encryption and decryption programs may correspond to different intermediate interfaces.
When the virtual machine contains the SSL program, this step may be implemented as follows: first the SSL program receives the processing result sent by the host through the paravirtualization interface, and then the VPN program receives the processing result from the SSL program.
When the physical machine storing the encryption and decryption program is the host itself, the host receives the data processing request through the paravirtualization interface, calls the encryption and decryption program corresponding to the virtual machine identifier through the intermediate interface, executes it to encrypt or decrypt the data to be transmitted, and sends the resulting processing result to the VPN program in the virtual machine through the paravirtualization interface, or sends it to the SSL program first, which passes it on to the VPN program. When the physical machine storing the program is the host, a block diagram of the virtual VPN gateway formed in this embodiment may be as shown in fig. 3.
When the physical machine storing the encryption and decryption program is an external device independent of the host, the host, after receiving the data processing request through the paravirtualization interface, forwards the request to that physical machine; the physical machine calls the encryption and decryption program corresponding to the virtual machine identifier through the intermediate interface, executes it to obtain the processing result, and returns the result to the host; the host then feeds the processing result back to the VPN program in the virtual machine through the paravirtualization interface, or feeds it back to the SSL program first, which passes it on to the VPN program. When the physical machine storing the encryption/decryption program is an external device, a block diagram of the virtual VPN gateway formed in this embodiment may be as shown in fig. 4. When the external device stores different encryption and decryption programs for use by virtual machines in different hosts, a block diagram of the several virtual VPN gateways formed in this embodiment may be as shown in fig. 5.
103. The processing result is sent to the second device through the VPN channel.
When the first device and the virtual VPN gateway are located in the same subnet, the processing result is encrypted data: the virtual machine sends it through the VPN channel to the virtual VPN gateway corresponding to the second device, which decrypts it and delivers the decrypted data to the second device. When the second device and the virtual VPN gateway are located in the same subnet, the processing result is decrypted data, and the virtual machine may send it directly to the second device through the VPN channel.
With the method for transmitting data based on a virtual private network provided by this embodiment, after the VPN program in the virtual machine receives the data to be transmitted from the first device, it sends a data processing request carrying the virtual machine identifier and the data to be transmitted to the host through the paravirtualization interface; the host passes the request to the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls that program through the intermediate interface and executes it to encrypt or decrypt the data, producing a processing result; the host forwards the result to the VPN program through the paravirtualization interface; and the VPN program sends it to the second device through the VPN channel. The invention thus creates a virtual VPN gateway that meets the user's requirements by having the virtual machine call the encryption and decryption program indirectly, and through that gateway realizes a data transmission mode that meets those requirements. Because the virtual machine identifier is mapped to an encryption and decryption program, different virtual machines can perform encryption and decryption with different programs, so that virtual VPN gateways with different functions can be provided according to different user requirements.
Further, according to the method of the virtual machine side, another embodiment of the present invention provides a method for transmitting data based on a virtual private network, which is performed on the host side, as shown in fig. 6, where the method mainly includes:
201. and the host machine receives a data processing request sent by a VPN program in the virtual machine through the paravirtualization interface.
The data processing request carries a virtual machine identifier of the virtual machine and data to be transmitted, which is received by the virtual machine from the first equipment side through the VPN channel, and the paravirtualization interface is used for realizing communication between the virtual machine and the host machine, and the communication does not need a network.
Because the encryption and decryption program set by the user is located outside the virtual machine, when the virtual machine needs to encrypt and decrypt data, the data processing request needs to be sent to the host machine, so that the host machine can correspondingly process the data processing request according to the storage position of the encryption and decryption program after receiving the data processing request.
In addition, when the virtual machine and the first device are located in the same subnet, the data to be transmitted, which is received by the virtual machine from the first device side through the VPN channel, is the data directly sent by the first device; and when the virtual machine and the second device are located in the same subnet, the data to be transmitted, which is received by the virtual machine from the first device side through the VPN channel, is encrypted and transmitted by the virtual VPN gateway corresponding to the first device. The specific process can be detailed in the embodiment of the virtual machine side about the detailed description of step 101.
202. And acquiring a processing result obtained after a physical machine storing the encryption and decryption program corresponding to the virtual machine identifier calls the encryption and decryption program through an intermediate interface and encrypts or decrypts the data to be transmitted by using the encryption and decryption program.
The intermediate interface is an interface encapsulated based on the encryption and decryption program. The physical machine storing the encryption and decryption program corresponding to the virtual machine identifier may be the host machine itself, or may be an external device independent of the host machine. When the physical machine is the host machine, this step may be implemented as follows: the host machine calls the encryption and decryption program through the intermediate interface and uses the encryption and decryption program to encrypt or decrypt the data to be transmitted, obtaining the processing result. When the physical machine is an external device, the host machine sends the data processing request to the external device through a network and receives the processing result sent back by the external device, where the processing result is obtained by the external device calling the encryption and decryption program based on the intermediate interface and using the encryption and decryption program to encrypt or decrypt the data to be transmitted.
For the encryption and decryption program to be called successfully through the intermediate interface, the intermediate interface must first be driven by its driver. That is, the step "calling the encryption and decryption program through the intermediate interface" may be implemented as: driving the intermediate interface by calling the driver of the intermediate interface, and, once the intermediate interface has been driven successfully, calling the encryption and decryption program through the intermediate interface.
203. Sending the processing result to the VPN program through the paravirtualized interface, so that the VPN program sends the processing result to the second device through the VPN channel.
After the host machine obtains the processing result, it sends the processing result to the VPN program through the paravirtualized interface so that the VPN program can forward it to the second device through the VPN channel. The interaction between the virtual machine and the host machine in the embodiment of the invention realizes the function of a virtual VPN gateway. When the first device and the virtual VPN gateway are located in the same subnet, the processing result is encrypted data, and the virtual machine sends it through the VPN channel to the virtual VPN gateway corresponding to the second device, which decrypts the processing result and then sends the decrypted data to the second device. When the second device and the virtual VPN gateway are located in the same subnet, the processing result is decrypted data, and the virtual machine may send it directly to the second device through the VPN channel.
In the method for transmitting data based on a virtual private network provided by the embodiment of the invention, after a VPN program in a virtual machine receives the data to be transmitted sent by a first device, it sends a data processing request carrying a virtual machine identifier and the data to be transmitted to a host machine through a paravirtualized interface; the host machine passes the data processing request to the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls the encryption and decryption program through an intermediate interface and executes it to encrypt or decrypt the data to be transmitted, obtaining a processing result; the host machine forwards the processing result to the VPN program through the paravirtualized interface; and the VPN program sends the processing result to a second device through a VPN channel. In this way the invention creates a virtual VPN gateway meeting the user's requirements by indirectly calling the encryption and decryption program through the virtual machine, and realizes a data transmission mode meeting those requirements through the virtual VPN gateway. Because the virtual machine identifier corresponds to the encryption and decryption program, different virtual machines can perform encryption and decryption based on different encryption and decryption programs, so that the functions of different virtual VPN gateways are realized according to the different requirements of users.
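To make the routing of steps 201 to 203 concrete, here is an added Python model (not code from the patent or its assignee) of how the host decides between the two physical-machine cases on the basis of the virtual machine identifier, including the driver step for the intermediate interface and the refusal of an identifier with no registered program. All class names, the JSON wire format and the HMAC-based stand-in for the encryption and decryption program are assumptions of this example; the patent specifies no algorithm.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


class CryptoProgram:
    """Stand-in for one VM's encryption and decryption program (constructed for this example;
    the patent names no algorithm): HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag."""

    def __init__(self, key: bytes) -> None:
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(data), 32):
            ks = hmac.new(self._enc_key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
            out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
        return bytes(out)

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        body = nonce + self._xor_stream(nonce, plaintext)
        return body + hmac.new(self._mac_key, body, hashlib.sha256).digest()[:16]

    def decrypt(self, blob: bytes) -> bytes:
        body, tag = blob[:-16], blob[-16:]
        expect = hmac.new(self._mac_key, body, hashlib.sha256).digest()[:16]
        if len(blob) < 32 or not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed: wrong program or altered data")
        return self._xor_stream(body[:16], body[16:])


class IntermediateInterface:  # the interface "encapsulated based on" one program
    def __init__(self, program: CryptoProgram) -> None:
        self._program, self._driven = program, False

    def drive(self) -> None:
        self._driven = True  # what calling the interface's driver achieves in this model

    def call(self, op: str, data: bytes) -> bytes:
        if not self._driven:
            raise RuntimeError("intermediate interface not driven")
        if op not in ("encrypt", "decrypt"):
            raise ValueError(f"unknown operation {op!r}")
        return getattr(self._program, op)(data)


@dataclass(frozen=True)
class DataProcessingRequest:  # what the VPN program sends over the paravirtualized interface
    vm_id: str
    op: str       # "encrypt" or "decrypt"
    data: bytes   # the data to be transmitted

    def to_wire(self) -> bytes:
        return json.dumps({"vm_id": self.vm_id, "op": self.op, "data": self.data.hex()}).encode()

    @classmethod
    def from_wire(cls, wire: bytes) -> "DataProcessingRequest":
        d = json.loads(wire.decode())
        return cls(d["vm_id"], d["op"], bytes.fromhex(d["data"]))


class ExternalDevice:  # physical machine independent of the host, holding some VMs' programs
    def __init__(self, interfaces: dict) -> None:
        self._interfaces = interfaces  # vm_id -> IntermediateInterface

    def handle(self, wire: bytes) -> bytes:
        req = DataProcessingRequest.from_wire(wire)  # only the serialized request crossed the network
        iface = self._interfaces[req.vm_id]
        iface.drive()
        return iface.call(req.op, req.data)


class Host:  # host side of steps 201-203: route each request by the VM identifier it carries
    def __init__(self, local: dict, remote: dict) -> None:
        self._local = local    # vm_id -> IntermediateInterface on this host
        self._remote = remote  # vm_id -> ExternalDevice reached over the network

    def handle_request(self, req: DataProcessingRequest) -> bytes:
        if req.vm_id in self._local:   # the physical machine is the host itself
            iface = self._local[req.vm_id]
            iface.drive()
            return iface.call(req.op, req.data)
        if req.vm_id in self._remote:  # the physical machine is an external device
            return self._remote[req.vm_id].handle(req.to_wire())
        # No program registered for this identifier: refuse rather than fall back to a default.
        raise LookupError(f"no encryption/decryption program for VM {req.vm_id!r}")


def build_demo() -> Host:  # vm-a is served on the host, vm-b on an external device
    device = ExternalDevice({"vm-b": IntermediateInterface(CryptoProgram(b"key-for-vm-b"))})
    return Host({"vm-a": IntermediateInterface(CryptoProgram(b"key-for-vm-a"))}, {"vm-b": device})


def try_request(host: Host, req: DataProcessingRequest):
    try:  # return the processing result, or the name of the error the host raised
        return host.handle_request(req)
    except (LookupError, ValueError, RuntimeError) as exc:
        return type(exc).__name__
```

Because each identifier maps to its own program, a ciphertext produced for vm-a fails authentication when the request for it arrives under vm-b's identifier, which is the per-gateway isolation the last paragraph describes.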
Optionally, in the embodiment of the method at the virtual machine side, in order to ensure the security of the communication between the virtual machine and the host, an SSL program may be installed in the virtual machine. In this case, the specific implementation manner of the step 201 may be: and after the SSL program in the virtual machine receives the data processing request sent by the VPN program, receiving the data processing request sent by the SSL program through the paravirtualization interface.
Specifically, since the paravirtualized interface needs to be driven by its driver before it can be used, the data processing request sent by the SSL program through the paravirtualized interface is received after the SSL program has successfully driven the paravirtualized interface by calling its driver.
Further, corresponding to the method on the virtual machine side, another embodiment of the present invention provides a virtual machine, as shown in fig. 7, where the virtual machine includes:
a sending unit 31, configured to send, after a virtual private network VPN program in a virtual machine receives data to be transmitted, which is sent by a first device, through a VPN channel, a data processing request carrying a virtual machine identifier and the data to be transmitted to a host through a paravirtualized interface by the VPN program;
a receiving unit 32, configured to receive, by the VPN program, a processing result sent by the host through the paravirtualized interface, where the processing result is obtained by a physical machine storing an encryption/decryption program corresponding to the virtual machine identifier calling the encryption/decryption program through an intermediate interface, and encrypting or decrypting the data to be transmitted by using the encryption/decryption program, where the intermediate interface is an interface encapsulated based on the encryption/decryption program;
the sending unit 31 is further configured to send the processing result to the second device through the VPN channel.
Optionally, as shown in fig. 8, the sending unit 31 includes:
a first sending module 311, configured to send, by the VPN program, the data processing request to a secure socket layer SSL program in the virtual machine;
a second sending module 312, configured to send, by the SSL program, the data processing request to the host through the paravirtualized interface;
the receiving unit 32 includes:
a first receiving module 321, configured to receive, by the SSL program, the processing result sent by the host through the paravirtualization interface;
a second receiving module 322, configured to receive, by the VPN program, the processing result sent by the SSL program.
Optionally, the second sending module 312 is configured to invoke, by the SSL program, a driver of the paravirtualized interface to drive the paravirtualized interface; and, after the paravirtualized interface is driven successfully, to send, by the SSL program, the data processing request to the host machine through the paravirtualized interface.
In the device for transmitting data based on a virtual private network provided by the embodiment of the invention, after a VPN program in a virtual machine receives the data to be transmitted sent by a first device, it sends a data processing request carrying a virtual machine identifier and the data to be transmitted to a host machine through a paravirtualized interface; the host machine passes the data processing request to the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls the encryption and decryption program through an intermediate interface and executes it to encrypt or decrypt the data to be transmitted, obtaining a processing result; the host machine forwards the processing result to the VPN program through the paravirtualized interface; and the VPN program sends the processing result to a second device through a VPN channel. In this way the invention creates a virtual VPN gateway meeting the user's requirements by indirectly calling the encryption and decryption program through the virtual machine, and realizes a data transmission mode meeting those requirements through the virtual VPN gateway. Because the virtual machine identifier corresponds to the encryption and decryption program, different virtual machines can perform encryption and decryption based on different encryption and decryption programs, so that the functions of different virtual VPN gateways are realized according to the different requirements of users.
Further, corresponding to the method on the host side, another embodiment of the present invention provides a host machine, as shown in fig. 9, where the host machine includes:
a receiving unit 41, configured to receive a data processing request sent by a VPN program in a virtual machine through a paravirtualized interface, where the data processing request carries a virtual machine identifier of the virtual machine and data to be transmitted, which is received by the virtual machine from a first device side through a VPN channel;
an obtaining unit 42, configured to obtain a processing result obtained after a physical machine storing an encryption/decryption program corresponding to the virtual machine identifier calls the encryption/decryption program through an intermediate interface and encrypts or decrypts the to-be-transmitted data by using the encryption/decryption program, where the intermediate interface is an interface encapsulated based on the encryption/decryption program;
a sending unit 43, configured to send the processing result to the VPN program through the para-virtualization interface, so that the VPN program sends the processing result to a second device through a VPN channel.
Optionally, the receiving unit 41 is configured to receive the data processing request sent by the SSL program through the paravirtualization interface after the SSL program in the virtual machine receives the data processing request sent by the VPN program.
Optionally, the receiving unit 41 is configured to receive the data processing request sent by the SSL program through the paravirtualization interface after the paravirtualization interface is successfully driven by the SSL program through invoking a driver of the paravirtualization interface.
Optionally, as shown in fig. 10, the obtaining unit 42 includes:
a calling module 421, configured to call the encryption and decryption program through the intermediate interface when the physical machine is the host machine, and encrypt or decrypt the data to be transmitted by using the encryption and decryption program to obtain the processing result;
a sending module 422, configured to send the data processing request to an external device through a network when the physical machine is the external device;
a receiving module 423, configured to receive the processing result sent by the external device, where the processing result is obtained by the external device calling the encryption/decryption program based on the intermediate interface and encrypting or decrypting the to-be-transmitted data by using the encryption/decryption program.
Optionally, the calling module 421 is configured to drive the intermediate interface by calling a driver of the intermediate interface; and after the intermediate interface is successfully driven, calling the encryption and decryption program through the intermediate interface.
In the device for transmitting data based on a virtual private network provided by the embodiment of the invention, after a VPN program in a virtual machine receives the data to be transmitted sent by a first device, it sends a data processing request carrying a virtual machine identifier and the data to be transmitted to a host machine through a paravirtualized interface; the host machine passes the data processing request to the physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, which calls the encryption and decryption program through an intermediate interface and executes it to encrypt or decrypt the data to be transmitted, obtaining a processing result; the host machine forwards the processing result to the VPN program through the paravirtualized interface; and the VPN program sends the processing result to a second device through a VPN channel. In this way the invention creates a virtual VPN gateway meeting the user's requirements by indirectly calling the encryption and decryption program through the virtual machine, and realizes a data transmission mode meeting those requirements through the virtual VPN gateway. Because the virtual machine identifier corresponds to the encryption and decryption program, different virtual machines can perform encryption and decryption based on different encryption and decryption programs, so that the functions of different virtual VPN gateways are realized according to the different requirements of users.
Further, according to the above method embodiments, another embodiment of the present invention provides a storage medium storing a plurality of instructions, the instructions being adapted to be loaded by a processor and to execute the method for transmitting data based on a virtual private network according to the virtual machine side embodiment above, or to be loaded by a processor and to execute the method for transmitting data based on a virtual private network according to the host side embodiment above.
Further, according to the above method embodiments, another embodiment of the present invention provides an electronic device, which includes a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to execute the method for transmitting data based on a virtual private network according to the virtual machine side embodiment above, or to be loaded by the processor and to execute the method for transmitting data based on a virtual private network according to the host side embodiment above.
Further, according to the above embodiment, another embodiment of the present invention also provides an electronic device, including: a virtual machine and a host machine;
wherein the virtual machine comprises a virtual machine as described above; the host machine comprises a host machine as described above.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be appreciated that the relevant features of the method and apparatus described above may be referred to one another. In addition, "first", "second", and the like in the above embodiments serve to distinguish the embodiments and do not indicate the relative merit of any embodiment.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the virtual private network-based data transmission method and apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.

Claims (19)

1. A method for transmitting data based on a virtual private network, the method comprising:
after a Virtual Private Network (VPN) program in a virtual machine receives data to be transmitted sent by a first device through a VPN channel, the VPN program sends a data processing request carrying a virtual machine identifier and the data to be transmitted to a host machine through a paravirtualized interface;
the VPN program receives a processing result sent by the host machine through the paravirtualized interface, wherein the processing result is obtained by a physical machine storing an encryption and decryption program corresponding to the virtual machine identifier calling the encryption and decryption program through an intermediate interface and encrypting or decrypting the data to be transmitted by using the encryption and decryption program, and the intermediate interface is an interface encapsulated based on the encryption and decryption program;
and the VPN program sends the processing result to the second device through the VPN channel.
2. The method according to claim 1, wherein the VPN program sends a data processing request carrying a virtual machine identifier and the data to be transmitted to a host through a paravirtualized interface, comprising:
the VPN program sends the data processing request to a Secure Socket Layer (SSL) program in the virtual machine;
the SSL program sends the data processing request to the host machine through the paravirtualized interface;
the receiving, by the VPN program, the processing result sent by the host through the paravirtualized interface includes:
the SSL program receives the processing result sent by the host machine through the para-virtualization interface;
and the VPN program receives the processing result sent by the SSL program.
3. The method of claim 2, wherein the SSL program sending the data processing request to the host through the para-virtualized interface comprises:
the SSL program calls a driver of the paravirtualization interface to drive the paravirtualization interface;
and after the para-virtualization interface is driven successfully, the SSL program sends the data processing request to the host machine through the para-virtualization interface.
4. A method for transmitting data based on a virtual private network, the method comprising:
a host machine receives a data processing request sent by a Virtual Private Network (VPN) program in a virtual machine through a paravirtualized interface, wherein the data processing request carries a virtual machine identifier of the virtual machine and data to be transmitted, which is received by the virtual machine from a first device side through a VPN channel;
acquiring a processing result, wherein the processing result is obtained by calling an encryption and decryption program through an intermediate interface by a physical machine storing the encryption and decryption program corresponding to the virtual machine identifier, and encrypting or decrypting the data to be transmitted by using the encryption and decryption program, and the intermediate interface is an interface packaged based on the encryption and decryption program;
and sending the processing result to the VPN program through the paravirtualized interface so that the VPN program sends the processing result to the second device through the VPN channel.
5. The method of claim 4, wherein receiving a data processing request sent by a Virtual Private Network (VPN) program in a virtual machine through a paravirtualized interface comprises:
and after a Secure Socket Layer (SSL) program in the virtual machine receives the data processing request sent by the VPN program, receiving the data processing request sent by the SSL program through the paravirtualization interface.
6. The method of claim 5, wherein receiving the data processing request sent by the SSL program through the para-virtualized interface comprises:
and after the para-virtualization interface is successfully driven by the SSL program by calling a driver of the para-virtualization interface, receiving the data processing request sent by the SSL program through the para-virtualization interface.
7. The method of any of claims 4 to 6, wherein obtaining a processing result comprises:
when the physical machine is the host machine, the host machine calls the encryption and decryption program through the intermediate interface, and the encryption and decryption program is used for encrypting or decrypting the data to be transmitted to obtain the processing result;
when the physical machine is an external device, the host machine sends the data processing request to the external device through a network, and receives the processing result sent by the external device, wherein the processing result is obtained by the external device calling the encryption and decryption program based on the intermediate interface and encrypting or decrypting the data to be transmitted by using the encryption and decryption program.
8. The method of claim 7, wherein invoking the encryption and decryption program through the intermediate interface comprises:
driving the intermediate interface by calling a driver of the intermediate interface;
and after the intermediate interface is successfully driven, calling the encryption and decryption program through the intermediate interface.
9. A virtual machine, comprising:
a sending unit, configured to send, after a Virtual Private Network (VPN) program in the virtual machine receives data to be transmitted sent by a first device through a VPN channel, a data processing request carrying a virtual machine identifier and the data to be transmitted to a host machine through a paravirtualized interface by the VPN program;
a receiving unit, configured to receive, by the VPN program, a processing result sent by the host through the paravirtualized interface, where the processing result is obtained by a physical machine storing an encryption/decryption program corresponding to the virtual machine identifier calling the encryption/decryption program through an intermediate interface and encrypting or decrypting the data to be transmitted by using the encryption/decryption program, and the intermediate interface is an interface encapsulated based on the encryption/decryption program;
the sending unit is further configured to send the processing result to the second device through the VPN channel.
10. The virtual machine according to claim 9, wherein the sending unit includes:
a first sending module, configured to send, by the VPN program, the data processing request to a secure socket layer SSL program in the virtual machine;
a second sending module, configured to send, by the SSL program, the data processing request to the host machine through the paravirtualized interface;
the receiving unit includes:
a first receiving module, configured to receive, by the SSL program, the processing result sent by the host through the para-virtualization interface;
and a second receiving module, configured to receive, by the VPN program, the processing result sent by the SSL program.
11. The virtual machine according to claim 10, wherein the second sending module is configured to call a driver of the paravirtualization interface by the SSL program to drive the paravirtualization interface; and after the para-virtualization interface is driven successfully, the SSL program sends the data processing request to the host machine through the para-virtualization interface.
12. A host machine, the host machine comprising:
a receiving unit, configured to receive a data processing request sent by a VPN program in a virtual machine through a paravirtualized interface, where the data processing request carries a virtual machine identifier of the virtual machine and data to be transmitted, which is received by the virtual machine from a first device side through a VPN channel;
an obtaining unit, configured to obtain a processing result, wherein the processing result is obtained by a physical machine storing an encryption and decryption program corresponding to the virtual machine identifier calling the encryption and decryption program through an intermediate interface and encrypting or decrypting the data to be transmitted by using the encryption and decryption program, and the intermediate interface is an interface encapsulated based on the encryption and decryption program;
a sending unit, configured to send the processing result to the VPN program through the paravirtualized interface, so that the VPN program sends the processing result to a second device through the VPN channel.
13. The host machine according to claim 12, wherein the receiving unit is configured to receive the data processing request sent by the SSL program through the paravirtualization interface after a secure socket layer SSL program in a virtual machine receives the data processing request sent by the VPN program.
14. The host machine according to claim 13, wherein the receiving unit is configured to receive the data processing request sent by the SSL program through the paravirtualization interface after the paravirtualization interface is successfully driven by the SSL program by calling a driver of the paravirtualization interface.
15. The host machine according to any one of claims 12 to 14, wherein the obtaining unit comprises:
a calling module, configured to call the encryption and decryption program through the intermediate interface when the physical machine is the host machine, and to encrypt or decrypt the data to be transmitted by using the encryption and decryption program to obtain the processing result;
a sending module, configured to send the data processing request to an external device through a network when the physical machine is the external device;
and a receiving module, configured to receive the processing result sent by the external device, wherein the processing result is obtained by the external device calling the encryption and decryption program based on the intermediate interface and encrypting or decrypting the data to be transmitted by using the encryption and decryption program.
16. The host machine of claim 15, wherein the calling module is configured to drive the intermediate interface by calling a driver of the intermediate interface; and after the intermediate interface is successfully driven, calling the encryption and decryption program through the intermediate interface.
17. A storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform a method of transmitting data based on a virtual private network according to any one of claims 1 to 3; or to load and execute the method of transmitting data based on a virtual private network according to any of claims 4-8.
18. An electronic device, comprising a storage medium and a processor;
the processor is adapted to execute instructions;
the storage medium is adapted to store a plurality of instructions;
the instructions are adapted to be loaded by the processor and to perform the method of transmitting data based on a virtual private network according to any one of claims 1 to 3; or to load and execute the method of transmitting data based on a virtual private network according to any of claims 4-8.
19. An electronic device, characterized in that the electronic device comprises: a virtual machine and a host machine;
wherein the virtual machine comprises the virtual machine of any one of claims 9-11; the host machine comprising a host machine according to any one of claims 12-16.
CN201710923022.9A 2017-09-30 2017-09-30 Method and device for transmitting data based on virtual private network Active CN107659482B (en)


Publications (2)

Publication Number Publication Date
CN107659482A CN107659482A (en) 2018-02-02
CN107659482B true CN107659482B (en) 2020-11-06

Family

ID=61116439

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710923022.9A Active CN107659482B (en) 2017-09-30 2017-09-30 Method and device for transmitting data based on virtual private network

Country Status (1)

Country Link
CN (1) CN107659482B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108418713A (en) * 2018-02-24 2018-08-17 北京百悟科技有限公司 The device and method of VPN is provided
CN113448677B (en) * 2020-03-24 2024-01-23 阿里巴巴集团控股有限公司 Data processing method and system of virtual machine

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557337A (en) * 2009-05-04 2009-10-14 成都市华为赛门铁克科技有限公司 Network tunnel establishing method, data transmission method, communication system and relevant equipment
CN101599901A (en) * 2009-07-15 2009-12-09 杭州华三通信技术有限公司 The method of remotely accessing MPLS VPN, system and gateway
CN107094137A (en) * 2017-04-07 2017-08-25 山东超越数控电子有限公司 A kind of VPN security gateways

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10567347B2 (en) * 2015-07-31 2020-02-18 Nicira, Inc. Distributed tunneling for VPN

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101557337A (en) * 2009-05-04 2009-10-14 成都市华为赛门铁克科技有限公司 Network tunnel establishing method, data transmission method, communication system and relevant equipment
CN101599901A (en) * 2009-07-15 2009-12-09 杭州华三通信技术有限公司 Method, system and gateway for remotely accessing an MPLS VPN
CN107094137A (en) * 2017-04-07 2017-08-25 山东超越数控电子有限公司 A VPN security gateway

Also Published As

Publication number Publication date
CN107659482A (en) 2018-02-02

Similar Documents

Publication Publication Date Title
US9756018B2 (en) Establishing secure remote access to private computer networks
CN107577516B (en) Virtual machine password resetting method, device and system
EP3489824B1 (en) Providing access to configurable private computer networks
EP2761426B1 (en) Implementation of secure communications in a support system
EP3367276B1 (en) Providing devices as a service
EP2374242B1 (en) Providing local secure network access to remote services
CN103621046A (en) Network communication method and device
WO2013174437A1 (en) Enhanced secure virtual machine provisioning
CN103747020B (en) Secure and controllable method for accessing virtual resources over a public network
US10560433B2 (en) Vertical cloud service
US11659058B2 (en) Provider network connectivity management for provider network substrate extensions
CN107070931B (en) Cloud application data uploading/accessing method and system and cloud proxy server
CN107222545B (en) Data transmission method and device
CN103020543B (en) A virtual disk image encryption processing system and method
CN101621527B (en) Method, system and device for implementing Portal-based security authentication in a VPN
CN107659482B (en) Method and device for transmitting data based on virtual private network
JP5799399B1 (en) Virtual communication system
CN106789008B (en) Method, device and system for decrypting sharable encrypted data
CN106339623B (en) Login method and device
CN103034811B (en) A method, system and device for file processing
CN104811507A (en) IP address acquiring method and IP address acquiring device
CN114026826B (en) Provider network connectivity management for provider network substrate extensions
US11374789B2 (en) Provider network connectivity to provider network substrate extensions
US20150334115A1 (en) Dynamic provisioning of virtual systems
CN116743850A (en) Device self-discovery system based on an Internet of Things platform and implementation method thereof

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant