CN109587028B - Method and device for controlling flow of client - Google Patents

Method and device for controlling flow of client

Info

Publication number: CN109587028B
Authority: CN (China)
Prior art keywords: address, client, data packet, server, vpn
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811444737.7A
Other languages: Chinese (zh)
Other versions: CN109587028A (en)
Inventors: 陈功磊, 赵春伟, 李涛
Current Assignee: Qilin Hesheng Network Technology Inc (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Qilin Hesheng Network Technology Inc

Application filed by Qilin Hesheng Network Technology Inc
Priority to CN201811444737.7A
Publication of CN109587028A
Application granted
Publication of CN109587028B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/141 Setup of application sessions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of this application provide a method and a device for controlling client traffic. The method comprises: establishing a virtual private network (vpn) connection between a client and a server; issuing a vpn ip address to the client; acquiring a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address; and establishing a virtual switch and applying flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet. The method and device can control the traffic of each client in a simple, easy-to-implement and low-cost manner, saving traffic resources and server resources, without changing the network architecture to any large extent.

Description

Method and device for controlling flow of client
Technical Field
The present application relates to the field of computers, and in particular, to a method and an apparatus for controlling client traffic.
Background
In the traditional scheme in which the open-source VPN software OpenVPN (openvpn) is used to meet mobile-office requirements, an openvpn client sends a request to an openvpn server over the public network and receives the server's response, so that the client can access the organization's internal resources as if it were a local area network user.
The inventors found that, although this approach meets the most basic connectivity requirement, it cannot effectively control the traffic of each client. When there are many clients and each client's traffic cannot be reasonably and effectively controlled, traffic resources and server resources are wasted.
Disclosure of Invention
The embodiment of the application aims to provide a method and a device for controlling client traffic, which can effectively control the traffic of each client.
To solve the above technical problem, embodiments of the present application are achieved by the following aspects.
In a first aspect, an embodiment of the present application provides a method for controlling client traffic, comprising:
establishing a virtual private network (abbreviated vpn) connection between a client and a server;
issuing a vpn ip address to the client;
acquiring a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address;
and establishing a virtual switch and applying flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet.
In a second aspect, an embodiment of the present application provides an apparatus for controlling client traffic, comprising:
a connection module for establishing a vpn connection between the client and the server;
a transmission module for issuing a vpn ip address to the client;
an obtaining module for acquiring a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address;
and a control module for establishing a virtual switch and applying flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet.
In a third aspect, an embodiment of the present application provides an electronic device, including: memory, a processor and computer executable instructions stored on the memory and executable on the processor, which when executed by the processor implement the steps of a method of controlling client traffic as described in the first aspect above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium for storing computer-executable instructions, which when executed by a processor implement the steps of a method for controlling client traffic as described in the first aspect above.
In the embodiments of the application, a vpn connection is established between a client and a server, a vpn ip address is issued to the client, a data packet carrying the vpn ip address is acquired from the vpn connection, a virtual switch is established, and flow control is applied to the data packet according to a preset flow control policy based on the vpn ip address it carries. In this way the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner without changing the network architecture to any large extent, saving traffic resources and server resources.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a first flowchart illustrating a method for controlling client traffic according to an embodiment of the present disclosure;
fig. 2 is a second flowchart illustrating a method for controlling client traffic according to an embodiment of the present disclosure;
fig. 3 is a third flowchart illustrating a method for controlling client traffic according to an embodiment of the present application;
fig. 4 is a fourth flowchart illustrating a method for controlling client traffic according to an embodiment of the present application;
fig. 5 is a schematic block diagram illustrating a first module of an apparatus for controlling client traffic according to an embodiment of the present disclosure;
fig. 6 is a schematic block diagram illustrating a second exemplary module of an apparatus for controlling client traffic according to an embodiment of the present disclosure;
fig. 7 is a schematic hardware structure diagram of an electronic device for executing a method for controlling client traffic according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Fig. 1 shows a first flowchart of a method for controlling client traffic according to an embodiment of the present application, where the method may be performed by an electronic device, such as a terminal device or a server device. In other words, the method may be performed by software or hardware installed in the terminal device or the server device. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. As shown, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn is a remote-access technology that establishes a private, encrypted channel over a public network. Enterprise networking is a typical vpn scenario: for example, an employee working from home establishes a vpn connection between a personal computer (the client) and the company server in order to access the company's internal resources.
S20: Issue a vpn ip address to the client.
Once the vpn connection is established, the server issues a vpn ip address to the client.
S30: Acquire a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address.
Acquiring the data packet may mean that the server receives a packet sent by the client over the vpn connection, or that a packet sent by the server to the client over the vpn connection is intercepted.
S40: Establish a virtual switch and apply flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet. That is, a virtual switch is established, the client corresponding to the vpn ip address in the data packet is determined, and the virtual switch applies the flow control policy preset for that client to the data packet.
Therefore, the method for controlling client traffic provided by this embodiment can control the traffic of each client in a simple, easy-to-implement and low-cost manner without changing the network architecture to any large extent, saving traffic resources and server resources.
Fig. 2 shows a second flowchart of a method for controlling client traffic according to an embodiment of the present application, where the method may be performed by an electronic device, such as a terminal device or a server device. In other words, the method may be performed by software or hardware installed in the terminal device or the server device. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. As shown, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn is a remote-access technology that establishes a private, encrypted channel over a public network. Enterprise networking is a typical vpn scenario: for example, an employee working from home establishes a vpn connection between a personal computer (the client) and the company server in order to access the company's internal resources.
In one possible implementation, step S10 may specifically include the following steps.
Step S11: Receive, via the vyos network operating system, a vpn request sent by the client.
For example, the client sends the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the reply to the vpn request to the client via the vyos network operating system.
The server returns its reply to the vpn request to the client through the vyos network operating system.
In this way, the vpn connection between the client and the server is established efficiently.
S20: Issue a vpn ip address to the client.
Once the vpn connection is established, the server issues a vpn ip address to the client.
S30: Acquire a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address.
The embodiments cover both the case in which the client sends a data packet to the server and the case in which the server sends a data packet to the client. Acquiring the data packet may therefore mean that the server receives a packet sent by the client over the vpn connection, or that a packet sent by the server to the client over the vpn connection is intercepted.
Specifically, when the data packet is sent from the client to the server, it consists of an outer packet and an inner packet: the source ip address in the outer header is the client's local public-network ip address and the destination ip address of the outer packet is the server's public-network ip address; the source ip address in the inner header is the vpn ip address and the destination ip address of the inner packet is the ip address of the internal resource on the server side.
When the server sends the data packet to the client, it likewise consists of an outer packet and an inner packet: the source ip address in the outer header is the server's public-network ip address and the destination ip address of the outer packet is the client's local public-network ip address; the source ip address in the inner header is the ip address of the internal resource on the server side and the destination ip address of the inner packet is the vpn ip address.
Therefore, the embodiments apply both when the client actively sends a data packet to the server and when the server actively sends a data packet to the client.
S40: Establish a virtual switch and apply flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet.
That is, a virtual switch is established, the client corresponding to the vpn ip address in the data packet is determined, and the virtual switch applies the flow control policy preset for that client to the data packet.
In a possible implementation, the preset flow control policy may include one or more of: bandwidth control, ip address, port and protocol.
Therefore, the method for controlling client traffic provided by this embodiment establishes the vpn connection between the client and the server efficiently, applies both when the client actively sends a data packet to the server and when the server actively sends a data packet to the client, and controls the traffic of each client in a simple, easy-to-implement and low-cost manner without changing the network architecture to any large extent, saving traffic resources and server resources.
Fig. 3 shows a third flowchart of a method for controlling client traffic according to an embodiment of the present application, where the method may be performed by an electronic device, such as a terminal device or a server device. In other words, the method may be performed by software or hardware installed in the terminal device or the server device. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. As shown, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn is a remote-access technology that establishes a private, encrypted channel over a public network. Enterprise networking is a typical vpn scenario: for example, an employee working from home establishes a vpn connection between a personal computer (the client) and the company server in order to access the company's internal resources.
In a possible implementation, step S10 may further include the following steps.
Step S110: Deploy network address translation (nat) on the vyos network operating system and expose the server to the public network.
Network address translation requires nat software to be installed on a router that holds at least one valid external ip address; when hosts using local addresses communicate with the outside, the router translates their local addresses to an external ip address, which exposes them to the public network.
Step S111: Verify the identity of the client.
In a possible implementation, the server verifies the client's account name and password against a back-end authenticator in order to verify the client's identity.
For example, a user accesses an internal resource of the server, such as an Office Automation (OA) system, from a non-intranet environment through a client such as a mobile phone. The phone is on a 4G network and has the openvpn application installed; after starting the application, the user enters an account name and password. The openvpn server is exposed to the public network through a one-to-one nat mapping on the vyos network operating system and provides the vpn service externally. On receiving the client's request, the server verifies the client's identity, for example by checking the account name and password against a Remote Authentication Dial-In User Service (RADIUS) server in the background.
In one possible implementation, step S10 may include the following specific steps.
Step S11: Receive, via the vyos network operating system, a vpn request sent by the client.
For example, the client sends the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the reply to the vpn request to the client via the vyos network operating system.
The server returns its reply to the vpn request to the client through the vyos network operating system.
In this way, the vpn connection between the client and the server is established efficiently.
S20: Issue a vpn ip address to the client.
Once the vpn connection is established, the server issues a vpn ip address to the client.
S30: Acquire a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address.
The embodiments cover both the case in which the client sends a data packet to the server and the case in which the server sends a data packet to the client. Acquiring the data packet may therefore mean that the server receives a packet sent by the client over the vpn connection, or that a packet sent by the server to the client over the vpn connection is intercepted.
Specifically, when the data packet is sent from the client to the server, it consists of an outer packet and an inner packet: the source ip address in the outer header is the client's local public-network ip address and the destination ip address of the outer packet is the server's public-network ip address; the source ip address in the inner header is the vpn ip address and the destination ip address of the inner packet is the ip address of the internal resource on the server side.
For example, the vpn ip obtained by the client is 192.168.10.100/24, the client's public-network ip on the 4G network is 202.108.2.10, the public-network ip of the openvpn server providing the service externally is 61.4.176.10, and the ip of the OA system is 172.16.10.100.
After the vpn connection is established, the client initiates a request to the OA system. Before entering the vpn connection the request is encapsulated as follows: outer header source ip 202.108.2.10, outer destination ip 61.4.176.10; inner header source ip 192.168.10.100, inner destination ip 172.16.10.100. The server decapsulates the packet and obtains the inner packet with source ip 192.168.10.100 and destination ip 172.16.10.100.
When the server sends the data packet to the client, it likewise consists of an outer packet and an inner packet: the source ip address in the outer header is the server's public-network ip address and the destination ip address of the outer packet is the client's local public-network ip address; the source ip address in the inner header is the ip address of the internal resource on the server side and the destination ip address of the inner packet is the vpn ip address.
S40: Establish a virtual switch and apply flow control to the data packet, according to a preset flow control policy, based on the vpn ip address in the data packet.
That is, a virtual switch is established, the client corresponding to the vpn ip address in the data packet is determined, and the virtual switch applies the flow control policy preset for that client to the data packet.
In a possible implementation, the virtual switch is established by the vyos network operating system: the client corresponding to the vpn ip address in the data packet is determined, and the vyos network operating system applies the flow control policy preset for that client to the data packet. vyos is a network operating system based on the general-purpose operating system Debian and can itself provide vpn functionality.
In a possible implementation, the preset flow control policy may include one or more of: bandwidth control, ip address, port and protocol.
For example, the policy pre-deployed on the vyos network operating system is: SRC IP 192.168.10.100, DST IP 172.16.10.100, PROTOCOL HTTP & HTTPS, BANDWIDTH 2 Mbps. That is, data packets from source ip 192.168.10.100 to destination ip 172.16.10.100 that access the HTTP/HTTPS service are limited to 2 Mbps. After rate limiting and similar operations according to the pre-deployed policy, the request is forwarded to the OA system.
In one possible implementation, the vyos network operating system may apply different rate-limiting policies to classified packets, for example matching a source subnet (SRC IP_SUBNET), a destination subnet (DST IP_SUBNET), or particular protocols such as the BitTorrent (BT) protocol, and limiting each class independently.
Therefore, the method for controlling client traffic provided by this embodiment establishes the vpn connection between the client and the server efficiently and can identify the characteristics of the data packets. With later optimization and hardening of its network functions, the vyos network operating system acquires flow control functions comparable to those of physical network equipment, so that control granularity and flexibility meet practical requirements, and the traffic of each client can be controlled in a simple, easy-to-implement and low-cost manner without changing the network architecture, saving traffic resources and server resources.
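The following is a worked configuration for the deployment in steps S110 to S40, added here as an example; it is not part of the patent and not the assignee's code. It reuses the patent's example addresses (client vpn ip 192.168.10.100, public address 61.4.176.10, OA system 172.16.10.100) and assumes VyOS 1.2 (crux) command syntax, three interfaces eth0/eth1/eth2, a private address 172.16.20.10 for the OpenVPN server behind the one-to-one nat, and a 100 Mbps uplink; all of those are assumptions. Because traffic shaping in VyOS is egress-only, the 2 Mbps limit is expressed once per direction.

```vyos
# Added example, not from the patent: VyOS 1.2 (crux) configuration for steps
# S110 to S40. Addresses from the patent's example are reused; interface names,
# the OpenVPN server's private address 172.16.20.10 and the 100 Mbps uplink
# are assumptions. Typed in configure mode, followed by commit / save.

# eth0: public uplink holding 61.4.176.10
# eth1: segment with the OpenVPN server (decrypted tunnel traffic appears here)
# eth2: segment with the OA system 172.16.10.100
set interfaces ethernet eth0 address '61.4.176.10/24'
set interfaces ethernet eth1 address '172.16.20.1/24'
set interfaces ethernet eth2 address '172.16.10.1/24'

# Step S110: one-to-one NAT exposing the OpenVPN server on the public address.
# Only UDP/1194 is forwarded inbound; the reverse rule keeps the server's
# outbound traffic sourced from the same public address.
set nat destination rule 10 description 'OpenVPN one-to-one NAT, inbound'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 destination address '61.4.176.10'
set nat destination rule 10 protocol 'udp'
set nat destination rule 10 destination port '1194'
set nat destination rule 10 translation address '172.16.20.10'
set nat source rule 10 description 'OpenVPN one-to-one NAT, outbound'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '172.16.20.10'
set nat source rule 10 translation address '61.4.176.10'

# Step S40, client -> OA direction. The policy keys on the inner source
# address, which is only visible after the OpenVPN server has decrypted the
# tunnel, so the shaper hangs on the OA-facing interface, not on eth0.
# Patent policy: SRC IP 192.168.10.100 DST IP 172.16.10.100 PROTOCOL HTTP & HTTPS BANDWIDTH 2 Mbps
set traffic-policy shaper VPN-TO-OA bandwidth '100mbit'
set traffic-policy shaper VPN-TO-OA default bandwidth '50%'
set traffic-policy shaper VPN-TO-OA default ceiling '100%'
set traffic-policy shaper VPN-TO-OA class 10 description 'client 192.168.10.100 to OA web'
set traffic-policy shaper VPN-TO-OA class 10 bandwidth '2mbit'
set traffic-policy shaper VPN-TO-OA class 10 ceiling '2mbit'
set traffic-policy shaper VPN-TO-OA class 10 match HTTP ip source address '192.168.10.100/32'
set traffic-policy shaper VPN-TO-OA class 10 match HTTP ip destination address '172.16.10.100/32'
set traffic-policy shaper VPN-TO-OA class 10 match HTTP ip protocol 'tcp'
set traffic-policy shaper VPN-TO-OA class 10 match HTTP ip destination port '80'
set traffic-policy shaper VPN-TO-OA class 10 match HTTPS ip source address '192.168.10.100/32'
set traffic-policy shaper VPN-TO-OA class 10 match HTTPS ip destination address '172.16.10.100/32'
set traffic-policy shaper VPN-TO-OA class 10 match HTTPS ip protocol 'tcp'
set traffic-policy shaper VPN-TO-OA class 10 match HTTPS ip destination port '443'
# Subnet-wide class (SRC IP_SUBNET) for the rest of the VPN pool
set traffic-policy shaper VPN-TO-OA class 20 description 'remaining VPN pool'
set traffic-policy shaper VPN-TO-OA class 20 bandwidth '20mbit'
set traffic-policy shaper VPN-TO-OA class 20 ceiling '40mbit'
set traffic-policy shaper VPN-TO-OA class 20 match POOL ip source address '192.168.10.0/24'
set interfaces ethernet eth2 traffic-policy out 'VPN-TO-OA'

# Step S40, OA -> client direction. Shaping is egress-only, so the return
# traffic is matched on the inner destination address and shaped on eth1.
set traffic-policy shaper OA-TO-VPN bandwidth '100mbit'
set traffic-policy shaper OA-TO-VPN default bandwidth '50%'
set traffic-policy shaper OA-TO-VPN default ceiling '100%'
set traffic-policy shaper OA-TO-VPN class 10 description 'OA web to client 192.168.10.100'
set traffic-policy shaper OA-TO-VPN class 10 bandwidth '2mbit'
set traffic-policy shaper OA-TO-VPN class 10 ceiling '2mbit'
set traffic-policy shaper OA-TO-VPN class 10 match HTTP ip source address '172.16.10.100/32'
set traffic-policy shaper OA-TO-VPN class 10 match HTTP ip destination address '192.168.10.100/32'
set traffic-policy shaper OA-TO-VPN class 10 match HTTP ip protocol 'tcp'
set traffic-policy shaper OA-TO-VPN class 10 match HTTP ip source port '80'
set traffic-policy shaper OA-TO-VPN class 10 match HTTPS ip source address '172.16.10.100/32'
set traffic-policy shaper OA-TO-VPN class 10 match HTTPS ip destination address '192.168.10.100/32'
set traffic-policy shaper OA-TO-VPN class 10 match HTTPS ip protocol 'tcp'
set traffic-policy shaper OA-TO-VPN class 10 match HTTPS ip source port '443'
set interfaces ethernet eth1 traffic-policy out 'OA-TO-VPN'

commit
save
```

Two points the patent's description leaves implicit. First, the shaper can only key on the vpn ip after the tunnel has been decrypted, so it belongs on the interfaces between the OpenVPN server and the OA network; on eth0 only the outer packets (202.108.2.10 to 61.4.176.10) are visible and the inner addresses cannot be matched. Second, a policy keyed on 192.168.10.100 is a policy on an address, not on a person: unless the OpenVPN server pins that address to the authenticated account (a client-config-dir entry with ifconfig-push, or `set interfaces openvpn vtun0 server client <name> ip <address>` if the tunnel terminates on VyOS itself), a dynamic address pool can hand the address to a different user and the 2 Mbps limit follows the address rather than the account. Authentication against RADIUS (step S111) happens on the OpenVPN server and is outside this configuration.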
Fig. 4 shows a fourth flowchart of a method for controlling client traffic according to an embodiment of the present application, where the method may be performed by an electronic device, for example, a terminal device or a server device. In other words, the method may be performed by software or hardware installed in the terminal device or the server device. The server includes but is not limited to: a single server, a server cluster, a cloud server or a cloud server cluster, and the like. As shown, the method may include the following steps.
S10: Establish a virtual private network (vpn) connection between the client and the server.
A vpn is a remote-access technology that establishes a private, encrypted channel over a public network. Enterprise networking is a typical vpn scenario: for example, an employee working from home establishes a vpn connection between a personal computer (the client) and the company server in order to access the company's internal resources.
In a possible implementation, step S10 may further include the following steps.
Step S110: Deploy network address translation (nat) on the vyos network operating system and expose the server to the public network.
Network address translation requires nat software to be installed on a router that holds at least one valid external ip address; when hosts using local addresses communicate with the outside, the router translates their local addresses to an external ip address, which exposes them to the public network.
Step S111: Verify the identity of the client.
In a possible implementation, the server verifies the client's account name and password against a back-end authenticator in order to verify the client's identity.
For example, a user accesses an internal resource of the server, such as an Office Automation (OA) system, from a non-intranet environment through a client such as a mobile phone. The phone is on a 4G network and has the openvpn application installed; after starting the application, the user enters an account name and password. The openvpn server is exposed to the public network through a one-to-one nat mapping on the vyos network operating system and provides the vpn service externally. On receiving the client's request, the server verifies the client's identity, for example by checking the account name and password against a Remote Authentication Dial-In User Service (RADIUS) server in the background.
In one possible implementation, step S10 may include the following specific steps.
Step S11: Receive, via the vyos network operating system, a vpn request sent by the client.
For example, the client sends the vpn request to the vyos network operating system, which forwards it to the server.
Step S12: Send the reply to the vpn request to the client via the vyos network operating system.
The server returns its reply to the vpn request to the client through the vyos network operating system.
In this way, the vpn connection between the client and the server is established efficiently.
S20: Issue a vpn ip address to the client.
Once the vpn connection is established, the server issues a vpn ip address to the client.
S30: Acquire a data packet transmitted over the vpn connection, the data packet carrying the vpn ip address.
The embodiments cover both the case in which the client sends a data packet to the server and the case in which the server sends a data packet to the client. Acquiring the data packet may therefore mean that the server receives a packet sent by the client over the vpn connection, or that a packet sent by the server to the client over the vpn connection is intercepted.
Specifically, when the data packet is sent from the client to the server, it consists of an outer packet and an inner packet: the source ip address in the outer header is the client's local public-network ip address and the destination ip address of the outer packet is the server's public-network ip address; the source ip address in the inner header is the vpn ip address and the destination ip address of the inner packet is the ip address of the internal resource on the server side.
For example, the vpn ip obtained by the client is 192.168.10.100/24, the client's public-network ip on the 4G network is 202.108.2.10, the public-network ip of the openvpn server providing the service externally is 61.4.176.10, and the ip of the OA system is 172.16.10.100.
After the vpn connection is established, the client initiates a request to the OA system. Before entering the vpn connection the request is encapsulated as follows: outer header source ip 202.108.2.10, outer destination ip 61.4.176.10; inner header source ip 192.168.10.100, inner destination ip 172.16.10.100. The server decapsulates the packet and obtains the inner packet with source ip 192.168.10.100 and destination ip 172.16.10.100.
When the server sends the data packet to the client, it likewise consists of an outer packet and an inner packet: the source ip address in the outer header is the server's public-network ip address and the destination ip address of the outer packet is the client's local public-network ip address; the source ip address in the inner header is the ip address of the internal resource on the server side and the destination ip address of the inner packet is the vpn ip address.
S40: and establishing a virtual switch, and carrying out flow control on the data packet according to a preset flow control strategy based on the vpn ip address in the data packet.
Establishing a virtual switch, determining a client corresponding to the vpn ip address based on the vpn ip address in the data packet, and controlling the flow of the data packet through the virtual switch according to a flow control strategy preset for the client.
In a possible implementation manner, the virtual switch may be established by the vyos network operating system in the embodiment of the present application. The client corresponding to the vpn ip address is determined from the vpn ip address in the data packet, and flow control is applied to the data packet through the vyos network operating system according to the flow control strategy preset for that client; vyos is a network operating system based on the general-purpose operating system Debian and can provide vpn functions.
In a possible implementation manner, the preset flow control policy may further include: one or more of bandwidth control, ip address, port, and protocol.
For example, the policy pre-deployed on the vyos network operating system is: SRC IP 192.168.10.100, DST IP 172.16.10.100, PROTOCOL HTTPS & HTTP, BANDWIDTH 2 Mbps; that is, the bandwidth of data packets with source IP 192.168.10.100 and destination IP 172.16.10.100 that access the HTTP/HTTPS service is limited to 2 Mbps.
In one possible implementation, the vyos network operating system may apply different speed-limit strategies to classified packets, for example matching a source IP subnet (IP_SUBNET), a destination IP subnet, or certain protocols such as the BitTorrent (BT) protocol, and applying an independent rate limit to each.
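The decapsulation and classification step described above, written out as an added example (this is not code from the patent or from vyos). It assumes the simplified model the text uses, an outer IPv4 header directly wrapping an inner IPv4 header (IP-in-IP, protocol 4); a real openvpn tunnel carries the inner packet inside UDP/TCP with TLS, so a production classifier would strip that transport first. HTTP/HTTPS are assumed to mean TCP ports 80 and 443, and the sample packet is constructed from the addresses given in the text.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP = 4   # outer protocol number for IP-in-IP (assumed encapsulation model)
IPPROTO_TCP = 6


def build_ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_client_packet(vpn_ip, inner_dst, dport, outer_src="202.108.2.10",
                        outer_dst="61.4.176.10"):
    """Constructed sample of the client->server packet from the text: the outer header
    carries the client's public IP and the server's public IP, the inner header carries
    the issued vpn ip and the internal resource address (TCP SYN, source port 51000)."""
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    inner = build_ipv4_header(vpn_ip, inner_dst, IPPROTO_TCP, len(tcp)) + tcp
    return build_ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def parse_ipv4_header(buf):
    """Return (src, dst, proto, header_len); rejects truncated or non-IPv4 input."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, ihl)


@dataclass
class Classified:
    outer_src: str
    outer_dst: str
    vpn_ip: str           # inner source address = the vpn ip the server issued
    inner_dst: str
    proto: int
    dport: Optional[int]


def classify(packet):
    """Decapsulate outer and inner headers and pull out the fields the policy keys on."""
    osrc, odst, oproto, ohl = parse_ipv4_header(packet)
    if oproto != IPPROTO_IPIP:
        raise ValueError("outer packet does not carry an inner IP packet")
    inner = packet[ohl:]
    isrc, idst, iproto, ihl = parse_ipv4_header(inner)
    dport = None
    if iproto == IPPROTO_TCP and len(inner) >= ihl + 4:
        _, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return Classified(osrc, odst, isrc, idst, iproto, dport)


@dataclass(frozen=True)
class Policy:
    src: str               # vpn ip or subnet, e.g. "192.168.10.100/32"
    dst: str               # internal resource ip or subnet
    proto: int
    dports: frozenset      # empty set = any port
    bandwidth_mbps: float


# The policy string from the text (SRC IP 192.168.10.100, DST IP 172.16.10.100,
# PROTOCOL HTTPS & HTTP, BANDWIDTH 2 Mbps) as a rule; HTTP/HTTPS assumed to be TCP 80/443.
POLICIES = [
    Policy("192.168.10.100/32", "172.16.10.100/32", IPPROTO_TCP, frozenset({80, 443}), 2.0),
]


def match_policy(c, policies=POLICIES):
    """First matching rule keyed on the inner (vpn) header, or None if no rule applies."""
    src = ipaddress.IPv4Address(c.vpn_ip)
    dst = ipaddress.IPv4Address(c.inner_dst)
    for p in policies:
        if (src in ipaddress.IPv4Network(p.src) and dst in ipaddress.IPv4Network(p.dst)
                and c.proto == p.proto and (not p.dports or c.dport in p.dports)):
            return p
    return None


if __name__ == "__main__":
    c = classify(build_client_packet("192.168.10.100", "172.16.10.100", 443))
    print(c, match_policy(c))
```

The policy is keyed only on the inner header, which is what ties a packet to a client; the outer public addresses change whenever the client moves networks, so they are carried through for logging but not matched on. A subnet rule such as "192.168.10.0/24" in `src` covers the IP_SUBNET matching mentioned above.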
In a possible implementation manner, after the step S40, a step S50 may be further included.
Step S50: recording the traffic used by the client, as reported by the vyos network operating system.
Specifically, the vyos network operating system may report the client traffic to the server and record the traffic by the server, and in a possible implementation manner, the server may further perform operations such as charging based on the traffic.
In a possible implementation manner, the client may also report the local traffic to the server for traffic statistics through the vyos network operating system.
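How a per-client bandwidth limit and the usage record of step S50 can fit together, as an added example that is not the patent's or vyos's own implementation. It assumes a token bucket as the limiting mechanism (the text does not say how vyos enforces the 2 Mbps limit), a burst of 100 ms worth of the allowed rate, and, as a defensive assumption not stated in the text, that a packet whose inner source is not an issued vpn ip is dropped and counted separately rather than passed, because the inner address is the only thing binding a packet to a client.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """Classic token bucket: tokens are bytes, refilled at rate_bps (bytes per second)
    up to burst. A packet passes only if the bucket holds at least its size."""
    rate_bps: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.burst
        self.last = 0.0

    def allow(self, size, now):
        elapsed = max(0.0, now - self.last)   # a clock going backwards never mints tokens
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class ClientShaper:
    """Per-client limiter keyed on the issued vpn ip, plus the usage record the
    server keeps for statistics or charging (step S50)."""

    def __init__(self, limits_mbps, burst_seconds=0.1):
        # one bucket per issued vpn ip; burst = burst_seconds worth of the allowed rate (assumed)
        self.buckets = {}
        for vpn_ip, mbps in limits_mbps.items():
            rate = mbps * 1_000_000 / 8          # Mbit/s -> bytes/s
            self.buckets[vpn_ip] = TokenBucket(rate, rate * burst_seconds)
        self.usage = defaultdict(lambda: {"passed": 0, "dropped": 0, "unknown": 0})

    def handle(self, vpn_ip, size, now):
        """Return True if the packet is forwarded. An inner source that no client was
        issued is dropped and counted under 'unknown' (assumption, see lead-in)."""
        bucket = self.buckets.get(vpn_ip)
        if bucket is None:
            self.usage[vpn_ip]["unknown"] += size
            return False
        if bucket.allow(size, now):
            self.usage[vpn_ip]["passed"] += size
            return True
        self.usage[vpn_ip]["dropped"] += size
        return False

    def report(self):
        """Bytes per client, the record that step S50 stores on the server."""
        return {ip: dict(v) for ip, v in self.usage.items()}


def simulate(shaper, vpn_ip, count, size, now):
    """Offer `count` packets of `size` bytes at instant `now`; returns (passed, dropped)."""
    results = [shaper.handle(vpn_ip, size, now) for _ in range(count)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    shaper = ClientShaper({"192.168.10.100": 2.0})   # the 2 Mbps policy from the text
    print(simulate(shaper, "192.168.10.100", 20, 1500, 0.0))   # burst of 16 x 1500 B passes
    print(shaper.report())
```

With a 2 Mbps limit the bucket holds 25,000 bytes, so a burst of twenty 1500-byte packets at one instant passes sixteen and drops four; a second burst one second later refills the bucket and behaves the same. Time is passed in explicitly so the behaviour is deterministic and testable without a wall clock.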
Therefore, the method for controlling the flow of the client can efficiently establish the vpn connection between the client and the server, can identify the characteristics of the data packet, enables the vyos network operating system to have the flow control function similar to that of physical network equipment through later-stage optimization and network function reinforcement, can well meet the practical requirements in terms of control granularity and flexibility, and can control the flow of each client in a simple, convenient, easy-to-implement and low-cost manner on the premise of not changing a network architecture to save flow resources and server resources. Further, the method for controlling the client traffic provided by the embodiment of the application can perform traffic statistics of the client.
Fig. 5 shows a first module schematic diagram of an apparatus for controlling client traffic according to an embodiment of the present application, and as shown in the figure, the apparatus 1 for controlling client traffic includes: a connection module 10, a transmission module 20, an acquisition module 30 and a control module 40.
In particular, the connection module 10 is used to establish a virtual private network vpn connection between the client and the server. The transmission module 20 is connected to the connection module 10, and configured to issue a vpn ip address to the client. The obtaining module 30 is connected to the transmission module 20, and configured to obtain a data packet transmitted based on the vpn connection, where the data packet carries the vpn ip address. The control module 40 is connected to the obtaining module 30, and is configured to establish a virtual switch, and perform flow control on the data packet according to a preset flow control policy based on a vpn ip address in the data packet.
The working method of each module in the device 1 for controlling client traffic provided in the embodiment of the present application is similar to the steps described in the foregoing method embodiment, and is not described here again.
Therefore, the device for controlling the flow of the client, provided by the embodiment of the application, can control the flow of each client in a simple, convenient and easy-to-implement and low-cost manner to save flow resources and server resources on the premise of not changing a network architecture in a large range.
Fig. 6 shows a second module schematic diagram of an apparatus for controlling client traffic according to an embodiment of the present application, and as shown in the figure, the apparatus 1 for controlling client traffic includes: a connection module 10, a transmission module 20, an acquisition module 30, a control module 40, a deployment module 110, an authentication module 111 and a statistics module 50.
In particular, the connection module 10 is used to establish a virtual private network vpn connection between the client and the server. In a possible implementation manner, the connection module 10 may be specifically configured to receive, through the vyos network operating system, a virtual private network vpn request sent by the client, and send, through the vyos network operating system, the vpn request to the client.
The transmission module 20 is configured to issue a vpn ip address to the client.
The obtaining module 30 is configured to obtain a data packet transmitted based on the vpn connection, where the data packet carries the vpn ip address. In a possible implementation manner, the data packet acquired by the acquiring module comprises an outer layer packet and an inner layer packet, wherein the packet header of the outer layer packet comprises the local public network ip address of the client, the destination ip address of the outer layer packet comprises the public network ip address of the server, the packet header of the inner layer packet comprises the vpn ip address, and the destination ip address of the inner layer packet comprises the ip address of the server's internal resources.
In another possible implementation manner, the data packet obtained by the obtaining module comprises an outer layer packet and an inner layer packet, wherein the packet header of the inner layer packet comprises the public network ip address of the server, the destination ip address of the inner layer packet comprises the local public network ip address of the client, the packet header of the outer layer packet comprises the ip address of the server's internal resources, and the destination ip address of the outer layer packet comprises the vpn ip address.
The control module 40 is configured to establish a virtual switch, and perform flow control on the data packet according to a preset flow control policy based on the vpn ip address in the data packet. In one possible implementation, control module 40 is configured to establish the virtual switch via a vyos network operating system. In a possible implementation manner, the preset flow control policy further includes: one or more of bandwidth control, ip address, port, and protocol.
In a possible implementation manner, the apparatus 1 further includes a deployment module 110, connected to the connection module 10, and configured to deploy network address translation nat through the vyos network operating system, so as to expose the server to a public network.
In a possible implementation, the device 1 further comprises an authentication module 111, connected to the connection module 10, for verifying the identity of the client.
In a possible implementation manner, the apparatus 1 further includes a statistics module 50, connected to the control module 40, and configured to record traffic used by the client and reported by the vyos network operating system.
The working method of each module in the device 1 for controlling client traffic provided in the embodiment of the present application is similar to the steps described in the foregoing method embodiment, and is not described here again.
Therefore, the device for controlling the flow of the client can efficiently establish the vpn connection between the client and the server, can identify the characteristics of a data packet, enables a vyos network operating system to have a flow control function similar to that of physical network equipment through later-stage optimization and network function enhancement, can well meet practical requirements in terms of control granularity and flexibility, and can control the flow of each client in a simple, convenient, easy-to-implement and low-cost manner to save flow resources and server resources on the premise of not changing a network architecture in a large range. Further, the device for controlling the flow of the client, provided by the embodiment of the application, can perform flow statistics of the client.
Fig. 7 is a schematic hardware structure diagram of an electronic device for performing a method for controlling client traffic according to an embodiment of the present disclosure. As shown in the figure, the electronic device may differ considerably in configuration and performance, and may include one or more processors 701 and a memory 702, where the memory 702 may store one or more applications or data. Memory 702 may be, among other things, transient storage or persistent storage. The application program stored in memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the electronic device. Still further, the processor 701 may be configured to communicate with the memory 702 and execute a series of computer-executable instructions in the memory 702 on the electronic device. The electronic device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input-output interfaces 705, one or more keyboards 706, and the like.
In a particular embodiment, the electronic device includes a memory, a processor, and computer-executable instructions stored on the memory and executable on the processor, which when executed by the processor implement the following:
establishing a virtual private network (vpn) connection between a client and a server;
issuing a virtual private network Internet protocol (vpn ip) address to the client;
acquiring a data packet transmitted over the vpn connection, wherein the data packet carries the vpn ip address; and
performing flow control on the data packet, based on the vpn ip address in the data packet, according to a preset flow control strategy through a vyos network operating system.
Optionally, when executed by the processor, the computer-executable instructions establish a virtual private network vpn connection between the client and the server, including performing:
receiving, through the vyos network operating system, a virtual private network (vpn) request sent by the client; and
sending the vpn request to the client through the vyos network operating system.
Optionally, when executed by the processor, the computer-executable instructions further perform, before receiving, by the vyos network operating system, a virtual private network vpn request sent by the client:
deploying network address translation (nat) through the vyos network operating system, exposing the server to a public network.
Optionally, when the computer-executable instructions are executed by the processor, the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the outer layer packet comprises the local public network ip address of the client, the destination ip address of the outer layer packet comprises the public network ip address of the server, the packet header of the inner layer packet comprises the vpn ip address, and the destination ip address of the inner layer packet comprises the ip address of the server's internal resources.
Optionally, when the computer-executable instructions are executed by the processor, the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the inner layer packet comprises the public network ip address of the server, the destination ip address of the inner layer packet comprises the local public network ip address of the client, the packet header of the outer layer packet comprises the ip address of the server's internal resources, and the destination ip address of the outer layer packet comprises the vpn ip address.
Optionally, when the computer executable instructions are executed by the processor, the preset flow control policy further includes: one or more of bandwidth control, ip address, port, and protocol.
Optionally, when executed by the processor, the computer-executable instructions further perform, after the performing flow control on the data packet according to a preset flow control policy:
recording the traffic used by the client, as reported by the vyos network operating system.
Optionally, the computer executable instructions, when executed by the processor, further perform, before establishing a virtual private network vpn connection between the client and the server: verifying the identity of the client.
Therefore, the electronic device executing the method for controlling the client flow provided by the embodiment of the application can efficiently establish the vpn connection between the client and the server, can identify the characteristics of the data packet, enables the vyos network operating system to have the flow control function similar to that of a physical network device through later-stage optimization and network function enhancement, can well meet the practical requirements in terms of control granularity and flexibility, and can control the flow of each client in a simple, convenient and easy-to-implement and low-cost manner on the premise of not changing a network architecture to save flow resources and server resources. Further, the electronic device executing the method for controlling the client traffic provided by the embodiment of the present application is capable of performing traffic statistics of the client.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to the following devices.
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions and generally have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, electronic books, as well as smart toys and portable car navigation devices.
(4) Servers, which are similar to a general computer architecture but have higher requirements on processing capability, stability, reliability, safety, expandability, manageability and the like because they need to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
Further, an embodiment of the present application also provides a computer-readable storage medium for storing computer-executable instructions, which when executed by a processor implement the following process:
establishing a virtual private network (vpn) connection between a client and a server;
issuing a virtual private network Internet protocol (vpn ip) address to the client;
acquiring a data packet transmitted over the vpn connection, wherein the data packet carries the vpn ip address; and
performing flow control on the data packet, based on the vpn ip address in the data packet, according to a preset flow control strategy through a vyos network operating system.
Optionally, when executed by the processor, the computer-executable instructions establish a virtual private network vpn connection between the client and the server, including performing:
receiving, through the vyos network operating system, a virtual private network (vpn) request sent by the client; and
sending the vpn request to the client through the vyos network operating system.
Optionally, when executed by the processor, the computer-executable instructions further perform, before receiving, by the vyos network operating system, a virtual private network vpn request sent by the client:
deploying network address translation (nat) through the vyos network operating system, exposing the server to a public network.
Optionally, when the computer-executable instructions are executed by the processor, the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the outer layer packet comprises the local public network ip address of the client, the destination ip address of the outer layer packet comprises the public network ip address of the server, the packet header of the inner layer packet comprises the vpn ip address, and the destination ip address of the inner layer packet comprises the ip address of the server's internal resources.
Optionally, when the computer-executable instructions are executed by the processor, the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the inner layer packet comprises the public network ip address of the server, the destination ip address of the inner layer packet comprises the local public network ip address of the client, the packet header of the outer layer packet comprises the ip address of the server's internal resources, and the destination ip address of the outer layer packet comprises the vpn ip address.
Optionally, when the computer executable instructions are executed by the processor, the preset flow control policy further includes: one or more of bandwidth control, ip address, port, and protocol.
Optionally, when executed by the processor, the computer-executable instructions further perform, after the performing flow control on the data packet according to a preset flow control policy:
recording the traffic used by the client, as reported by the vyos network operating system.
Optionally, the computer executable instructions, when executed by the processor, further perform, before establishing a virtual private network vpn connection between the client and the server: verifying the identity of the client.
Therefore, the electronic device executing the method for controlling the client flow provided by the embodiment of the application can efficiently establish the vpn connection between the client and the server, can identify the characteristics of the data packet, enables the vyos network operating system to have the flow control function similar to that of a physical network device through later-stage optimization and network function enhancement, can well meet the practical requirements in terms of control granularity and flexibility, and can control the flow of each client in a simple, convenient and easy-to-implement and low-cost manner on the premise of not changing a network architecture to save flow resources and server resources. Further, the electronic device executing the method for controlling the client traffic provided by the embodiment of the present application is capable of performing traffic statistics of the client.
The computer-readable storage medium includes a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (12)

1. A method of controlling client traffic, comprising:
establishing a virtual private network (vpn) connection between a client and a server;
issuing a virtual private network Internet protocol (vpn ip) address to the client;
acquiring a data packet transmitted based on the vpn connection, wherein the data packet carries the vpn ip address; and
establishing a virtual switch, and carrying out flow control on the data packet according to a preset flow control strategy based on the vpn ip address in the data packet;
wherein performing flow control on the data packet according to the preset flow control strategy includes: classifying the data packet according to the type of the vpn ip address in the data packet; determining the flow control strategies corresponding to the classified data packets respectively, and controlling the flow of each data packet according to the determined flow control strategies respectively;
the preset flow control strategy comprises: one or more of bandwidth control, ip address, port and protocol;
the acquiring the data packet transmitted based on the vpn connection includes: acquiring a data packet received by the server and sent by the client based on the vpn connection, or intercepting a data packet sent by the server to the client based on the vpn connection.
2. The method of claim 1, wherein establishing a virtual private network (vpn) connection between the client and the server comprises:
receiving, through a vyos network operating system, a virtual private network (vpn) request sent by the client; and
sending the vpn request to the client through the vyos network operating system.
3. The method of claim 2, wherein before the receiving, by the vyos network operating system, the virtual private network (vpn) request sent by the client, the method further comprises:
deploying network address translation (nat) through the vyos network operating system, exposing the server to a public network.
4. The method of claim 1, wherein the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the outer layer packet comprises a local public network ip address of the client, the destination ip address of the outer layer packet comprises a public network ip address of the server, the packet header of the inner layer packet comprises the vpn ip address, and the destination ip address of the inner layer packet comprises an ip address of internal resources of the server.
5. The method of claim 1, wherein the data packet comprises an outer layer packet and an inner layer packet, wherein the packet header of the inner layer packet comprises a public network ip address of the server, the destination ip address of the inner layer packet comprises a local public network ip address of the client, the packet header of the outer layer packet comprises an ip address of internal resources of the server, and the destination ip address of the outer layer packet comprises the vpn ip address.
6. The method according to claim 2, further comprising, after said controlling the flow of the data packet according to a preset flow control policy:
recording the traffic used by the client, as reported by the vyos network operating system.
7. The method of claim 1, wherein the establishing a virtual switch comprises: establishing the virtual switch through a vyos network operating system.
8. An apparatus for controlling client traffic, comprising:
a connection module, configured to establish a virtual private network (vpn) connection between a client and a server;
a transmission module, configured to issue a virtual private network Internet protocol (vpn ip) address to the client;
an obtaining module, configured to obtain a data packet transmitted based on the vpn connection, where the data packet carries the vpn ip address; and
a control module, configured to establish a virtual switch and control the flow of the data packet according to a preset flow control strategy based on the vpn ip address in the data packet;
wherein the control module is further configured to classify the data packet according to the type of the vpn ip address in the data packet, determine the flow control strategies corresponding to the classified data packets respectively, and control the flow of each data packet according to the determined flow control strategies respectively;
the preset flow control strategy comprises: one or more of bandwidth control, ip address, port and protocol;
the obtaining module is further configured to obtain a data packet received by the server and sent by the client based on the vpn connection, or to intercept a data packet sent by the server to the client based on the vpn connection.
9. The apparatus of claim 8, wherein the connection module is configured to receive, through a vyos network operating system, a virtual private network (vpn) request sent by the client; and
to send the vpn request to the client through the vyos network operating system.
10. The apparatus of claim 9, further comprising:
a deployment module, configured to deploy network address translation (nat) through the vyos network operating system and expose the server to a public network.
11. The apparatus of claim 8, wherein the data packet obtained by the obtaining module comprises an outer layer packet and an inner layer packet, wherein the packet header of the outer layer packet comprises a local public network ip address of the client, the destination ip address of the outer layer packet comprises a public network ip address of the server, the packet header of the inner layer packet comprises the vpn ip address, and the destination ip address of the inner layer packet comprises an ip address of internal resources of the server.
12. The apparatus of claim 8, wherein the data packet obtained by the obtaining module comprises an outer layer packet and an inner layer packet, wherein the packet header of the inner layer packet comprises a public network ip address of the server, the destination ip address of the inner layer packet comprises a local public network ip address of the client, the packet header of the outer layer packet comprises an ip address of internal resources of the server, and the destination ip address of the outer layer packet comprises the vpn ip address.
CN201811444737.7A 2018-11-29 2018-11-29 Method and device for controlling flow of client Active CN109587028B (en)

Publications (2)

Publication Number Publication Date
CN109587028A CN109587028A (en) 2019-04-05
CN109587028B true CN109587028B (en) 2021-11-26
CN111800330A (en) Proxy acceleration method and system for peripheral network traffic based on wireless access point
US20150089058A1 (en) System and method for software defined adaptation of broadband network gateway services
US20230413353A1 (en) Inter-plmn user plane integration
CN108512738A (en) The long-range control method and system of terminal
TW201808049A (en) Method for controlling a client device to access a network device, and associated control apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant