CN109672602B - Method and equipment for remotely accessing VPN - Google Patents


Info

Publication number
CN109672602B
Authority
CN
China
Prior art keywords
vpn
user
protocol
firewall
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910004783.3A
Other languages
Chinese (zh)
Other versions
CN109672602A (en)
Inventor
赵大赓
代裕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingdao Juhaolian Technology Co ltd
Original Assignee
Qingdao Juhaolian Technology Co ltd
Priority application: CN201910004783.3A
Applicant: Qingdao Juhaolian Technology Co ltd
Publication of CN109672602A
Application granted
Publication of CN109672602B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80 Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for remotely accessing a VPN. They relate to the technical field of communication and solve the problem that the operating systems of some terminals do not support the private VPN access protocol of a switching equipment provider and therefore cannot access the VPN. The method comprises the following steps: after a Virtual Private Network (VPN) channel is established between a terminal and a firewall, the VPN access protocol required by the user is determined from a protocol set; the terminal then establishes a remote connection with the server according to the VPN access protocol selected by the user. Because the terminal integrates the private VPN access protocols of several switching equipment providers, the user selects one VPN access protocol according to their own needs after the VPN channel is successfully established, and the terminal establishes the remote connection with the server accordingly, so the operating system of the terminal can support multiple VPN access protocols and can access switching equipment that supports different protocols.

Description

Method and equipment for remotely accessing VPN
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a device for remotely accessing a VPN.
Background
A VPN (Virtual Private Network) is a network that establishes a private network on top of a public network in order to communicate with encryption. It is widely used in enterprise networks. The VPN gateway realizes remote access by encrypting the data packets and translating the packet destination address. VPNs can be classified in a variety of ways, mainly by protocol. A VPN may be implemented in a number of ways, including server, hardware, software, etc.
VPNs are low-cost and easy to use.
At present, the demand for remote office work from portable devices is increasingly strong; in particular, to respond in a timely manner, operation and maintenance personnel need portable devices to securely access a system and complete operations such as handling server files. Therefore, a portable device that can access the remote operating system through various protocols is very important for system stability.
Currently, the Android system only supports public VPN protocols such as IPSec (Internet Protocol Security). Of the private VPN access protocols of the various switching device providers, many do not support the Android operating system.
In summary, currently, the operating systems of some terminals do not support the private VPN access protocol of the switching device provider, and cannot access the VPN.
Disclosure of Invention
The invention provides a method and equipment for remotely accessing a VPN (virtual private network), which are used for solving the problems that the operating systems of some terminals in the prior art do not support a private VPN access protocol of an exchange equipment provider and cannot access the VPN.
In a first aspect, a method for remotely accessing a VPN according to an embodiment of the present invention includes:
after a Virtual Private Network (VPN) channel is established between a terminal and a firewall, a VPN access protocol required by a user in a protocol set is determined;
and the terminal establishes remote connection with the server according to the VPN access protocol selected by the user.
According to the method, multiple VPN access protocols are collected in a protocol set of the terminal. After a VPN channel is successfully established, the user selects one VPN access protocol according to their own needs, and the terminal establishes a remote connection with the server according to the selected VPN access protocol. Because the terminal integrates the private VPN access protocols of multiple switching equipment providers, the operating system of the terminal can support these multiple VPN access protocols and can access switching equipment that supports different protocols.
In a possible implementation manner, before the terminal determines a VPN access protocol that a user needs to use in a protocol set, the method further includes:
the terminal requests the firewall for protocol parameters corresponding to the VPN protocol type selected by the user;
the terminal determines the VPN protocol parameter selected by the user from among the VPN protocol parameters that correspond to the VPN protocol type selected by the user and are returned by the firewall;
after determining an authentication mode according to the VPN protocol parameter selected by the user, the terminal sends login information corresponding to the authentication mode and the VPN protocol parameter selected by the user, which are input by the user, to the firewall so that the firewall authenticates the login information according to the authentication mode;
and after the firewall authenticates the login information, the terminal establishes a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
According to the method, different types of VPN protocol are integrated in the protocol set of the terminal. Before a VPN channel is established between the terminal and the firewall, the user can select the type of VPN protocol according to their own requirements; compared with existing VPN clients that only support a default type, this is more diversified, and different authentication modes can be selected according to the protocol type, so that a rich VPN login method is provided.
In a possible implementation manner, the requesting, by the terminal, the firewall for the protocol parameter corresponding to the VPN protocol type selected by the user includes:
and the terminal establishes a virtual network card according to the VPN protocol type selected by the user and sends a data packet of the virtual network card to the firewall through a physical network card.
According to the method, the data packet of the virtual network card that the terminal creates according to the VPN protocol type selected by the user contains the data related to that VPN protocol type. The terminal forwards the data packet of the virtual network card to the firewall through the physical network card, and the firewall can then return the VPN protocol parameters for that VPN protocol type to the terminal.
In a possible implementation manner, the establishing, by the terminal, a VPN tunnel with the firewall according to the VPN protocol parameter selected by the user includes:
the terminal receives network information which is returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and the terminal establishes a VPN channel with the firewall according to the network information.
After the terminal receives the VPN protocol parameters returned by the firewall, the user selects one of them. After the user inputs login information according to the selected VPN protocol parameter, the firewall authenticates that login information; once authentication passes, the firewall returns network information determined by the selected VPN protocol parameter to the terminal, and the terminal establishes a VPN channel with the firewall according to the network information. That is, the VPN channel is established according to the VPN protocol type and the VPN protocol parameter selected by the user.
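The exchange just described, as an added simulation that is not code from the patent or its assignee: the VPN types, parameter profiles, credentials, address pool and message fields are all constructed, and the two classes stand in for the terminal and the firewall so that the request-parameters, select, authenticate and network-information steps can be run end to end.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed protocol set held by the firewall: VPN type -> parameter profiles.
# Each profile fixes the authentication mode that the terminal must use with it.
PROTOCOL_PARAMS = {
    "IPSec VPN": [{"name": "ipsec-psk", "auth_mode": "psk", "port": 500}],
    "SSL VPN": [{"name": "ssl-password", "auth_mode": "password", "port": 443}],
}


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for the constructed credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Firewall:
    """Constructed firewall: answers parameter requests and authenticates logins."""
    psk: bytes                 # pre-shared key for the "psk" auth mode
    salt: bytes                # salt shared by all stored password hashes
    users: dict                # username -> _pw_hash(...) (constructed)
    next_host: int = 10        # constructed address pool, 10.8.0.10 upwards

    def protocol_parameters(self, vpn_type: str) -> list:
        """Parameter profiles for the requested VPN type; empty if the type is unknown."""
        return [dict(p) for p in PROTOCOL_PARAMS.get(vpn_type, [])]

    def login(self, param: dict, login_info: dict):
        """Authenticate with the mode the chosen profile implies.
        Runs on the firewall side only; returns network info on success, else None."""
        mode = param.get("auth_mode")
        if mode == "psk":
            cand = login_info.get("psk", b"")
            ok = isinstance(cand, bytes) and hmac.compare_digest(self.psk, cand)
        elif mode == "password":
            stored = self.users.get(login_info.get("username", ""))
            # Hash even for unknown users so timing does not reveal which names exist.
            cand = _pw_hash(login_info.get("password", ""), self.salt)
            ok = stored is not None and hmac.compare_digest(stored, cand)
        else:
            ok = False                     # unknown mode never authenticates
        if not ok:
            return None
        host, self.next_host = self.next_host, self.next_host + 1
        return {"tunnel_ip": f"10.8.0.{host}", "gateway": "10.8.0.1",
                "dns": "10.8.0.1", "routes": ["192.168.100.0/24"],
                "port": param["port"]}


class Terminal:
    """Constructed terminal: request -> select -> authenticate -> channel."""

    def __init__(self, firewall: Firewall):
        self.firewall = firewall
        self.channel = None

    def request_parameters(self, vpn_type: str) -> list:
        # Step 1: ask the firewall for the parameters of the VPN type the user chose.
        return self.firewall.protocol_parameters(vpn_type)

    @staticmethod
    def auth_mode(param: dict) -> str:
        # Step 3: the authentication mode follows from the selected parameter.
        return param["auth_mode"]

    def establish_channel(self, vpn_type: str, param_name: str, login_info: dict):
        """Steps 2 to 4: pick the parameter, log in with the matching mode,
        then build the channel from the network information the firewall returns."""
        params = self.request_parameters(vpn_type)
        chosen = next((p for p in params if p["name"] == param_name), None)
        if chosen is None:
            return None     # user picked a parameter the firewall did not offer
        if login_info.get("auth_mode") != self.auth_mode(chosen):
            return None     # credentials of the wrong kind for this profile
        net = self.firewall.login(chosen, login_info)
        if net is None:
            return None     # firewall rejected the login
        self.channel = {"type": vpn_type, "param": chosen["name"], **net}
        return self.channel


if __name__ == "__main__":
    salt = b"constructed-salt"
    fw = Firewall(psk=b"constructed-psk", salt=salt,
                  users={"ops": _pw_hash("constructed-pass", salt)})
    print(Terminal(fw).establish_channel(
        "SSL VPN", "ssl-password",
        {"auth_mode": "password", "username": "ops", "password": "constructed-pass"}))
```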
In a possible implementation manner, after the terminal establishes a VPN tunnel with a firewall, before determining a VPN access protocol that needs to be used by a user in a protocol set, the method further includes:
and the terminal determines that the VPN channel established with the firewall is stable according to network delay and/or data packet transmission conditions.
According to the method, after the VPN channel is determined to be stable, the stable channel can be adopted for communication, and the connection between the terminal and the server is conveniently established.
In a possible implementation manner, after the terminal establishes the VPN tunnel with the firewall, the method further includes:
and if the terminal determines that the VPN channel established with the firewall is unstable according to the network delay and/or the data packet transmission condition, prompting the user to switch the VPN channel.
According to the method, after the VPN channel is established between the terminal and the firewall, its stability is judged; if the VPN channel is unstable, the user can be prompted to switch the VPN channel, so that a stable VPN channel is used and high-reliability, low-delay communication can be realized.
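The stability judgement described above, as an added example that is not the patent's code: the probe samples and the thresholds for delay, jitter and packet loss are constructed, since the patent names the criteria (network delay and data packet transmission conditions) but not the numbers.

```python
from statistics import median

# Constructed thresholds; a real client would tune these per deployment.
MAX_LOSS_RATIO = 0.10        # more than 10 % of probes lost -> unstable
MAX_MEDIAN_RTT_MS = 300.0    # median round-trip delay over the tunnel
MAX_JITTER_MS = 100.0        # mean absolute deviation of RTT from the median
MIN_SAMPLES = 5              # do not judge on fewer probes than this


def assess_channel(rtts_ms, *, max_loss=MAX_LOSS_RATIO, max_rtt=MAX_MEDIAN_RTT_MS,
                   max_jitter=MAX_JITTER_MS, min_samples=MIN_SAMPLES):
    """Classify a VPN channel from probe results gathered over it.

    rtts_ms: one entry per probe, the round-trip time in milliseconds,
             or None for a probe that got no answer (a lost packet).
    Returns (stable, reasons, metrics); reasons is empty when stable.
    """
    if len(rtts_ms) < min_samples:
        return False, ["insufficient samples"], {"samples": len(rtts_ms)}
    answered = [r for r in rtts_ms if r is not None]
    loss = 1.0 - len(answered) / len(rtts_ms)
    metrics = {"samples": len(rtts_ms), "loss": round(loss, 3)}
    reasons = []
    if loss > max_loss:
        reasons.append(f"packet loss {loss:.0%} exceeds {max_loss:.0%}")
    if answered:
        med = median(answered)
        jitter = sum(abs(r - med) for r in answered) / len(answered)
        metrics.update(median_rtt_ms=round(med, 1), jitter_ms=round(jitter, 1))
        if med > max_rtt:
            reasons.append(f"median delay {med:.0f} ms exceeds {max_rtt:.0f} ms")
        if jitter > max_jitter:
            reasons.append(f"jitter {jitter:.0f} ms exceeds {max_jitter:.0f} ms")
    else:
        reasons.append("no probe answered")
    return not reasons, reasons, metrics


def channel_prompt(rtts_ms, **thresholds):
    """What the terminal shows: keep using the channel, or prompt to switch it."""
    stable, reasons, _ = assess_channel(rtts_ms, **thresholds)
    if stable:
        return "stable"
    return "prompt user to switch VPN channel: " + "; ".join(reasons)


if __name__ == "__main__":
    # Constructed probe runs: a healthy tunnel and one that drops every third probe.
    print(channel_prompt([42.0, 45.0, 40.0, 44.0, 41.0, 43.0]))
    print(channel_prompt([40.0, None, 45.0, 42.0, None, 41.0, 44.0, None]))
```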
In a possible implementation manner, after the terminal establishes a remote connection with a server according to the VPN access protocol selected by the user, the method further includes:
after the terminal receives an input instruction of input equipment through Bluetooth, if the input instruction is a preset input instruction, the input instruction is converted according to a VPN access protocol selected by a user, and the converted input instruction is sent to the server.
According to the method, the terminal can be connected to input devices through Bluetooth, and shortcut operations can be preset on those input devices; the preset input instructions corresponding to the shortcut operations are configured on the terminal. When the user triggers a shortcut operation through the input device, the terminal receives the input instruction and checks whether it is a preset input instruction: if so, the received instruction is converted and sent to the server, thereby realizing the shortcut operation; if not, the terminal does not need to convert the received instruction. This solves the problem that input on a small-screen terminal is inconvenient.
In a second aspect, an apparatus for remotely accessing a VPN according to an embodiment of the present invention includes: at least one processing unit and at least one memory unit, wherein the memory unit stores program code that, when executed by the processing unit, causes the processing unit to perform the following:
after a Virtual Private Network (VPN) channel is established with a firewall, a VPN access protocol needed by a user in a protocol set is determined;
and establishing remote connection with a server according to the VPN access protocol selected by the user.
In one possible implementation, the processing unit is further configured to:
requesting protocol parameters corresponding to the VPN protocol type selected by the user from the firewall;
determining a VPN access protocol needed to be used by a user in a protocol set after determining the VPN protocol parameter selected by the user from the VPN protocol parameter corresponding to the VPN protocol type selected by the user and returned by the firewall;
after an authentication mode is determined according to the VPN protocol parameter selected by the user, login information corresponding to the authentication mode and the VPN protocol parameter selected by the user, which are input by the user, are sent to the firewall, so that the firewall authenticates the login information according to the authentication mode;
and after the firewall passes the authentication of the login information, establishing a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
In a possible implementation manner, the processing unit is specifically configured to:
and establishing a virtual network card according to the VPN protocol type selected by the user, and sending a data packet of the virtual network card to the firewall through a physical network card.
In a possible implementation manner, the processing unit is specifically configured to:
receiving network information which is returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and establishing a VPN channel with the firewall according to the network information.
In one possible implementation, the processing unit is further configured to:
after establishing a VPN channel with a firewall, determining that the VPN channel established with the firewall is stable according to network delay and/or data packet transmission conditions.
In one possible implementation, the processing unit is further configured to:
and after establishing a VPN channel with a firewall, if the VPN channel established with the firewall is determined to be unstable according to the network delay and/or the data packet transmission condition, prompting the user to switch the VPN channel.
In one possible implementation, the processing unit is further configured to:
after remote connection with a server is established according to the VPN access protocol selected by the user, an input instruction of an input device is received through Bluetooth, if the input instruction is a preset input instruction, the input instruction is converted according to the VPN access protocol selected by the user, and the converted input instruction is sent to the server.
In a third aspect, an embodiment of the present invention further provides an apparatus for remotely accessing a VPN, where the apparatus includes a determining module and an accessing module:
the determining module is used for determining a VPN access protocol needed by a user in a protocol set after a Virtual Private Network (VPN) channel is established with a firewall;
and the access module is used for establishing remote connection with the server according to the VPN access protocol selected by the user.
In one possible implementation, the determining module is further configured to:
requesting protocol parameters corresponding to the VPN protocol type selected by the user from the firewall;
determining a VPN access protocol needed to be used by a user in a protocol set after determining the VPN protocol parameter selected by the user from the VPN protocol parameter corresponding to the VPN protocol type selected by the user and returned by the firewall;
after an authentication mode is determined according to the VPN protocol parameter selected by the user, login information corresponding to the authentication mode and the VPN protocol parameter selected by the user, which are input by the user, are sent to the firewall, so that the firewall authenticates the login information according to the authentication mode;
and after the firewall passes the authentication of the login information, establishing a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
In a possible implementation manner, the determining module is specifically configured to:
and establishing a virtual network card according to the VPN protocol type selected by the user, and sending a data packet of the virtual network card to the firewall through a physical network card.
In a possible implementation manner, the determining module is specifically configured to:
receiving network information which is returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and establishing a VPN channel with the firewall according to the network information.
In one possible implementation, the access module is further configured to:
after establishing a VPN channel with a firewall, determining that the VPN channel established with the firewall is stable according to network delay and/or data packet transmission conditions.
In one possible implementation, the access module is further configured to:
and after establishing a VPN channel with a firewall, if the VPN channel established with the firewall is determined to be unstable according to the network delay and/or the data packet transmission condition, prompting the user to switch the VPN channel.
In one possible implementation, the access module is further configured to:
after remote connection with a server is established according to the VPN access protocol selected by the user, an input instruction of an input device is received through Bluetooth, if the input instruction is a preset input instruction, the input instruction is converted according to the VPN access protocol selected by the user, and the converted input instruction is sent to the server.
In a fourth aspect, the present application also provides a computer storage medium having a computer program stored thereon, which when executed by a processing unit, performs the steps of the method of the first aspect.
In a fifth aspect, the present application further provides a computing device comprising at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being executable by the at least one processor to enable the at least one processor to perform any of the methods of remote access to a VPN as provided by embodiments of the present application.
In addition, for technical effects brought by any one implementation manner of the third aspect to the fifth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect, and details are not described here.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic physical architecture diagram of a remote VPN access according to an embodiment of the present invention;
fig. 2 is an overall architecture diagram of a VPN protocol integrated by a software program according to an embodiment of the present invention;
fig. 3 is a schematic diagram of a method for remotely accessing a VPN according to an embodiment of the present invention;
fig. 4 is a schematic diagram of communication between a terminal and a server of an android system according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a login page of a remote VPN according to an embodiment of the present invention;
fig. 6A is a schematic diagram of a VPN channel switching prompt according to an embodiment of the present invention;
fig. 6B is a schematic diagram of another VPN channel switching prompt according to an embodiment of the present invention;
fig. 6C is a schematic diagram of another apparatus for remotely accessing a VPN according to an embodiment of the present invention;
fig. 6D is a schematic diagram of a VPN access protocol hint according to an embodiment of the present invention;
fig. 7 is a schematic diagram illustrating a user setting a shortcut key according to an embodiment of the present invention;
fig. 8 is a flowchart of a complete method for remotely accessing a VPN according to an embodiment of the present invention;
fig. 9 is a schematic diagram of an apparatus for remotely accessing a VPN according to an embodiment of the present invention;
fig. 10 is a schematic diagram of another apparatus for remotely accessing a VPN according to an embodiment of the present invention;
fig. 11 is a schematic diagram of another apparatus for remotely accessing a VPN according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of a computing device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Some of the words that appear in the text are explained below:
1. The term "and/or" in the embodiments of the present invention describes an association relationship between associated objects and indicates that three relationships may exist; for example, A and/or B may indicate: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
2. In the embodiments of the present invention, the term "firewall" refers to a network security system between an internal network and an external network: an information security protection system that allows or restricts the passage of transmitted data according to specific rules.
3. In the embodiments of the present invention, the term "Internet Protocol Security Virtual Private Network (IPSec VPN)" refers to a VPN technology that uses the IPSec protocol to implement remote access. IPSec is a security standard framework defined by the IETF (Internet Engineering Task Force) that provides end-to-end encryption and authentication services over public and private networks.
4. In the embodiments of the present invention, the term "SSL VPN (Secure Sockets Layer Virtual Private Network)" is the simplest and safest solution for remote users to access company sensitive data. Compared with the complex IPSec VPN, SSL realizes remote communication through a simple, easy-to-use method. Any machine with a browser can use SSL VPN, because SSL is embedded in the browser; unlike a conventional IPSec VPN, it does not require client software to be installed on each client.
5. In the embodiments of the present invention, the term "Domain Name System (DNS)" refers to a distributed database on the Internet that maps domain names and IP addresses to each other, so that a user can access the Internet more conveniently without remembering the machine-readable IP address strings. The process of obtaining the IP address corresponding to a host name is called domain name resolution (or host name resolution). The DNS protocol runs over UDP (User Datagram Protocol) and uses port number 53.
6. The term "OpenVPN" in the embodiments of the present invention refers to an application-layer VPN implementation based on the OpenSSL library. Compared with a traditional VPN, it has the advantages of simplicity and ease of use. OpenVPN allows each party participating in establishing a VPN to authenticate with a pre-shared key, a digital certificate, or a username/password. The technical core of OpenVPN is a virtual network card, over which the SSL protocol is implemented.
The application scenario described in the embodiment of the present invention is for more clearly illustrating the technical solution of the embodiment of the present invention, and does not form a limitation on the technical solution provided in the embodiment of the present invention, and it can be known by a person skilled in the art that with the occurrence of a new application scenario, the technical solution provided in the embodiment of the present invention is also applicable to similar technical problems. In the description of the present invention, the term "plurality" means two or more unless otherwise specified.
VPN refers to a technology for establishing a private network on a public network. It is called a virtual network mainly because the connection between any two nodes of the VPN does not use the end-to-end physical link required by a traditional private network, but is built on a network platform provided by a public network service provider, such as a logical network over the Internet, ATM (Asynchronous Transfer Mode), Frame Relay and the like, and user data is transmitted over that logical link. It extends a private network across shared or public networks by encapsulating, encrypting and authenticating the links. A VPN mainly employs tunnelling, encryption and decryption, key management, and user and device identity authentication technologies.
Classified by application, VPNs fall into three major categories:
(1) Access VPN (Remote Access VPN): from the client to the gateway; the public network is used as the backbone to carry VPN data traffic between the devices;
(2) Intranet VPN: gateway to gateway, connecting resources of the same company through the company's network architecture;
(3) Extranet VPN: an extranet formed with a partner enterprise's network, connecting one company with the resources of another company.
The invention mainly aims at remote access of VPN, and the Android system only supports public VPN protocols such as IPSec at present. For private VPN access protocols of multiple switching equipment providers, many VPN access protocols do not support android operating systems, and computer operation and maintenance work is difficult for current operation and maintenance personnel.
Therefore, the method and the device for remotely accessing the VPN integrate the private VPN access protocols of a plurality of switching device providers through a program, and the program is adapted to input devices such as a Bluetooth folding keyboard and a mouse, so that remote operation and maintenance service on a small screen is realized.
With respect to the above scenario, the following describes an embodiment of the present invention in further detail with reference to the drawings of the specification.
Fig. 1 is a block diagram of a remote VPN according to an embodiment of the present invention, which includes a terminal, a firewall, a switch, and a plurality of servers. Because the invention collects multiple VPN access protocols in the program set of the terminal, the remote connection with the servers of different manufacturers can be realized through different VPN access protocols.
As shown in fig. 2, the software program integrates an overall architecture diagram of a VPN Protocol through a software program, wherein the software program uses VPN Protocol interfaces such as SSL VPN and IPSec VPN as external connection channels, and after establishing a VPN channel and routing, connects a Remote server background operating system through Remote connection methods such as SSH (Secure Shell, Secure Desktop Protocol), RDP (Remote Desktop Protocol), VNC (Virtual Network Protocol, Virtual Network Console), FTP (File Transfer Protocol ), and Telnet (Remote terminal Protocol); the Bluetooth assembly is connected with the portable keyboard and mouse two-in-one suite and serves as necessary input equipment to prevent the virtual keyboard from occupying too much display space of a mobile phone screen. The automatic timing component can perform timing task pushing according to a designed strategy or automatically process faults. The terminal is connected to the firewall device shown in fig. 1 through the VPN, and then connected to the backend server and the network device behind the firewall through different VPN access protocols.
Wherein, SSH is formulated by Network Working Group (Network Working Group) of IETF; SSH is a security protocol built on an application layer and a transport layer basis. SSH is currently a relatively reliable protocol that provides security for telnet sessions and other web services. The SSH protocol can effectively prevent the problem of information leakage in the remote management process, and can log in a remote server in a command line mode.
FTP is used for bi-directional transfer of control files over the Internet. At the same time, it is also an Application (Application). There are different FTP applications based on different operating systems and all of these applications adhere to the same protocol to transfer files. In the use of FTP, users often encounter two concepts: "Download" (Download) and "Upload" (Upload). "downloading" a file is copying the file from a remote host (server) to its own computer (terminal); "uploading" a file is copying the file from its own computer to a remote host, i.e., a user may upload the file to the remote host or download the file from the remote host via a client program.
RDP is a multi-channel protocol for connecting a terminal (client, or "local computer") to a computer (server, or "remote computer") that provides Microsoft terminal services (Remote Desktop Services).
VNC is a graphical remote control system available as free and open source software for UNIX, Linux and other operating systems; it has strong remote control capability, is efficient and practical, and allows a server running UNIX or Linux to be operated graphically over the remote connection.
The Telnet protocol is one of the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol family; it is the standard protocol and main mode of the Internet remote login service. It gives the user the ability to work on a remote host from the local computer. The Telnet program runs on the end user's computer and connects to the server. The end user enters commands in the Telnet program, and they run on the server as if entered directly at the server's console, so the server can be controlled from the local computer. To start a Telnet session, a user name and password must be entered to log in to the server. Telnet has been a commonly used method of remotely controlling a web server; note that it transmits the user name, password and the whole session in cleartext, so in this scheme it is acceptable only inside the VPN channel, and SSH offers the same command line access with encryption.
As shown in fig. 3, the method for remotely accessing a VPN according to the embodiment of the present invention specifically includes the following steps:
step 300, after a Virtual Private Network (VPN) channel is established between a terminal and a firewall, a VPN access protocol needed by a user in a protocol set is determined;
step 301, the terminal establishes a remote connection with a server according to the VPN access protocol selected by the user.
With this scheme, a plurality of VPN access protocols are collected in a protocol set of the terminal; after the VPN channel is successfully established, the user selects one VPN access protocol according to his own needs, and the terminal establishes a remote connection with the server according to the selected VPN access protocol.
In the embodiment of the invention, when a user establishes a connection with a remote server through a terminal, the terminal prompts the user to select the required VPN protocol type. After the user selects, the terminal requests from the firewall the protocol parameters corresponding to the selected VPN protocol type. Specifically, the terminal creates a virtual network card according to the VPN protocol type selected by the user and sends the data packet of the virtual network card to the firewall through the physical network card.
Wherein the protocol types include, but are not limited to, some or all of the following:
SSL VPN, IPSec VPN.
For example, after a user downloads and installs the application program from the Android application market on a mobile phone and opens it, the terminal prompts the user to select the required VPN protocol type from SSL VPN and IPSec VPN. Suppose the VPN protocol type selected by the user is SSL, that is, a connection is to be established with the firewall through SSL VPN. As shown in fig. 4, after the user selects the SSL VPN connection to the firewall: step 1, a program thread (the SSL VPN thread) automatically creates a virtual network card on the terminal's operating system according to the selected VPN protocol type; step 2, the operating system forwards the data packet of the virtual network card, which contains the protocol parameter request information corresponding to the SSL VPN, to the physical network card; step 3, the physical network card forwards the data packet to the SSL VPN gateway. During establishment of the channel between the terminal and the VPN, the server shown in fig. 4 is the firewall. In the embodiment of the present invention, steps 1, 2 and 3 are implemented with the OpenVPN open source component.
After the firewall receives the data packet containing the protocol parameter request information corresponding to the SSL VPN, it determines the protocol parameters corresponding to the SSL VPN according to the correspondence between VPN protocol types and protocol parameters stored in the firewall, and returns them to the terminal.
The protocol parameters corresponding to the VPN protocol type include, but are not limited to, part or all of the following:
domain information and a user login authentication mode.
Optionally, the user login authentication manner includes an authentication type and an authentication mode.
For example, the protocol parameters corresponding to the SSL VPN selected by the user, returned by the firewall and received by the terminal, are: 4 pieces of domain information: market department, research and development department, testing department, finance department; 3 user login authentication types: AD (Active Directory, the directory service of the Windows Server operating system), RADIUS (Remote Authentication Dial In User Service), LDAP (Lightweight Directory Access Protocol); 3 user login authentication modes: password, certificate, password + certificate.
In the embodiment of the invention, after the terminal receives from the firewall the VPN protocol parameters corresponding to the VPN protocol type selected by the user, the terminal determines which of those parameters the user selects, and determines the authentication mode according to the selected VPN protocol parameters.
For example, the protocol parameters corresponding to the SSL VPN selected by the user, returned by the firewall and received by the terminal, are: 4 pieces of domain information: market department, research and development department, testing department, finance department; 3 user login authentication types: AD, RADIUS, LDAP; 3 user login authentication modes: password, certificate, password + certificate. The terminal determines that the domain information selected by the user is the research and development department, the user login authentication type is AD, and the user login authentication mode is password. The authentication mode determined from the VPN protocol parameters selected by the user is therefore: AD authenticates the user's password.
In the embodiment of the invention, after determining the user's authentication mode, the terminal sends the login information input by the user for that authentication mode, together with the VPN protocol parameters selected by the user, to the firewall. Specifically, the terminal sends a data packet containing the login information and the selected VPN protocol parameters to the firewall through the physical network card. After receiving the data packet, the firewall judges whether the user's login information is correct according to the user's authentication mode; when it is correct, the firewall returns a key to the terminal and the login is successful. After successful login, the firewall returns network information determined according to the VPN protocol parameters selected by the user.
Wherein the network information includes but is not limited to some or all of the following:
virtual gateway, DNS, routing information.
For example, the user's password is authenticated by AD and the domain information selected by the user is the market department. As shown in fig. 5, the user name input by the user is ihebut, the password is 111111, and the login domain is the market department. After the firewall determines that authentication has passed, it determines the virtual gateway, DNS and routing information of the domain where the user is located according to the user's domain information: the user is in the market department domain, the corresponding virtual gateway is gateway 1, the DNS is IP1, and the routing information is IP11, IP12, IP13, IP21, IP31, IP32, gateway 1, gateway 2, gateway 3.
In the embodiment of the present invention, after the firewall has authenticated the login information, the terminal establishes the VPN channel with the firewall according to the VPN protocol parameters selected by the user. Specifically, the terminal receives the network information returned by the firewall and determined according to the selected VPN protocol parameters, and establishes the VPN channel with the firewall according to that network information; that is, the VPN thread hands the received network information to the Android operating system, which completes the establishment of the VPN channel.
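The negotiation described in the preceding paragraphs (parameter request, selection, authentication, return of key and network information) as a worked exchange with both sides' messages. This is an added example; it is not the patent's code nor an implementation of the OpenVPN component it mentions. The firewall's parameter table, the user store holding the page's ihebut/111111 credentials, the network tables, the message dictionaries and the in-process call between Terminal and Firewall are all constructed assumptions standing in for the packets exchanged through the virtual and physical network cards. It also shows the check a practitioner wants on the firewall side: the selected domain, authentication type and mode are re-validated against the advertised set rather than trusted from the terminal, the password is compared through a salted hash in constant time, and the hash is computed even for unknown users.

```python
import hashlib
import hmac
import secrets

# Constructed firewall-side table: VPN protocol type -> protocol parameters
# (domain information, login authentication types, login authentication modes).
PROTOCOL_PARAMS = {
    "SSL VPN": {
        "domains": ["market", "research_and_development", "testing", "finance"],
        "auth_types": ["AD", "RADIUS", "LDAP"],
        "auth_modes": ["password", "certificate", "password+certificate"],
    },
    "IPSec VPN": {
        "domains": ["market", "research_and_development"],
        "auth_types": ["RADIUS", "LDAP"],
        "auth_modes": ["certificate"],
    },
}

# Constructed network information per domain: virtual gateway, DNS, routes (page's gateway 1 / IP1).
NETWORK_INFO = {
    "market": {"virtual_gateway": "gateway1", "dns": "IP1",
               "routes": ["IP11", "IP12", "IP13", "IP21", "IP31", "IP32"]},
    "research_and_development": {"virtual_gateway": "gateway2", "dns": "IP2", "routes": ["IP21", "IP22"]},
    "testing": {"virtual_gateway": "gateway3", "dns": "IP3", "routes": ["IP31"]},
    "finance": {"virtual_gateway": "gateway3", "dns": "IP3", "routes": ["IP32"]},
}

SALT = b"constructed-salt"  # single salt for this toy store; a real store salts per user


def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed user stores behind each authentication type (hashes only) and trusted certificate fingerprints.
USER_STORES = {"AD": {"ihebut": password_hash("111111")}, "RADIUS": {}, "LDAP": {}}
TRUSTED_CERT_FINGERPRINTS = {"sha256:constructed-fingerprint"}


class Firewall:
    """Firewall side: answers parameter requests, authenticates, issues key and network info."""

    def get_protocol_params(self, protocol_type: str) -> dict:
        params = PROTOCOL_PARAMS.get(protocol_type)
        if params is None:
            raise ValueError(f"unsupported VPN protocol type: {protocol_type}")
        return params

    def login(self, protocol_type: str, selection: dict, credentials: dict):
        """Return {'key', 'network_info'} on success, None on failure."""
        params = self.get_protocol_params(protocol_type)
        # The terminal is untrusted: re-check the selection against what was advertised.
        if (selection["domain"] not in params["domains"]
                or selection["auth_type"] not in params["auth_types"]
                or selection["auth_mode"] not in params["auth_modes"]):
            return None
        if not self._authenticate(selection, credentials):
            return None
        return {"key": secrets.token_bytes(32),               # key returned after a correct login
                "network_info": NETWORK_INFO[selection["domain"]]}

    def _authenticate(self, selection: dict, credentials: dict) -> bool:
        ok = True
        mode = selection["auth_mode"]
        if "password" in mode:
            stored = USER_STORES[selection["auth_type"]].get(credentials.get("username", ""))
            supplied = password_hash(credentials.get("password", ""))  # hash even for unknown users
            ok = ok and stored is not None and hmac.compare_digest(stored, supplied)
        if "certificate" in mode:
            ok = ok and credentials.get("cert_fingerprint") in TRUSTED_CERT_FINGERPRINTS
        return ok


class Terminal:
    """Terminal side of steps 800-809, talking to an in-process Firewall."""

    def __init__(self, firewall: Firewall):
        self.firewall = firewall
        self.key = None
        self.network_info = None

    def connect(self, protocol_type, domain, auth_type, auth_mode, credentials) -> bool:
        params = self.firewall.get_protocol_params(protocol_type)          # steps 801-802
        selection = {"domain": domain, "auth_type": auth_type, "auth_mode": auth_mode}
        for field, allowed in (("domain", params["domains"]), ("auth_type", params["auth_types"]),
                               ("auth_mode", params["auth_modes"])):
            if selection[field] not in allowed:                            # step 803: only advertised values
                raise ValueError(f"{field} {selection[field]!r} not offered by the firewall")
        result = self.firewall.login(protocol_type, selection, credentials)  # steps 805-808
        if result is None:
            return False
        self.key = result["key"]
        self.network_info = result["network_info"]                         # step 809: handed to the OS
        return True
```

Terminal.connect raises on a selection the firewall never advertised (the UI case), while Firewall.login silently refuses it, because a client that bypasses the UI will not stop at a client-side check.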
Optionally, when the terminal communicates with the firewall, it encrypts the data packets with the key returned by the firewall.
For example, a data packet forwarded by the terminal to the firewall through the physical network card is encrypted with the key returned by the firewall using OpenSSL (Open Secure Sockets Layer), and the firewall decrypts the data packet after receiving it.
In the embodiment of the invention, after the VPN channel is established between the terminal and the firewall, the stability of the VPN channel is judged according to the network delay and/or the data packet transmission conditions.
If the VPN channel is unstable, the user is prompted to switch the VPN channel; at this point the user may also adjust settings such as resolution and definition.
For example, if 2 of the data packets transmitted by the terminal to the firewall are lost, the VPN channel established between the terminal and the firewall is unstable; likewise, if the network delay of data transmission is higher than a preset threshold, the VPN channel is unstable.
There are many ways for a user to switch a VPN tunnel when the VPN tunnel is unstable, and the following are listed as some:
Switching mode one, switching the network.
As shown in fig. 6A, when the VPN channel is detected to be unstable, that is, the network is unstable, the user is prompted to switch the network; the user may switch the VPN channel to a different WIFI (Wireless Fidelity) network. For example, if the network previously selected by the user was ihebut, the user may switch to another network such as China Net hebut.
Switching mode two, switching the VPN protocol type.
As shown in fig. 6B, when the VPN channel is detected to be unstable, the user is prompted to switch to another VPN protocol type; if the VPN protocol type selected by the user is IPSec, it can be switched to SSL.
Switching mode three, switching the gateway.
As shown in fig. 6C, when the VPN channel is detected to be unstable, the user is prompted to switch to another access gateway; if the current VPN gateway is gateway 1, the user may switch to another gateway, for example gateway 2.
It should be noted that the manner of switching the VPN path recited in the embodiment of the present invention is only an example, and any manner capable of switching the VPN path is applicable to the embodiment of the present invention.
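The stability judgement and the switching prompts described above as a small monitor, an added example rather than the patent's code. The page fixes only the rule "two lost packets, or delay above a preset threshold, means unstable"; the window size, the 300 ms threshold, the use of the mean delay of answered probes, and the lists of alternative networks, protocol types and gateways are assumptions taken from the page's own figures 6A to 6D.

```python
from collections import deque
from typing import List, Optional, Tuple

# Constructed alternatives the user could switch to (the page's second network,
# the other protocol type, and the second gateway).
KNOWN_NETWORKS = ["ihebut", "China Net hebut"]
PROTOCOL_TYPES = ["SSL VPN", "IPSec VPN"]
GATEWAYS = ["gateway1", "gateway2"]
ACCESS_PROTOCOLS = ["SSH", "RDP", "VNC", "FTP", "Telnet"]


class ChannelMonitor:
    """Judges VPN channel stability from the last `window` probe packets.

    Each probe is recorded with its round-trip delay in ms, or None if it was lost.
    The channel is unstable when at least `max_lost` probes in the window were lost,
    or when the mean delay of the answered probes exceeds `delay_threshold_ms`.
    """

    def __init__(self, window: int = 20, max_lost: int = 2, delay_threshold_ms: float = 300.0):
        self.samples: deque = deque(maxlen=window)
        self.max_lost = max_lost
        self.delay_threshold_ms = delay_threshold_ms

    def record(self, rtt_ms: Optional[float]) -> None:
        self.samples.append(rtt_ms)

    def assess(self) -> Tuple[bool, List[str]]:
        """Return (stable, reasons); reasons is empty when the channel is stable."""
        lost = sum(1 for s in self.samples if s is None)
        answered = [s for s in self.samples if s is not None]
        reasons = []
        if lost >= self.max_lost:
            reasons.append(f"{lost} of {len(self.samples)} probe packets lost")
        if answered:
            mean_delay = sum(answered) / len(answered)
            if mean_delay > self.delay_threshold_ms:
                reasons.append(f"mean delay {mean_delay:.0f} ms exceeds {self.delay_threshold_ms:.0f} ms")
        return (not reasons, reasons)


def switch_options(current: dict) -> List[Tuple[str, str]]:
    """List the (switching mode, new value) pairs the terminal can offer for the current channel."""
    options = []
    for net in KNOWN_NETWORKS:
        if net != current["network"]:
            options.append(("switch network", net))
    for proto in PROTOCOL_TYPES:
        if proto != current["protocol"]:
            options.append(("switch VPN protocol type", proto))
    for gw in GATEWAYS:
        if gw != current["gateway"]:
            options.append(("switch gateway", gw))
    return options


def next_step(monitor: ChannelMonitor, current: dict) -> dict:
    """After the channel is up: prompt for a switch (fig. 6A-6C) or proceed to protocol selection (fig. 6D)."""
    stable, reasons = monitor.assess()
    if stable:
        return {"action": "select VPN access protocol", "choices": list(ACCESS_PROTOCOLS)}
    return {"action": "prompt to switch VPN channel", "reasons": reasons, "options": switch_options(current)}
```

The monitor keeps a sliding window so that two losses an hour apart do not keep the channel marked unstable forever; the page's bare "2 packets lost" rule would otherwise never recover without a reconnect.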
As shown in fig. 6D, if the VPN channel is stable, the user is prompted to select the remote access mode to be used; after the user selects a VPN access protocol, the VPN access protocol that the user needs to use is determined from the protocol set.
Wherein the VPN access protocol includes, but is not limited to, some or all of the following:
SSH, RDP, VNC, FTP, Telnet.
Among the different VPN access protocols, the user can choose according to his own needs. For example, when the user needs to download files through the remote VPN, the FTP access protocol can be selected; when the user only wants to shut down the company's computer from home through the remote VPN, the SSH protocol can be selected to complete the operation at the command line.
Optionally, after the terminal establishes the remote connection with the server, the interactive window is opened and the keyboard and mouse driver is loaded; the user chooses between the virtual keyboard and an external input device, and the external input device, which is a Bluetooth input device, is connected to the terminal through Bluetooth.
For example, Bluetooth is enabled on the terminal and on the folding two-in-one Bluetooth keyboard and mouse device, and the device is connected to the terminal through Bluetooth. When the user operates the device, the terminal receives the input instruction through Bluetooth and judges whether it is one of the terminal's preset input instructions. If it is, the terminal converts it, according to the VPN access protocol selected by the user, into an instruction that the operating system of the connected server can recognize, and sends the converted instruction to the server; otherwise, the terminal forwards the received instruction directly to the connected server.
For example, the input instructions preset by the terminal are: Ctrl + Shift + F12: print, Ctrl + F1: screen capture, Ctrl + R: refresh page, Ctrl + S: save, Ctrl + Shift: switch screen, Shift + A: switch window, Shift + B: lock screen, Shift + C: exit.
When the user presses Ctrl + F1 on the folding keyboard, the input instruction received by the terminal through Bluetooth is Ctrl + F1, which is judged to be a preset input instruction. The VPN access protocol selected by the user is SSH and the server reached over SSH runs Linux, so the terminal converts Ctrl + F1 into an instruction that Linux can recognize and forwards the converted instruction to the server with which the remote connection is established.
Optionally, the user may also perform manual setting at the terminal, and the user specifies a preset input instruction, such as switching a screen, switching a window, locking the screen, exiting, and the like, as shown in fig. 7.
For example, the preset input instructions set by the user at the terminal are: Ctrl + Alt + Z: extract message, Ctrl + Alt + C: capture screen, Ctrl + Alt: send message. If the input instruction received by the terminal through Bluetooth is B, which is judged not to be a preset input instruction, the actual input instruction B is forwarded directly to the remote server connected to the terminal.
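The keystroke handling described above as an added example (not the patent's code): normalise a chord received from the Bluetooth keyboard, look it up in the default presets merged with the user's own, and either send a protocol-specific encoding to the server, handle the action on the terminal, or forward the raw key unchanged. The per-protocol encodings are assumptions: for SSH, 0x0c is the Ctrl+L byte that makes a terminal redraw its screen, and exit and vlock are shell commands; for RDP and VNC they are virtual-key names. In this example screen capture and screen switching are treated as actions on the terminal itself rather than sent to the server, which is one reading of the page.

```python
from typing import Dict, Tuple, Union

MODIFIER_ORDER = ("Ctrl", "Alt", "Shift")

# Constructed: the terminal's default preset chords (the page's table) -> action names.
DEFAULT_PRESETS: Dict[str, str] = {
    "Ctrl+Shift+F12": "print",
    "Ctrl+F1": "screen_capture",
    "Ctrl+R": "refresh",
    "Ctrl+S": "save",
    "Ctrl+Shift": "switch_screen",
    "Shift+A": "switch_window",
    "Shift+B": "lock_screen",
    "Shift+C": "exit",
}

# Constructed, assumed encodings: action -> what is sent to the server under each VPN
# access protocol. SSH gets raw terminal bytes (0x0c is Ctrl+L, a screen redraw);
# RDP/VNC get virtual-key names. Actions missing for a protocol are handled locally.
ACTION_ENCODINGS: Dict[str, Dict[str, Union[bytes, str]]] = {
    "SSH": {"refresh": b"\x0c", "exit": b"exit\n", "lock_screen": b"vlock\n"},
    "RDP": {"refresh": "VK_F5", "lock_screen": "VK_LWIN+VK_L", "save": "VK_CONTROL+VK_S"},
    "VNC": {"refresh": "VK_F5", "save": "VK_CONTROL+VK_S"},
}


def normalize_chord(chord: str) -> str:
    """Canonical form: modifiers in Ctrl, Alt, Shift order, key capitalised, no spaces."""
    parts = [p.strip().capitalize() for p in chord.split("+") if p.strip()]
    mods = sorted((p for p in parts if p in MODIFIER_ORDER), key=MODIFIER_ORDER.index)
    keys = [p for p in parts if p not in MODIFIER_ORDER]
    if len(keys) > 1:
        raise ValueError(f"chord has more than one non-modifier key: {chord!r}")
    return "+".join(mods + keys)


def translate(chord: str, protocol: str, user_presets: Dict[str, str] = None) -> Tuple[str, object]:
    """Decide what the terminal does with one Bluetooth keystroke.

    Returns ("send", payload) when the preset maps to something the server's OS
    understands under this protocol, ("local", action) when the preset is handled on
    the terminal itself, and ("forward", chord) when the chord is not a preset at all.
    User-defined presets override the defaults, as the page allows.
    """
    presets = dict(DEFAULT_PRESETS)
    presets.update({normalize_chord(k): v for k, v in (user_presets or {}).items()})
    canonical = normalize_chord(chord)
    action = presets.get(canonical)
    if action is None:
        return ("forward", canonical)
    payload = ACTION_ENCODINGS.get(protocol, {}).get(action)
    if payload is None:
        return ("local", action)
    return ("send", payload)
```

Normalising before lookup matters because a Bluetooth HID report delivers modifiers in whatever order the user pressed them; without it "Shift+Ctrl+F12" would silently fall through to the raw-forward path and reach the server as three keystrokes.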
Optionally, as shown in step 4 of fig. 4, the remote protocol window communicates through the SSL session that the virtual network card has established with the SSL VPN. After the terminal establishes the connection with the remote server, the server shown in fig. 4 is the remote server, and while the user interacts with the remote server, the user may choose whether to record the operation content.
For example, after determining that the user has selected screen recording of the operation content, the terminal video-records the user's operations on the remote server; after determining that the user has selected keyboard recording, the terminal records the information the user enters through the keyboard.
Optionally, the automatic timing component of the terminal may perform timing task pushing according to a designed policy, or perform automatic fault handling.
For example, it may be preset that commodity information of a certain enterprise is pushed to the user half an hour after logging in to the VPN, and that fault troubleshooting is performed one hour after logging in to the VPN.
As shown in fig. 8, a complete method for remotely accessing a VPN according to an embodiment of the present invention includes:
step 800, the terminal prompts the user to select the VPN protocol type;
step 801, after determining the VPN protocol type selected by the user, the terminal requests a firewall for a protocol parameter corresponding to the VPN protocol type selected by the user;
step 802, the firewall returns the VPN protocol parameter corresponding to the VPN protocol type selected by the user to the terminal;
step 803, the terminal determines the VPN protocol parameter selected by the user from the VPN protocol parameter corresponding to the VPN protocol type selected by the user and returned by the firewall;
step 804, after determining the authentication mode according to the VPN protocol parameter selected by the user, the terminal inputs login information corresponding to the authentication mode;
step 805, the terminal sends login information and VPN protocol parameters selected by the user to the firewall;
step 806, after receiving login information corresponding to the authentication mode and input by the user, the firewall authenticates the login information according to the authentication mode;
step 807, after the verification passes, the firewall determines the network information according to the VPN protocol parameter selected by the user;
step 808, the firewall sends the determined network information to the terminal;
step 809, the terminal receives network information which is returned by the firewall and determined according to the VPN protocol parameters selected by the user, and then establishes a VPN channel with the firewall according to the network information;
step 810, after the terminal determines that the VPN channel is stable, determining a VPN access protocol needed by a user in the protocol set;
step 811, the terminal establishes a remote connection with the server according to the VPN access protocol selected by the user;
step 812, the terminal interacts with the server;
and step 813, recording the remote operation of the user through a recording screen.
Based on the same concept, an embodiment of the present invention provides a terminal device for remotely accessing a VPN, as shown in fig. 9, where the terminal device includes: an input unit 900, a Radio Frequency (RF) circuit 910, a power supply 920, a processor 930, a memory 940, a remote protocol access module 950, a bluetooth module 960, a VPN access module 970, an interaction module 980, a display unit 990, and the like. Those skilled in the art will appreciate that the configuration of the terminal shown in fig. 9 is not intended to be limiting, and that the terminal provided by the embodiments of the present application may include more or less components than those shown, or some components may be combined, or a different arrangement of components may be provided.
The following describes the components of the terminal in detail with reference to fig. 9:
alternatively, the input unit 900 may include a touch panel 901 and other input terminals 902.
The touch panel 901, also called a touch screen, may collect touch operations of a user on or near the touch panel 901 (for example, operations of the user on or near the touch panel 901 using any suitable object or accessory such as a finger, a stylus pen, etc.), and drive a corresponding connection device according to a preset program. Optionally, the touch panel 901 may include two parts, namely a touch detection device and a touch controller. The touch detection device detects the touch direction of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch sensing device, converts it into touch point coordinates, and sends the touch point coordinates to the processor 930, and can receive and execute commands sent from the processor 930. In addition, the touch panel 901 may be implemented by various types, such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave.
Optionally, the other input terminals 902 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, a joystick, and the like.
The input unit 900 may be used to receive numeric or character information input by a user and generate key signal inputs related to user settings and function control of the terminal.
The RF circuit 910 may be used for receiving and transmitting data during a communication or conversation. In particular, the RF circuit 910 sends the downlink data of the base station to the processor 930 for processing; and in addition, sending the uplink data to be sent to the base station. Generally, the RF circuit 910 includes, but is not limited to, an antenna, at least one Amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like.
In addition, the RF circuit 910 may also communicate with networks and other terminals through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Messaging Service (SMS), and the like.
The terminal may be physically connected to other terminals through the communication interface 990. Optionally, the communication interface 990 is connected to the communication interfaces of the other terminals through cables, so as to implement data transmission between the terminals and the other terminals.
In the embodiment of the present application, the terminal can implement a communication service and send information to other contacts, so the terminal needs to have a data transmission function, that is, the terminal needs to include a communication module inside.
For example, when the terminal is a mobile phone, the terminal may include the RF circuit 910 and may further include the WiFi module 990; when the terminal is a computer, the terminal may include the communication interface 990, and may further include the WiFi module 990; when the terminal is a tablet computer, the terminal may include the WiFi module.
The memory 940 may be used to store software programs and modules. The processor 930 executes various functional applications and data processing of the terminal by executing software programs and modules stored in the memory 940, and after the processor 930 executes the program codes in the memory 940, part or all of the processes in fig. 11 according to the embodiment of the present invention can be implemented.
Alternatively, the memory 940 may mainly include a program storage area and a data storage area. The storage program area can store an operating system, various application programs (such as communication application), a face recognition module and the like; the storage data area may store data (such as various multimedia files like pictures, video files, etc., and face information templates) created according to the use of the terminal, etc.
Further, the memory 940 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The remote protocol access module 950 is configured to establish the remote connection with the server after the VPN access protocol selected by the user is determined. Bluetooth is a wireless technology standard for short-distance data exchange between fixed devices, mobile devices and building personal area networks, through which access to a data network can be achieved; the Bluetooth module 960 is used for receiving and transmitting data during communication. The VPN access module 970 pulls the protocol parameters from the firewall, receives the initial negotiation information returned by the firewall, and establishes the VPN channel with the firewall. The interaction module 980 is configured to interact with the server.
The display unit 990 may be used to display information input by a user or information provided to the user and various menus of the terminal. The display unit 990 is a display system of the terminal, and is configured to present an interface and implement human-computer interaction.
The display unit 990 may include a display panel 991. Alternatively, the Display panel 991 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
Further, the touch panel 901 may cover the display panel 991, and when the touch panel 901 detects a touch operation on or near the touch panel, the touch panel is transmitted to the processor 930 to determine the type of the touch event, and then the processor 930 provides a corresponding visual output on the display panel 991 according to the type of the touch event.
Although in fig. 9, the touch panel 901 and the display panel 991 are two independent components to implement the input and output functions of the terminal, in some embodiments, the touch panel 901 and the display panel 991 may be integrated to implement the input and output functions of the terminal.
The processor 930 is a control center of the terminal, connects various components using various interfaces and lines, and performs various functions of the terminal and processes data by operating or executing software programs and/or modules stored in the memory 940 and calling data stored in the memory 940, thereby implementing various services based on the terminal.
Optionally, the processor 930 may include one or more processing units. Optionally, the processor 930 may integrate an application processor and a modem processor, wherein the application processor mainly handles operating systems, user interfaces, application programs, and the like, and the modem processor mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 930.
The terminal also includes a power supply 920 (e.g., a battery) for powering the various components. Optionally, the power supply 920 may be logically connected to the processor 930 through a power management system, so as to implement functions of managing charging, discharging, power consumption, and the like through the power management system.
Although not shown, the terminal may further include at least one sensor, an audio circuit, and the like, which will not be described herein.
The memory 940 may store, among other things, the same program code as the storage unit 1001, which when executed by the processor 930, causes the processor 930 to implement all functions of the processing unit 1000.
Based on the same inventive concept, the embodiment of the present invention further provides a device for remotely accessing a VPN, and since the device is a device in the method in the embodiment of the present invention, and the principle of the device for solving the problem is similar to that of the method, the implementation of the device may refer to the implementation of the method, and repeated details are not repeated.
As shown in fig. 10, an embodiment of the present invention further provides an apparatus for remotely accessing a VPN, where the apparatus includes: at least one processing unit 1000 and at least one memory unit 1001, wherein the memory unit 1001 stores program code which, when executed by the processing unit 1000, causes the processing unit 1000 to perform the following processes:
after a Virtual Private Network (VPN) channel is established with a firewall, a VPN access protocol needed by a user in a protocol set is determined;
and establishing remote connection with a server according to the VPN access protocol selected by the user.
Optionally, the processing unit 1000 is further configured to:
requesting protocol parameters corresponding to the VPN protocol type selected by the user from the firewall;
determining a VPN access protocol needed to be used by a user in a protocol set after determining the VPN protocol parameter selected by the user from the VPN protocol parameter corresponding to the VPN protocol type selected by the user and returned by the firewall;
after an authentication mode is determined according to the VPN protocol parameter selected by the user, login information corresponding to the authentication mode and the VPN protocol parameter selected by the user, which are input by the user, are sent to the firewall, so that the firewall authenticates the login information according to the authentication mode;
and after the firewall passes the authentication of the login information, establishing a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
Optionally, the processing unit 1000 is specifically configured to:
and establishing a virtual network card according to the VPN protocol type selected by the user, and sending a data packet of the virtual network card to the firewall through a physical network card.
Optionally, the processing unit 1000 is specifically configured to:
receiving network information which is returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and establishing a VPN channel with the firewall according to the network information.
Optionally, the processing unit 1000 is further configured to:
after establishing a VPN channel with a firewall, determining that the VPN channel established with the firewall is stable according to network delay and/or data packet transmission conditions.
Optionally, the processing unit 1000 is further configured to:
and after establishing a VPN channel with a firewall, if the VPN channel established with the firewall is determined to be unstable according to the network delay and/or the data packet transmission condition, prompting the user to switch the VPN channel.
Optionally, the processing unit 1000 is further configured to:
after remote connection with a server is established according to the VPN access protocol selected by the user, an input instruction of an input device is received through Bluetooth, if the input instruction is a preset input instruction, the input instruction is converted according to the VPN access protocol selected by the user, and the converted input instruction is sent to the server.
Based on the same inventive concept, the embodiment of the present invention further provides a device for remotely accessing a VPN, and since the device is a device in the method in the embodiment of the present invention, and the principle of the device for solving the problem is similar to that of the method, the implementation of the device may refer to the implementation of the method, and repeated details are not repeated.
As shown in fig. 11, an embodiment of the present invention further provides an apparatus for remotely accessing a VPN, where the apparatus includes a determination module 1100 and an access module 1101:
the determination module 1100 is configured to determine, after a virtual private network (VPN) channel has been established with a firewall, the VPN access protocol that the user needs to use from a protocol set;
the access module 1101 is configured to establish a remote connection with a server according to the VPN access protocol selected by the user.
Optionally, the determination module 1100 is further configured to:
request, from the firewall, the protocol parameters corresponding to the VPN protocol type selected by the user;
determine the VPN access protocol that the user needs to use from the protocol set after determining the VPN protocol parameter selected by the user from the VPN protocol parameters corresponding to the VPN protocol type selected by the user and returned by the firewall;
after an authentication mode is determined according to the VPN protocol parameter selected by the user, send to the firewall the login information, input by the user, that corresponds to the authentication mode and to the VPN protocol parameter selected by the user, so that the firewall authenticates the login information according to the authentication mode;
and, after the firewall has authenticated the login information, establish a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
Optionally, the determination module 1100 is specifically configured to:
establish a virtual network card according to the VPN protocol type selected by the user, and send a data packet of the virtual network card to the firewall through a physical network card.
Optionally, the determination module 1100 is specifically configured to:
receive network information returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and establish a VPN channel with the firewall according to the network information.
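The exchange described above (request the parameter sets for the chosen protocol type, pick one of them, authenticate in the mode that set dictates, then bring the channel up from the firewall's network information) is modelled below as an added Python example; it is not code from the patent or its assignee. The protocol catalogue, the credential store, the session tokens and the returned addresses are constructed assumptions, and the transport between the two sides is an in-memory call rather than a real virtual network card.

```python
"""Terminal/firewall exchange that sets up the VPN channel before any
remote-access protocol is picked.  Added example, not code from the patent:
protocol types, parameter sets, credentials and the returned network
information are all constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed firewall catalogue: VPN protocol type -> parameter sets it offers.
CATALOGUE = {
    "ipsec": [{"name": "ikev2-psk", "auth_mode": "psk", "port": 500}],
    "ssl": [
        {"name": "tls-password", "auth_mode": "password", "port": 443},
        {"name": "tls-otp", "auth_mode": "otp", "port": 443},
    ],
}


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class Firewall:
    """Firewall side: offers parameters, authenticates, assigns network info."""

    def __init__(self):
        # Constructed credential store, keyed by authentication mode.
        self._creds = {
            "password": {"alice": _digest("correct-horse")},
            "psk": {"alice": _digest("site-shared-key")},
        }
        self._sessions = {}

    def protocol_parameters(self, vpn_type):
        """Parameter sets for the protocol type the user picked (empty if unknown)."""
        return list(CATALOGUE.get(vpn_type, []))

    def authenticate(self, auth_mode, login):
        """Check the login under the given mode; return a session token or None."""
        expected = self._creds.get(auth_mode, {}).get(login.get("user"), "")
        provided = _digest(login.get("secret", ""))
        if not expected or not hmac.compare_digest(expected, provided):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = login["user"]
        return token

    def network_info(self, token, params):
        """Network information is only determined for an authenticated session."""
        if token not in self._sessions:
            raise PermissionError("network info requested without authentication")
        return {"tunnel_ip": "10.8.0.2", "gateway": "10.8.0.1",
                "port": params["port"], "mtu": 1400}


class Terminal:
    """Terminal side of the exchange; holds at most one established channel."""

    def __init__(self, firewall):
        self.fw = firewall
        self.channel = None

    def establish_channel(self, vpn_type, chosen_name, login):
        """Return the channel description, or None when the firewall rejects the login."""
        # 1. request the parameter sets that match the user's protocol type
        offered = self.fw.protocol_parameters(vpn_type)
        # 2. the user selects one of the parameter sets the firewall returned
        selected = next((p for p in offered if p["name"] == chosen_name), None)
        if selected is None:
            raise ValueError(f"{chosen_name!r} is not offered for {vpn_type!r}")
        # 3. the selected parameter set fixes the authentication mode
        auth_mode = selected["auth_mode"]
        # 4. send login information for that mode; the firewall authenticates it
        token = self.fw.authenticate(auth_mode, login)
        if token is None:
            return None  # no channel is set up without a passed authentication
        # 5. receive the network information and bring the channel up from it
        net = self.fw.network_info(token, selected)
        self.channel = {"type": vpn_type, "params": selected["name"], **net}
        return self.channel


if __name__ == "__main__":
    fw = Firewall()
    print(Terminal(fw).establish_channel(
        "ssl", "tls-password", {"user": "alice", "secret": "correct-horse"}))
```

The ordering is the point worth checking in any real client: a parameter set that is not in the firewall's own reply is refused before any login is sent, and network information (and therefore the channel) is handed out only for a session the firewall has authenticated.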
Optionally, the access module 1101 is further configured to:
after a VPN channel has been established with the firewall, determine that the VPN channel established with the firewall is stable according to the network delay and/or the data packet transmission conditions.
Optionally, the access module 1101 is further configured to:
after a VPN channel has been established with the firewall, if the VPN channel established with the firewall is determined to be unstable according to the network delay and/or the data packet transmission conditions, prompt the user to switch the VPN channel.
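The stability determination in the two paragraphs above (judge the established channel by network delay and/or packet delivery, and prompt the user to switch when it is unstable) as an added Python example, not code from the patent. It goes slightly beyond the text by scoring jitter next to mean delay and loss and by refusing to judge on too few probes. The RTT and jitter ceilings, the loss threshold, the minimum sample count, the probe samples and the alternative channel names are all constructed assumptions; a real client would take the samples from keepalive probes sent over the virtual network card.

```python
"""Channel stability check from latency and packet-delivery samples, run
after the VPN channel is up and before an access protocol is chosen.
Added example, not code from the patent; thresholds and samples are
constructed assumptions."""
from statistics import mean, pstdev

# Assumed ceilings; a real client would tune these per protocol type.
MEAN_RTT_MAX_MS = 250.0   # mean round-trip time over the channel
JITTER_MAX_MS = 80.0      # standard deviation of the round-trip time
LOSS_MAX = 0.05           # fraction of probes that got no reply
MIN_SAMPLES = 5           # do not judge on fewer probes than this

# Constructed probe samples (RTT in ms; None = the probe got no reply).
GOOD = [40, 42, 41, 44, 39, 43, 40, 42]
LOSSY = [40, None, 42, None, None, 41, 40, 43, 42, 41]
SLOW = [300, 320, 310, 290, 305, 315]
JITTERY = [20, 220, 25, 215, 20, 230]


def assess_channel(rtts_ms):
    """rtts_ms: RTT per probe in ms, with None for a probe that got no reply.

    Returns the measured figures plus the reasons, if any, for judging the
    channel unstable; an empty reason list means the channel is stable."""
    if len(rtts_ms) < MIN_SAMPLES:
        return {"stable": False, "reasons": ["insufficient samples"],
                "mean_rtt": None, "jitter": None, "loss": None}
    answered = [r for r in rtts_ms if r is not None]
    reasons = []
    loss = 1 - len(answered) / len(rtts_ms)
    if loss > LOSS_MAX:
        reasons.append(f"packet loss {loss:.0%} exceeds {LOSS_MAX:.0%}")
    if answered:
        avg, jitter = mean(answered), pstdev(answered)
        if avg > MEAN_RTT_MAX_MS:
            reasons.append(f"mean RTT {avg:.0f} ms exceeds {MEAN_RTT_MAX_MS:.0f} ms")
        if jitter > JITTER_MAX_MS:
            reasons.append(f"jitter {jitter:.0f} ms exceeds {JITTER_MAX_MS:.0f} ms")
    else:
        avg = jitter = None  # every probe was lost; loss alone decides
    return {"stable": not reasons, "reasons": reasons,
            "mean_rtt": avg, "jitter": jitter, "loss": loss}


def switch_prompt(report, alternatives):
    """None when the channel is stable; otherwise the text shown to the user."""
    if report["stable"]:
        return None
    return ("VPN channel unstable (" + "; ".join(report["reasons"]) +
            "). Switch to one of: " + ", ".join(alternatives))


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("lossy", LOSSY),
                         ("slow", SLOW), ("jittery", JITTERY)):
        report = assess_channel(sample)
        print(name, report["stable"], switch_prompt(report, ["ipsec-backup"]))
```

Keeping the reasons in the report, rather than a bare boolean, is what makes the prompt useful to the user and the decision auditable in the client's log.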
Optionally, the access module 1101 is further configured to:
after a remote connection with the server has been established according to the VPN access protocol selected by the user, receive an input instruction from an input device through Bluetooth and, if the input instruction is a preset input instruction, convert the input instruction according to the VPN access protocol selected by the user and send the converted input instruction to the server.
An embodiment of the present invention further provides a computer-readable non-volatile storage medium, which includes program code, and when the program code runs on a computing terminal, the program code is configured to enable the computing terminal to execute the steps of the method for remotely accessing a VPN according to the embodiment of the present invention.
Having described a method, apparatus, and computer program product for remotely accessing a VPN according to exemplary embodiments of the present application, a computing device according to another exemplary embodiment of the present application is described.
As will be appreciated by one skilled in the art, aspects of the present application may be embodied as a system, method or program product. Accordingly, various aspects of the present application may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects, which may all generally be referred to herein as a "circuit," "module" or "system."
In some possible implementations, a computing device according to the present application may include at least one processor and at least one memory. The memory stores program code which, when executed by the processor, causes the processor to perform the steps of the remote VPN access method according to the various exemplary embodiments of the present application described above in this specification. For example, the processor may perform steps 300 and 301 as shown in FIG. 3.
The computing device 120 according to this embodiment of the present application is described below with reference to fig. 12. The computing device 120 of fig. 12 is only one example and should not impose any limitations on the functionality or scope of use of embodiments of the present application.
As in fig. 12, computing device 120 is embodied in the form of a general purpose computing device. Components of computing device 120 may include, but are not limited to: the at least one processor 121, the at least one memory 122, and a bus 123 connecting the various system components (including the memory 122 and the processor 121).
Bus 123 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, or a local bus using any of a variety of bus architectures.
The memory 122 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 1221 and/or cache memory 1222, and may further include Read Only Memory (ROM) 1223.
Memory 122 may also include a program/utility 1225 having a set (at least one) of program modules 1224, such program modules 1224 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Computing device 120 may also communicate with one or more external devices 124 (e.g., keyboard, pointing device, etc.), with one or more devices that enable a user to interact with computing device 120, and/or with any devices (e.g., router, modem, etc.) that enable computing device 120 to communicate with one or more other computing devices. Such communication may be through input/output (I/O) interfaces 125. Also, the computing device 120 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) through the network adapter 126. As shown, network adapter 126 communicates with other modules for computing device 120 over bus 123. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with computing device 120, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
In some possible embodiments, the aspects of the remote VPN access method provided by the present application may also be implemented in the form of a program product, which includes program code that, when the program product is run on a computer device, causes the computer device to perform the steps of the remote VPN access method according to the various exemplary embodiments of the present application described above in this specification; for example, the computer device may perform steps 300 and 301 as shown in fig. 3.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The program product of remote VPN access of embodiments of the present application may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be executable on a computing device. However, the program product of the present application is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user computing device, partly on the user equipment, as a stand-alone software package, partly on the user computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, according to embodiments of the application, the features and functions of two or more units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided among a plurality of units.
Further, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one, and/or one step may be broken down into multiple steps.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (9)

1. A method of remotely accessing a virtual private network (VPN), the method comprising:
after a terminal has established a VPN channel with a firewall, the terminal determines a VPN access protocol that a user needs to use from a protocol set;
the terminal establishes a remote connection with a server according to the VPN access protocol selected by the user;
wherein, before the terminal determines the VPN access protocol that the user needs to use from the protocol set, the method further comprises:
the terminal requests, from the firewall, protocol parameters corresponding to a VPN protocol type selected by the user;
the terminal determines the VPN protocol parameter selected by the user from the VPN protocol parameters corresponding to the VPN protocol type selected by the user and returned by the firewall;
after determining an authentication mode according to the VPN protocol parameter selected by the user, the terminal sends to the firewall the login information, input by the user, that corresponds to the authentication mode and to the VPN protocol parameter selected by the user, so that the firewall authenticates the login information according to the authentication mode;
and, after the firewall has authenticated the login information, the terminal establishes the VPN channel with the firewall according to the VPN protocol parameters selected by the user.
2. The method of claim 1, wherein the terminal requesting, from the firewall, the protocol parameters corresponding to the VPN protocol type selected by the user comprises:
the terminal establishing a virtual network card according to the VPN protocol type selected by the user and sending a data packet of the virtual network card to the firewall through a physical network card.
3. The method of claim 1, wherein the terminal establishing the VPN channel with the firewall according to the VPN protocol parameters selected by the user comprises:
the terminal receiving network information returned by the firewall and determined according to the VPN protocol parameter selected by the user;
and the terminal establishing the VPN channel with the firewall according to the network information.
4. The method of claim 1, wherein, after the terminal establishes the VPN channel with the firewall and before the terminal determines the VPN access protocol that the user needs to use from the protocol set, the method further comprises:
the terminal determining that the VPN channel established with the firewall is stable according to network delay and/or data packet transmission conditions.
5. The method of claim 4, wherein, after the terminal establishes the VPN channel with the firewall, the method further comprises:
if the terminal determines that the VPN channel established with the firewall is unstable according to the network delay and/or the data packet transmission conditions, prompting the user to switch the VPN channel.
6. The method of claim 1, wherein, after the terminal establishes the remote connection with the server according to the VPN access protocol selected by the user, the method further comprises:
after the terminal receives an input instruction from an input device through Bluetooth, if the input instruction is a preset input instruction, the terminal converts the input instruction according to the VPN access protocol selected by the user and sends the converted input instruction to the server.
7. An apparatus for remotely accessing a VPN, the apparatus comprising: at least one processing unit and at least one storage unit, wherein the storage unit stores program code that, when executed by the processing unit, causes the apparatus to:
determine, after a virtual private network (VPN) channel has been established with a firewall, a VPN access protocol that a user needs to use from a protocol set;
establish a remote connection with a server according to the VPN access protocol selected by the user;
wherein the processing unit is further configured, before determining the VPN access protocol that the user needs to use from the protocol set, to request, from the firewall, protocol parameters corresponding to a VPN protocol type selected by the user;
determine the VPN protocol parameter selected by the user from the VPN protocol parameters corresponding to the VPN protocol type selected by the user and returned by the firewall;
after an authentication mode is determined according to the VPN protocol parameter selected by the user, send to the firewall the login information, input by the user, that corresponds to the authentication mode and to the VPN protocol parameter selected by the user, so that the firewall authenticates the login information according to the authentication mode;
and, after the firewall has authenticated the login information, establish a VPN channel with the firewall according to the VPN protocol parameters selected by the user.
8. A computer-readable medium having stored thereon computer-executable instructions for performing the method of any one of claims 1-6.
9. A computing device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
CN201910004783.3A 2019-01-03 2019-01-03 Method and equipment for remotely accessing VPN Active CN109672602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910004783.3A CN109672602B (en) 2019-01-03 2019-01-03 Method and equipment for remotely accessing VPN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910004783.3A CN109672602B (en) 2019-01-03 2019-01-03 Method and equipment for remotely accessing VPN

Publications (2)

Publication Number Publication Date
CN109672602A CN109672602A (en) 2019-04-23
CN109672602B true CN109672602B (en) 2021-06-04

Family

ID=66149194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910004783.3A Active CN109672602B (en) 2019-01-03 2019-01-03 Method and equipment for remotely accessing VPN

Country Status (1)

Country Link
CN (1) CN109672602B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636044B (en) * 2019-08-19 2021-01-01 视联动力信息技术股份有限公司 Network access method, system and device of virtual terminal and storage medium
CN112711449A (en) * 2019-10-25 2021-04-27 西安诺瓦星云科技股份有限公司 Data processing method, device and system and computer storage medium
CN110708158B (en) * 2019-11-06 2022-06-10 积成电子股份有限公司 Method for remotely maintaining charging pile based on SSH reverse tunnel technology
CN111614537B (en) * 2020-04-29 2022-03-01 中国建设银行股份有限公司 Disaster recovery network system
CN111756855B (en) * 2020-06-30 2023-06-20 北京来也网络科技有限公司 Remote control system, method, medium and computing device
CN112448949A (en) * 2020-11-12 2021-03-05 武汉空格信息技术有限公司 Computer network monitoring system
CN113852509B (en) * 2021-09-30 2023-06-27 重庆紫光华山智安科技有限公司 Equipment access method, system, medium and electronic terminal

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909448A (en) * 2005-08-05 2007-02-07 华为技术有限公司 Method for realizing end to end encryption transmission in MPLS VPN network
CN101669128A (en) * 2007-04-27 2010-03-10 国际商业机器公司 Cascading authentication system
CN103051642A (en) * 2013-01-18 2013-04-17 上海云和信息系统有限公司 Method for realizing accessing of local area network equipment in firewall based on VPN (Virtual Private Network) and network system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160142374A1 (en) * 2014-11-13 2016-05-19 D. Scott CLARK Private and secure communication systems and methods

Also Published As

Publication number Publication date
CN109672602A (en) 2019-04-23

Similar Documents

Publication Publication Date Title
CN109672602B (en) Method and equipment for remotely accessing VPN
JP6987931B2 (en) Secure single sign-on and conditional access for client applications
US11750589B2 (en) System and method for secure application communication between networked processors
JP6594449B2 (en) Micro VPN tunneling for mobile platforms
CN111818100B (en) Method for configuring channel across networks, related equipment and storage medium
JP4456929B2 (en) Architecture for connecting remote clients to local client desktops
JP2018518738A (en) Client device authentication based on entropy from server or other device
US20090260074A1 (en) System and method for application level access to virtual server environments
US9577982B2 (en) Method and apparatus for extending remote network visibility of the push functionality
JP2011100207A (en) Remote access device, program, method and system
US11909808B2 (en) Non-HTTP layer 7 protocol applications running in the browser
US9413553B2 (en) Network access control based on risk factor
US10063520B2 (en) Smart storage with VPN and discovery
US9794225B2 (en) Secure network communications in a mobile device over IPsec
CN104935649A (en) Method for preventing virus propagation and securely transmitting U disk file on counter of financial network
CN115174603B (en) NAS service system, implementation method, electronic equipment and storage medium
US20240214366A1 (en) Extensible server management framework based on reverse connection protocol and operation method thereof and access operating method thereof
CN111970281B (en) Routing equipment remote control method and system based on verification server and electronic equipment
Zientara Learn pfSense 2.4: Get up and running with Pfsense and all the core concepts to build firewall and routing solutions
Headquarters Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted
Macintosh VPNs and IPSec

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant