Disclosure of Invention
The invention aims to provide a data transmission system, a method for establishing a VPN connection, and a terminal and a VPN proxy thereof, which solve the technical problems of low network data transmission efficiency and high upgrade difficulty that arise in the related art from the use of classical protocols.
In order to achieve the above object, in a first aspect of the embodiments of the present disclosure, a data transmission system is provided, including:
a terminal, a virtual private network (VPN) server, and a VPN agent for establishing a VPN connection between said terminal and said VPN server;
the terminal comprises a first http proxy client supporting the QUIC protocol, configured to establish a connection with the VPN proxy based on the QUIC protocol;
the VPN agent is configured to establish a connection with the VPN server based on the Transmission Control Protocol (TCP), so as to establish a VPN connection between the terminal and the VPN server.
Optionally, the VPN agent includes an http proxy server supporting a QUIC protocol, and the terminal includes a configuration module, configured to obtain address information of the http proxy server included in the VPN agent, and configure the first http proxy client according to the address information.
Optionally, the terminal includes a second http proxy client supporting the TCP protocol;
the terminal is further configured to determine, when receiving a VPN tunnel establishment instruction, whether the first http proxy client is in an enabled state;
and, if the first http proxy client is not in the enabled state, to establish a connection with the VPN proxy based on the second http proxy client.
Optionally, the terminal is further configured to establish a TCP connection between the second http proxy client and the first http proxy client when the first http proxy client is in an enabled state, where the second http proxy client is configured to send data of a TCP protocol to the first http proxy client.
Optionally, the VPN agent is deployed on the same electronic device as the VPN server.
In a second aspect of the embodiments of the present disclosure, a VPN agent is provided, where the VPN agent is any one of the VPN agents in the first aspect.
In a third aspect of the embodiments of the present disclosure, a terminal is provided, where the terminal is the terminal of any one of the data transmission systems in the first aspect.
In a fourth aspect of the embodiments of the present disclosure, a method for establishing a VPN connection is provided, which is applied to a terminal, and includes:
when a VPN connection establishment instruction is received, determining whether a first http proxy client in the terminal is in an enabled state, wherein the first http proxy client is an http proxy client supporting the QUIC protocol;
and, if the first http proxy client is in the enabled state, establishing a connection with a VPN proxy based on the first http proxy client, wherein the VPN proxy is configured to establish a connection with a VPN server based on the TCP protocol, so as to establish a VPN connection between the terminal and the VPN server.
Optionally, before establishing the connection with the VPN proxy based on the first http proxy client, the method includes:
establishing a TCP connection between a second http proxy client in the terminal and the first http proxy client, wherein the second http proxy client is an http proxy client in the terminal supporting the TCP protocol.
Optionally, the method further comprises:
acquiring address information of an http proxy server supporting the QUIC protocol and included in the VPN proxy;
configuring the first http proxy client according to the address information;
and the establishing of the connection with the VPN proxy based on the first http proxy client comprises:
establishing a connection, according to the address information, with the http proxy server supporting the QUIC protocol and included in the VPN proxy.
According to the technical scheme, the first http proxy client supporting the QUIC protocol and arranged on the terminal is connected with the VPN proxy on the basis of the QUIC protocol, and the VPN proxy is connected with the VPN server on the basis of the TCP protocol. Information acquired by the terminal can therefore be transmitted to the VPN proxy on the basis of the QUIC protocol. Since the transmission rate of the QUIC protocol is high and the terminal does not depend on the operating system or on intermediate equipment, the requirement for high-efficiency network transmission in some application scenarios of network transmission can be met.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
Since the rise of the Internet in the 1990s, most Internet data transmission has used a set of classical protocols, such as IPv4 (Internet Protocol version 4) for routing, TCP (Transmission Control Protocol) for flow control of the link, TLS (Transport Layer Security) for transmission security, and the like.
On the other hand, with the rapid development of the mobile Internet and the gradual rise of the Internet of Things, users' requirements on network transmission efficiency and web response speed are ever higher. However, most Internet data transmission still uses the classical protocols at present, and the transmission rate of the classical protocols has difficulty meeting the requirements of high-efficiency data transmission application scenarios. If a brand-new application layer protocol is implemented on top of the existing TCP and TLS protocols, the deployment cost is high, and the implementation is difficult because it depends on support from the operating system and intermediate equipment.
In order to solve the above problem, an embodiment of the present disclosure provides a data transmission system, as shown in fig. 1, the system including:
a terminal 10, a virtual private network (VPN) server 30, and a VPN agent 20 for establishing a VPN connection between said terminal 10 and said VPN server 30;
wherein said terminal 10 comprises a first http proxy client 110 supporting the QUIC protocol, for establishing a connection with said VPN proxy 20 based on the QUIC protocol;
and the VPN agent 20 is configured to establish a connection with the VPN server 30 based on the Transmission Control Protocol (TCP), so as to establish a VPN connection between the terminal 10 and the VPN server 30.
Compared with the HTTP/2.0 protocol and the TLS protocol that are widely used at present, the QUIC (Quick UDP Internet Connections) protocol is a protocol that uses UDP (User Datagram Protocol) to perform multi-path concurrent transmission; it saves the TCP three-way handshake and the TLS handshake time, and has high data transmission efficiency due to the use of UDP.
Specifically, the terminal 10 may be an electronic device used by a user, such as a computer, and the number of terminals 10 may be one or more. The VPN agent 20 is a virtual module for constructing a VPN tunnel, which may, for example, be a module constructed based on OpenVPN software. The first http proxy client 110 is a proxy client supporting the QUIC protocol, and may be a module constructed based on OpenVPN software, such as a QUIC Http-Proxy Client module. The first http proxy client 110 is deployed at the terminal 10 for establishing a connection with said VPN agent 20 based on the QUIC protocol. In addition, the VPN agent 20 establishes a connection with the VPN server 30 based on the TCP protocol, wherein the VPN server 30 is an electronic device providing computing services, and the number of VPN servers 30 may be one or more.
As shown in fig. 1, in one possible embodiment, there are 2 terminals 10 and 2 VPN servers 30, and the VPN agent 20 is deployed on a separate server. A connection is established between the VPN agent 20 and each terminal 10 based on the QUIC protocol, and a connection is established between the VPN agent 20 and each VPN server 30 based on the TCP protocol. Further, when a terminal 10 needs to transmit data to a VPN server 30, the data may be transmitted to the VPN agent 20 based on the QUIC protocol, and the VPN agent 20 may then transmit the data to the VPN server 30 based on the TCP protocol. On the other hand, in the embodiment shown in fig. 1, since the VPN agent 20 and the VPN servers 30 are deployed in the same IDC (Internet Data Center), where the improvement in transmission rate from using another protocol would not be noticeable, the TCP protocol is still used between the VPN agent 20 and the VPN servers 30, and the VPN servers 30 do not need to be modified, which reduces the difficulty of building the entire system. Moreover, data transmission can be made safer by using the VPN agent 20 to transmit data through the VPN tunnel: a terminal 10 only needs to connect to the port corresponding to the VPN agent 20, and different terminals 10 can be connected to different VPN servers 30 through the VPN agent 20, so that load balancing can be achieved and the number of externally exposed ports reduced.
The first http proxy client 110 supporting the QUIC protocol included in the terminal 10 establishes a connection with the VPN proxy 20 based on the QUIC protocol, and the VPN proxy 20 establishes a connection with the VPN server 30 based on the TCP protocol, so that information acquired by the terminal 10 can be transmitted to the VPN proxy 20 based on the QUIC protocol. The transmission rate of the QUIC protocol is high, it does not depend on the operating system or on intermediate equipment, and it can meet the requirement for efficient network transmission in some application scenarios of network transmission.
Optionally, as shown in fig. 2, the VPN agent 20 includes an http proxy server 210 supporting a QUIC protocol, and the terminal 10 includes a configuration module 130, configured to obtain address information of the http proxy server 210 included in the VPN agent 20, and configure the first http proxy client 110 according to the address information.
Specifically, the http proxy server 210 may be a module established based on OpenVPN, such as a QUIC Http-Proxy Server module, and the configuration module 130 may also be a module established based on OpenVPN. OpenVPN is open-source software that is convenient to use and easy to modify. After acquiring the address information of the http proxy server 210 included in the VPN proxy 20, such as its IP address and port, the configuration module 130 configures the first http proxy client 110 according to the acquired address information, so that the first http proxy client 110 establishes a connection with the http proxy server 210 in the VPN proxy 20.
Optionally, as shown in fig. 2, the terminal 10 includes a second http proxy client 120 supporting the TCP protocol;
the terminal 10 is further configured to determine, when receiving a VPN tunnel establishment instruction, whether the first http proxy client 110 is in an enabled state;
and, if the first http proxy client 110 is not in the enabled state, to establish a connection with the VPN agent 20 based on the second http proxy client 120.
As shown in fig. 2, the second http proxy client 120 may be an OpenVPN Client module established based on OpenVPN; the OpenVPN Client module may establish a connection with the VPN proxy 20 based on the TCP protocol, or may establish a connection with the first http proxy client 110 based on the TCP protocol. When a VPN tunnel establishment instruction is received, it is detected whether the first http proxy client 110 is in the enabled state. If the first http proxy client 110 is not in the enabled state, this indicates that the terminal 10 cannot establish a connection with the VPN proxy 20 based on the QUIC protocol, so the connection with the VPN proxy 20 is established based on the second http proxy client 120 instead; the connection between the terminal 10 and the VPN proxy 20 is then established based on the TCP protocol, and the establishment of the VPN tunnel is ensured so that data can be transmitted. Alternatively, where the requirement on data transmission efficiency is not high, the first http proxy client 110 may simply be left disabled, and data is transmitted between the terminal 10 and the VPN proxy 20 using the TCP protocol based on the second http proxy client 120, thereby providing multiple choices.
Optionally, the terminal 10 is further configured to, when the first http proxy client 110 is in an enabled state, establish a TCP connection between the second http proxy client 120 and the first http proxy client 110, where the second http proxy client 120 is configured to send data of a TCP protocol to the first http proxy client 110.
Specifically, when the first http proxy client 110 is detected to be in the enabled state, a TCP connection between the second http proxy client 120 and the first http proxy client 110 is established, so that data can be transmitted between the terminal 10 and the VPN agent 20 based on the QUIC protocol, with high transmission efficiency. For example, when the terminal 10 needs to transmit data to the VPN server 30, the second http proxy client 120 transmits the data to the first http proxy client 110 based on the TCP protocol, the first http proxy client 110 transmits the data to the VPN agent 20 based on the QUIC protocol, and finally the VPN agent 20 transmits the data to the VPN server 30 based on the TCP protocol, completing the transmission of the data from the terminal 10 to the server. The second http proxy client 120 is for the most part an existing module, for example the OpenVPN Client module in OpenVPN, so that only the second http proxy client 120 needs to be added to establish the connection between the terminal 10 and the VPN proxy 20, which is easy to implement and low in modification cost.
Alternatively, as shown in fig. 3, the VPN agent 20 is deployed on the same electronic device 40 as the VPN server 30.
As shown in fig. 3, the VPN agent 20 is dedicated to the VPN server 30; compared with a VPN agent 20 connected to a plurality of VPN servers 30 (see fig. 1 or fig. 2), the load on the VPN agent 20 is reduced, and the electronic device 40 on which the VPN agent 20 is located is prevented from being overloaded and going down. The terminal 10 can establish a connection with the VPN server 30 directly based on the address information of the VPN server 30.
In addition, the functional units in the embodiments of the present disclosure may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. An integrated unit may be realized in the form of hardware, or in the form of hardware plus a software functional unit.
In another aspect of the embodiments of the present disclosure, a VPN agent is further provided, where the VPN agent is configured as a VPN agent in any of the data transmission systems described above, for example, the VPN agent 20 in fig. 1, and reference may specifically be made to the description of fig. 1 in the above embodiments, and details are not repeated here.
In another aspect of the embodiments of the present disclosure, a terminal is further provided, where the terminal is configured as a terminal in any one of the data transmission systems described above, for example, the terminal 10 in fig. 1, and specific reference may be made to the description of fig. 1 in the above embodiments, and details are not repeated here.
As shown in fig. 4, an embodiment of the present disclosure further provides a method for establishing a VPN connection, which may be applied to the terminal 10 shown in fig. 1; the method includes:
S11, when a VPN connection establishment instruction is received, determining whether a first http proxy client in the terminal is in an enabled state.
The first http proxy client is an http proxy client supporting the QUIC protocol.
S12, if the first http proxy client is in the enabled state, establishing a connection with a VPN proxy based on the first http proxy client, wherein the VPN proxy is configured to establish a connection with a VPN server based on the TCP protocol, so as to establish a VPN connection between the terminal and the VPN server.
In the method, when the terminal receives a VPN connection establishment instruction and determines that the first http proxy client in the terminal is in the enabled state, a connection is established between the first http proxy client and the VPN proxy, so that information acquired by the terminal can be transmitted to the VPN proxy based on the QUIC protocol. The transmission rate of the QUIC protocol is high, the method does not depend on the operating system or on intermediate equipment, and it can meet the requirement for high-efficiency network transmission in some application scenarios of network transmission.
Fig. 5 is another flowchart illustrating a method of establishing a VPN connection according to an exemplary embodiment; as shown in fig. 5, the method comprises:
S21, when a VPN connection establishment instruction is received, determining whether a first http proxy client in the terminal is in an enabled state.
The first http proxy client is an http proxy client supporting the QUIC protocol.
S22, if the first http proxy client is in the enabled state, establishing a TCP connection between a second http proxy client in the terminal and the first http proxy client.
The second http proxy client is an http proxy client in the terminal supporting the TCP protocol.
S23, establishing a connection with a VPN proxy based on the first http proxy client, wherein the VPN proxy is configured to establish a connection with a VPN server based on the TCP protocol, so as to establish a VPN connection between the terminal and the VPN server.
Fig. 6 is another flowchart illustrating a method of establishing a VPN connection according to an exemplary embodiment; as shown in fig. 6, the method includes:
S31, when a VPN connection establishment instruction is received, determining whether a first http proxy client in the terminal is in an enabled state.
The first http proxy client is an http proxy client supporting the QUIC protocol.
S32, if the first http proxy client is in the enabled state, establishing a TCP connection between a second http proxy client in the terminal and the first http proxy client.
The second http proxy client is an http proxy client in the terminal supporting the TCP protocol.
S33, acquiring the address information of the http proxy server that supports the QUIC protocol and is included in the VPN proxy.
S34, configuring the first http proxy client according to the address information.
S35, establishing a connection, according to the address information, with the http proxy server that supports the QUIC protocol and is included in the VPN proxy, wherein the VPN proxy is configured to establish a connection with the VPN server based on the TCP protocol, so as to establish a VPN connection between the terminal and the VPN server.
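The terminal-side selection between the QUIC path (second client to first client over local TCP, then QUIC to the VPN proxy) and the TCP fallback (second client straight to the VPN proxy), covering both the system description of the first and second http proxy clients and the method steps S21 to S23 and S31 to S35, as an added example that is not code from the patent or from OpenVPN. It assumes the first client exposes a local TCP listen port that the OpenVPN client can be pointed at, that address information arrives as `host:port`, and that the OpenVPN `http-proxy` directive is what the second client consumes; the function names, the stub listener and the sample addresses are constructed for the demonstration.

```python
"""Terminal-side VPN path selection: QUIC via the first client if it is enabled,
otherwise TCP via the second (OpenVPN) client directly to the VPN proxy."""
from __future__ import annotations

import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def parse_address_info(text: str) -> Endpoint:
    """S33/S34: address information is assumed to be 'host:port'.
    Rejects malformed input instead of silently configuring a bad upstream."""
    host, sep, port = text.rpartition(":")
    if not sep or not host:
        raise ValueError(f"expected host:port, got {text!r}")
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range: {port_num}")
    return Endpoint(host, port_num)


def first_client_enabled(local: Endpoint, timeout: float = 0.5) -> bool:
    """S21/S31: the first (QUIC) client counts as enabled when its local TCP
    listen port accepts a connection; this is the same TCP leg the second
    client would use in S22/S32. A refused or timed-out connect means disabled."""
    try:
        with socket.create_connection((local.host, local.port), timeout=timeout):
            return True
    except OSError:
        return False


def select_vpn_path(first_client: Endpoint, vpn_proxy_tcp: Endpoint) -> dict:
    """Decide which upstream the second (OpenVPN) client talks to and emit the
    matching OpenVPN 'http-proxy <host> <port>' directive (hypothetical use)."""
    if first_client_enabled(first_client):
        upstream, transport = first_client, "quic"  # S22/S23: TCP to first client, QUIC onward
    else:
        upstream, transport = vpn_proxy_tcp, "tcp"  # fallback: second client alone
    return {
        "transport": transport,
        "upstream": upstream,
        "directive": f"http-proxy {upstream.host} {upstream.port}",
    }


def start_stub_first_client() -> tuple[socket.socket, Endpoint]:
    """Constructed stand-in for the first client's listen socket, bound to an
    ephemeral loopback port so the demo runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, Endpoint("127.0.0.1", srv.getsockname()[1])


if __name__ == "__main__":
    proxy = parse_address_info("203.0.113.10:1194")  # constructed sample address
    stub, local_ep = start_stub_first_client()
    print("first client enabled ->", select_vpn_path(local_ep, proxy))
    stub.close()
    print("first client disabled ->", select_vpn_path(local_ep, proxy))
```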
With regard to the method in the above-described embodiment, the respective steps have been described in detail in the related embodiment of the above-described data transmission system, and will not be elaborated herein.
Fig. 7 is a block diagram illustrating a terminal according to an example embodiment. As shown in fig. 7, the terminal 700 may include: a processor 701 and a memory 702. The terminal 700 can also include one or more of a multimedia component 703, an input/output (I/O) interface 704, and a communication component 705.
The processor 701 is configured to control the overall operation of the terminal 700, so as to complete all or part of the steps in the above-mentioned VPN connection establishment method. The memory 702 is used to store various types of data supporting operation of the terminal 700, such as instructions for any application or method operating on the terminal 700 and application-related data, such as contact data, messages, pictures, audio, video, and the like. The memory 702 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, a magnetic disk, or an optical disk. The multimedia component 703 may include a screen and an audio component. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals; the received audio signal may further be stored in the memory 702 or transmitted through the communication component 705. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 704 provides an interface between the processor 701 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 705 is used for wired or wireless communication between the terminal 700 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G, 4G, NB-IoT, eMTC, 5G or others, or a combination of one or more of them, which is not limited herein. The corresponding communication component 705 may thus include a Wi-Fi module, a Bluetooth module, an NFC module, etc.
In an exemplary embodiment, the terminal 700 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for performing the above-mentioned VPN connection establishment method.
In another exemplary embodiment, a computer readable storage medium is also provided, which comprises program instructions, which when executed by a processor, implement the steps of the above-described VPN connection establishment method. For example, the computer readable storage medium may be the above-mentioned memory 702 including program instructions executable by the processor 701 of the terminal 700 to perform the above-mentioned VPN connection establishment method.
The preferred embodiments of the present disclosure have been described in detail with reference to the accompanying drawings; however, the present disclosure is not limited to the specific details of the above embodiments, and various simple modifications may be made to the technical solution of the present disclosure within the technical idea of the present disclosure, all of which belong to the protection scope of the present disclosure.
It should be noted that, in the foregoing embodiments, various features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various combinations that are possible in the present disclosure are not described again.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.