CN110324227A - Data transmission method in a VPN server, and VPN server - Google Patents


Info

Publication number: CN110324227A
Authority: CN (China)
Prior art keywords: message, data, vpn server, user client, vpn
Legal status: Pending
Application number: CN201910560980.3A
Other languages: Chinese (zh)
Inventor: 陆兆新
Current assignee: Xiamen Wangsu Co Ltd
Original assignee: Xiamen Wangsu Co Ltd
Application filed by Xiamen Wangsu Co Ltd
Priority to CN201910560980.3A
Publication of CN110324227A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention discloses a data transmission method in a VPN server, and a VPN server. The VPN server includes a message dispatching unit, and a control-flow process and a data-flow process run in the VPN server, wherein: the message dispatching unit is used to obtain the request messages sent by a user client and to forward the control messages and data messages among them to the control-flow process and the data-flow process respectively; the control-flow process is used to negotiate with the user client so that the VPN server establishes a VPN connection with the user client, to collect the negotiation information generated during the negotiation, and to share the negotiation information with the data-flow process; the data-flow process is used to restore the data messages forwarded by the message dispatching unit to the original data messages and to send the original data messages to the intranet server connected to the VPN server. The technical solution provided by the present application can improve data transmission efficiency.

Description

Data transmission method in a VPN server, and VPN server
Technical field
The present invention relates to the field of Internet technology, and in particular to a data transmission method in a VPN server and to a VPN server.
Background art
Currently, in order to improve the security of network data transmission, VPN (Virtual Private Network) technology is used more and more widely. Among VPN servers, those based on PPTP (Point to Point Tunneling Protocol) can enhance data security through methods such as the Password Authentication Protocol and the Extensible Authentication Protocol, so PPTP VPN servers have become a mainstream kind of VPN server.
Existing PPTP VPN servers are normally implemented in kernel mode. When a data message arrives at the network card, it is first copied from the network card into the kernel system, and the data message in the kernel system is then copied again into the VPN application, so that the VPN application can process it.
An existing PPTP VPN server therefore copies each data message multiple times. When faced with massive user traffic, the number of copied data messages also grows, which increases the load of the PPTP VPN server and thereby reduces data transmission efficiency and quality of service.
Summary of the invention
The purpose of the present application is to provide a data transmission method in a VPN server, and a VPN server, which can improve data transmission efficiency.
To achieve the above object, in one aspect the present application provides a VPN server. The VPN server includes a message dispatching unit, and a kernel-mode control-flow process and a user-mode data-flow process run in the VPN server, wherein: the message dispatching unit is used to obtain the request messages sent by a user client from the public network interface of the VPN server, to identify the type of each request message, to forward the identified control messages to the control-flow process, and to forward the identified data messages to the data-flow process; the control-flow process is used to negotiate with the user client according to the control messages forwarded by the message dispatching unit, so that the VPN server establishes a VPN connection with the user client, to collect the negotiation information generated in the negotiation process, and to share the negotiation information with the data-flow process; the data-flow process is used to restore the data messages forwarded by the message dispatching unit to original data messages according to the negotiation information shared by the control-flow process, and to send the original data messages to the intranet server connected to the VPN server.
To achieve the above object, in another aspect the present application also provides a data transmission method in a VPN server, the method including: obtaining the request messages sent by a user client from the public network interface of the VPN server and identifying the type of each request message, the types of request messages including control messages and data messages; according to the identified control messages, negotiating with the user client so that the VPN server establishes a VPN connection with the user client, and collecting the negotiation information generated in the negotiation process; according to the negotiation information, restoring the identified data messages to original data messages, and sending the original data messages to the intranet server connected to the VPN server.
To achieve the above object, in another aspect the present application also provides a VPN server including a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the data transmission method described above.
As can be seen from the above, the technical solution provided by the present application modifies a kernel-mode VPN server so that the modified VPN server supports kernel mode and user mode at the same time: in kernel mode, data are processed by the control-flow process, and in user mode, data are processed by the data-flow process. In the present application, the message dispatching unit obtains the request messages sent by the user client from the public network interface of the VPN server, hands the control messages among them to the control-flow process, and hands the data messages among them to the data-flow process. The control-flow process negotiates with the user client according to the received control messages, so that the VPN server establishes a VPN connection with the user client, and the control-flow process collects the negotiation information generated in the negotiation process. The data-flow process then processes the received data messages according to the negotiation information shared by the control-flow process, restores them to the original data messages, and sends the restored original data messages to the intranet server, thereby completing the user client's access to the intranet server. With this solution, data messages are processed directly by the user-mode data-flow process without going through multiple data copies, which greatly reduces the load of the VPN server. In addition, the VPN server is compatible with the kernel-mode control-flow process and the user-mode data-flow process at the same time, and the data messages of the data flow are handled by a user-mode protocol stack, which improves the processing efficiency of data messages.
Brief description of the drawings
In order to describe the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art may obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of data distribution in the VPN server in an embodiment of the present invention;
Fig. 2 is a functional block diagram of the VPN server in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the steps of the data transmission method in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the VPN server in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the computer terminal in the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the present application provides a VPN server, in particular a PPTP VPN server, which may be obtained by improving an existing kernel-mode VPN server. Specifically, as shown in Fig. 1, the VPN server provided by the present application may include a kernel-mode kernel system and a user-mode VPN application. When the VPN server receives request messages sent by a user client, these request messages may be routed directly to the user-mode VPN application. In practical applications, the request messages sent by the user client may include control messages and data messages. The user-mode VPN application may process only the data messages and hand the control messages over to the kernel system. In this way, the kernel system and the VPN application are separated from each other yet collaborate, which improves the processing efficiency of data messages.
Specifically, referring to Fig. 2, the VPN server provided by the present application may include a message dispatching unit, and a control-flow process containing a kernel module and a user-mode data-flow process run in the VPN server. In practical applications, a DPDK (Data Plane Development Kit) component may be added to the VPN server; the DPDK component is responsible for sending and receiving messages through the physical network cards of the VPN server, and the message dispatching unit may be located inside the DPDK component. Specifically, as shown in Fig. 2, the physical network cards of the VPN server may include a public network interface eth0 and an intranet interface eth1. The public network interface communicates with devices in the wide area network, and the intranet interface communicates with the intranet server in the local area network. The intranet server may be a server inside an enterprise that stores internal resources; employees of the enterprise access the VPN server through a user client and then, through the VPN server, access the internal resources on the intranet server.
In this embodiment, when the VPN server is deployed, its public network interface and intranet interface may be bound to the DPDK component described above. This lets the DPDK component take over the network card driver, so that messages are sent and received directly from the public network interface and the intranet interface through the DPDK component rather than through the original network card driver. The purpose of this is that when the original network card driver obtains a message, it generally has to send the obtained message to the kernel system first, which causes the message to be copied multiple times. The DPDK component, by contrast, can deliver received messages directly to the application layer without the multiple copies from the kernel system to the application layer, so data transmission is more efficient.
In this embodiment, the messages that the VPN server needs to handle fall into two major classes: GRE (Generic Routing Encapsulation) messages transmitted over the wide area network between the VPN server and the user client, and original data messages transmitted over the local network between the VPN server and intranet devices. GRE messages can further be subdivided into control messages and data messages. In this embodiment, because the VPN server has undergone a user-mode transformation, the control messages among the GRE messages may be handed to the control-flow process described above for processing, and the data messages among the GRE messages may be handed to the data-flow process described above for processing.
In this embodiment, in order for control messages to be passed normally from user mode to kernel mode, the DPDK component may create, through the KNI (Kernel NIC Interface) mechanism, a virtual public network interface and a virtual intranet interface corresponding to the public network interface eth0 and the intranet interface eth1. The control-flow process may then be bound to the virtual public network interface and the virtual intranet interface, so that it can subsequently communicate with the message dispatching unit in the DPDK component through these virtual interfaces, realizing message transfer between user mode and kernel mode.
Specifically, the inside of the VPN server may be divided into kernel mode and user mode. As shown in Fig. 2, the control-flow process accel-pptpd runs in kernel mode, and the data-flow process pptp, based on a user-mode protocol stack, runs in user mode. Because messages received by the VPN server reach the application layer directly through the DPDK component, a request message sent by the user client, once received at the public network interface of the VPN server, can be handed directly to the message dispatching unit in the DPDK component. After the message dispatching unit obtains the request message from the public network interface of the VPN server, it identifies the type of the request message: an identified control message is forwarded to the control-flow process through the virtual public network interface described above, and an identified data message is forwarded directly to the data-flow process. Specifically, when identifying the type of a request message, on the one hand the sending port of the request message may be examined: if the sending port is a preset particular port, the request message is judged to be a control message. On the other hand, the type may also be identified from a type field in the header information of the request message, which indicates the type of the request message.
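The classification step above (port check plus header type field) as an added example in C; this is illustrative code, not the patent's or any DPDK project's implementation. It assumes the "preset particular port" is TCP port 1723 and the "type field in the header" is the GRE protocol-type field 0x880B carried by PPTP data messages (IP protocol 47); those values come from RFC 2637, not from the patent, and the packets in the self-check are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not the patent's code): classify a raw IPv4 packet the way the
 * message dispatching unit does. Assumptions: PPTP control traffic is TCP to
 * port 1723 (the "preset particular port"); PPTP data traffic is GRE (IP
 * protocol 47) whose protocol-type field is 0x880B (the "type field in the
 * header"). These constants are from RFC 2637, not from the patent. */

enum msg_type { MSG_UNKNOWN = 0, MSG_CONTROL = 1, MSG_DATA = 2 };

#define PPTP_CONTROL_PORT 1723
#define IPPROTO_GRE_NUM   47
#define GRE_PROTO_PPP     0x880B

/* Read a big-endian 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

enum msg_type classify_request(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)          /* not an IPv4 packet */
        return MSG_UNKNOWN;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;    /* header length in bytes */
    if (ihl < 20 || len < ihl)
        return MSG_UNKNOWN;
    uint8_t proto = pkt[9];
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;

    if (proto == 6) {                            /* TCP: control if dst port is 1723 */
        if (l4len < 4) return MSG_UNKNOWN;
        return be16(l4 + 2) == PPTP_CONTROL_PORT ? MSG_CONTROL : MSG_UNKNOWN;
    }
    if (proto == IPPROTO_GRE_NUM) {              /* GRE: data if the header says PPP */
        if (l4len < 4) return MSG_UNKNOWN;
        return be16(l4 + 2) == GRE_PROTO_PPP ? MSG_DATA : MSG_UNKNOWN;
    }
    return MSG_UNKNOWN;                          /* anything else is dropped */
}

/* Build a minimal IPv4 header in front of an L4 payload (constructed input). */
size_t build_ipv4(uint8_t *out, size_t cap, uint8_t proto, const uint8_t *l4, size_t l4len)
{
    if (cap < 20 + l4len) return 0;
    memset(out, 0, 20);
    out[0] = 0x45;                               /* version 4, IHL 5 */
    out[9] = proto;
    uint16_t total = (uint16_t)(20 + l4len);
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    memcpy(out + 20, l4, l4len);
    return 20 + l4len;
}

/* Self-check on constructed packets; returns 1 on success. */
int classify_selfcheck(void)
{
    uint8_t buf[64];
    /* TCP segment: src port 40000 (0x9C40), dst port 1723 (0x06BB) */
    uint8_t tcp[20] = { 0x9C, 0x40, 0x06, 0xBB };
    size_t n = build_ipv4(buf, sizeof buf, 6, tcp, sizeof tcp);
    if (classify_request(buf, n) != MSG_CONTROL) return 0;
    /* Enhanced GRE header: K and S set, version 1, protocol type 0x880B */
    uint8_t gre[12] = { 0x30, 0x01, 0x88, 0x0B };
    n = build_ipv4(buf, sizeof buf, IPPROTO_GRE_NUM, gre, sizeof gre);
    if (classify_request(buf, n) != MSG_DATA) return 0;
    /* A UDP datagram is neither and must not reach either process */
    uint8_t udp[8] = { 0 };
    n = build_ipv4(buf, sizeof buf, 17, udp, sizeof udp);
    if (classify_request(buf, n) != MSG_UNKNOWN) return 0;
    return 1;
}
```

Returning MSG_UNKNOWN for anything that is neither TCP/1723 nor PPP-over-GRE matters for the design: the dispatcher sits in front of the kernel stack, so a packet it cannot classify should be dropped rather than forwarded to a process that never expected it.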
In practical applications, after the VPN server is deployed, it can receive a request message sent by the user client for establishing a VPN connection. After the request message is received at the public network interface of the VPN server, it is passed to the message dispatching unit, which identifies the type of the request message as a control message and therefore sends it to the kernel-mode control-flow process. According to the control messages forwarded by the message dispatching unit, the control-flow process negotiates with the user client so that the VPN server establishes a VPN connection with the user client. This negotiation determines information such as the communication protocol used between the VPN server and the user client, the encapsulation mode of the protocol, the encryption algorithm, the shared key that protects the data in the specific stream, and the lifetime of the key.
In one embodiment, the message dispatching unit forwards the identified control messages to the control-flow process through the virtual public network interface described above. After the control-flow process receives, at the virtual public network interface, a control message forwarded by the message dispatching unit, it parses the content of the control message to learn which stage of connection establishment it is currently in, and then feeds back a response message for the control message to the message dispatching unit through the virtual public network interface. The message dispatching unit sends the response message to the user client through the public network interface of the VPN server. In this way, during the connection establishment stage, the control messages exchanged between the user client and the VPN server are all processed by the control-flow process, so that the whole negotiation process can be completed.
In this embodiment, negotiation information is generated during the negotiation process; it may include, for example, the authentication key and the encryption protocol between the user client and the VPN server. This negotiation information is collected by the control-flow process. After collecting the negotiation information, the control-flow process shares it with the user-mode data-flow process, so that the data-flow process can use it to create the GRE tunnel corresponding to the user client.
Specifically, the control-flow process may share the negotiation information collected during negotiation with the data-flow process by way of IPC (Inter-Process Communication), and the data-flow process may establish the GRE tunnel of the user client according to the negotiation information and initialize procedures such as the encryption and decryption algorithms for data messages. In practical applications, after creating the GRE tunnel of the user client, the data-flow process may write an instance of the tunnel into a connection instance table. The connection instance table may hold the various items of information of the GRE tunnel, for example the data encryption and decryption method, the routing policy, the intranet network segment, the client network segment, the identity information used by the client, and the virtual network card used by the client. In addition, in the connection instance table the information of a GRE tunnel may be stored in association with the IP address of the corresponding user client, so that the GRE tunnel corresponding to a user client, and the information of that tunnel, can be looked up in the connection instance table by the IP address of the user client. It should be noted that the IP address of the user client here may be the virtual IP address assigned to the user client by the VPN server during the negotiation between the user client and the VPN server; the messages subsequently sent and received by the user client may carry this virtual IP address, so that different user clients can be distinguished by their virtual IP addresses.
In this embodiment, after the data-flow process has created the GRE tunnel of the user client, the user client sends request messages for accessing intranet resources to the VPN server through the GRE tunnel. What the user client wants to send may be an original request message, which the user client encapsulates as a GRE message. Specifically, when encapsulating a GRE message, the user client adds GRE header information to the original data message and encrypts the original data message with the added GRE header information according to the encryption algorithm determined during negotiation, obtaining the encapsulated GRE message. The user client then transmits the encapsulated GRE message through the GRE tunnel.
In this embodiment, after the VPN server receives, through the public network interface, the GRE message sent by the user client, the message dispatching unit determines that the GRE message is a data message and therefore forwards it to the data-flow process. The data-flow process restores the data message to the original data message according to the negotiation information shared by the control-flow process. Specifically, after receiving the negotiation information shared by the control-flow process, the data-flow process initializes the encryption and decryption algorithm according to the negotiation information. Then, after receiving the data message forwarded by the message dispatching unit, the data-flow process removes the header information of the data message and decrypts the data message with the header information removed, restoring the original data message. The data-flow process then sends the original data message to the intranet server connected to the VPN server; specifically, it may send the original data message to the intranet server through the intranet interface of the VPN server.
In this embodiment, after the intranet server receives the original data message sent by the VPN server, it may feed back a data response message for that original data message, which is received at the intranet interface of the VPN server. After the VPN server receives the data response message, it may direct the data response message to the user-mode data-flow process through the IP divert mechanism, so that the data-flow process receives the data response message fed back by the intranet server. The data response message may carry the virtual IP address of the user client. In order to encrypt and encapsulate the data response message correctly, the data-flow process identifies the virtual IP address in the data response message and looks up, in the connection instance table described above, the GRE tunnel corresponding to that virtual IP address and the information of that GRE tunnel. The information found serves as the client information corresponding to the virtual IP address. As can be seen from the above description, the client information can be used to define the encryption and encapsulation mode of the data response message. In this way, after looking up the corresponding client information, the data-flow process encrypts and encapsulates the data response message and sends the encrypted and encapsulated data response message to the user client through the GRE tunnel corresponding to the user client. The data communication process between the user client and the intranet server is thus completed.
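The connection instance table described two paragraphs above, and the response-path lookup by virtual IP described in the paragraph just above, as one added example in C. This is illustrative code, not the patent's implementation; the field names, the fixed table size, and the sample entries are assumptions, and the reply packet in the self-check is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code: a minimal connection instance table
 * keyed by the client's virtual IP. Field names and MAX_TUNNELS are assumed. */

#define MAX_TUNNELS 64

struct tunnel_info {
    uint32_t client_vip;      /* virtual IP assigned during negotiation (table key) */
    uint16_t call_id;         /* GRE call ID for this client */
    uint8_t  key[16];         /* negotiated data-encryption key (placeholder) */
    uint32_t intranet_net;    /* intranet segment reachable through the tunnel */
    uint32_t intranet_mask;
    char     identity[32];    /* identity information used by the client */
    char     vnic[16];        /* virtual network card used by the client */
    int      in_use;
};

struct conn_table {
    struct tunnel_info slot[MAX_TUNNELS];
    size_t count;
};

void conn_table_init(struct conn_table *t) { memset(t, 0, sizeof *t); }

/* Lookup by virtual IP; returns NULL if no tunnel is registered for it. */
struct tunnel_info *conn_lookup(struct conn_table *t, uint32_t vip)
{
    for (size_t i = 0; i < MAX_TUNNELS; i++)
        if (t->slot[i].in_use && t->slot[i].client_vip == vip)
            return &t->slot[i];
    return NULL;
}

/* Called by the data-flow process once the control-flow process has shared
 * the negotiation information. Re-registering the same VIP replaces the old
 * entry, so a stale tunnel never shadows a fresh negotiation. */
int conn_register(struct conn_table *t, const struct tunnel_info *info)
{
    struct tunnel_info *e = conn_lookup(t, info->client_vip);
    if (!e) {
        for (size_t i = 0; i < MAX_TUNNELS && !e; i++)
            if (!t->slot[i].in_use) e = &t->slot[i];
        if (!e) return -1;                       /* table full */
        t->count++;
    }
    *e = *info;
    e->in_use = 1;
    return 0;
}

/* Called when the control-flow process notifies that the VPN connection was
 * torn down: destroy the tunnel entry and wipe its key material. */
int conn_remove(struct conn_table *t, uint32_t vip)
{
    struct tunnel_info *e = conn_lookup(t, vip);
    if (!e) return -1;
    memset(e, 0, sizeof *e);
    t->count--;
    return 0;
}

/* Response path: the intranet server's reply carries the client's virtual IP
 * as its IPv4 destination (bytes 16..19). Return the tunnel that must encrypt
 * and encapsulate it, or NULL (drop) when no tunnel is registered. */
struct tunnel_info *conn_for_response(struct conn_table *t, const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4) return NULL;
    uint32_t dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
                   ((uint32_t)ip[18] << 8) | ip[19];
    return conn_lookup(t, dst);
}

/* Self-check with constructed entries; returns 1 on success. */
int conn_selfcheck(void)
{
    struct conn_table t;
    conn_table_init(&t);
    struct tunnel_info a = { .client_vip = 0x0A080001u, .call_id = 7 };   /* 10.8.0.1 */
    strcpy(a.identity, "alice");
    if (conn_register(&t, &a) != 0) return 0;
    uint8_t reply[20] = { 0x45 };                /* constructed IPv4 reply to 10.8.0.1 */
    reply[16] = 10; reply[17] = 8; reply[18] = 0; reply[19] = 1;
    struct tunnel_info *e = conn_for_response(&t, reply, sizeof reply);
    if (!e || e->call_id != 7 || strcmp(e->identity, "alice") != 0) return 0;
    reply[19] = 2;                               /* 10.8.0.2: no tunnel, must be NULL */
    if (conn_for_response(&t, reply, sizeof reply) != NULL) return 0;
    if (conn_remove(&t, 0x0A080001u) != 0 || t.count != 0) return 0;
    if (conn_lookup(&t, 0x0A080001u) != NULL) return 0;
    return 1;
}
```

The two defensive details worth keeping in any real implementation are visible in the self-check: a reply whose destination has no registered tunnel is dropped rather than sent through some default tunnel, and teardown zeroes the entry so negotiated keys do not linger in the table after the connection is gone.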
In practical applications, for the GRE messages described above, the VPN server may create a network socket raw_socket on the user-mode protocol stack to send and receive them; for the original data messages sent to the intranet server, the VPN server may create a network socket raw_sender on the user-mode protocol stack to send them; and the data response messages sent by the intranet server may be redirected to the data-flow process for processing through the IP divert mechanism of the user-mode protocol stack.
In the original, unmodified VPN server, the GRE messages transmitted in the GRE tunnel (including control messages and data messages) are usually all sent and received by the same process, which uniformly assigns a sequence number to each GRE message; the sequence number distinguishes different GRE messages and characterizes the order in which they were sent. After the VPN server is transformed for user mode, however, the GRE messages transmitted in the GRE tunnel are processed separately by the control-flow process and the data-flow process, and if each of the two processes assigned sequence numbers to GRE messages independently, the sequence numbers could become disordered. In view of this, in this embodiment, the assignment of sequence numbers may be performed by the message dispatching unit described above. Specifically, the GRE messages sent out by the control-flow process and the data-flow process all have to be gathered at the message dispatching unit, so the message dispatching unit receives the GRE messages sent by both processes and can uniformly assign sequence numbers to the GRE messages it receives, avoiding sequence-number disorder. Of course, in some application scenarios, the control-flow process and the data-flow process may first assign sequence numbers to their own GRE messages separately, and when the messages are later gathered at the message dispatching unit, the message dispatching unit adjusts the sequence numbers so as to resolve the disorder.
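The GRE data path (encapsulate with header and encryption, then strip and decrypt to restore the original data message, described several paragraphs above) together with the centralized sequence numbering described just above, as one added example in C. This is illustrative code, not the patent's or any PPTP implementation's; it uses the enhanced GRE header layout of RFC 2637 (an assumption, since the patent does not name it), and the XOR routine is a labelled stand-in for the negotiated encryption algorithm. The key and the payload are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the patent's code: enhanced-GRE (RFC 2637) encapsulation
 * and decapsulation with the sequence number issued by one central allocator
 * owned by the dispatcher. toy_crypt stands in for the negotiated cipher. */

#define GRE_PROTO_PPP 0x880B
#define GRE_FLAG_K    0x20   /* byte 0: key field present (always set in PPTP) */
#define GRE_FLAG_S    0x10   /* byte 0: sequence number present */
#define GRE_FLAG_A    0x80   /* byte 1: acknowledgment number present */

/* Both the control-flow and the data-flow process ask this one allocator for
 * a number before a GRE frame leaves, so numbers stay globally ordered. */
struct seq_allocator { uint32_t next; };

uint32_t dispatch_assign_seq(struct seq_allocator *a) { return a->next++; }

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Placeholder for the negotiated algorithm: XOR with a repeating key. */
static void toy_crypt(uint8_t *buf, size_t n, const uint8_t *key, size_t klen)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % klen];
}

/* Encapsulate: 12-byte header (K and S set, version 1) + encrypted payload.
 * Returns the frame length, or 0 if the output buffer is too small. */
size_t gre_encap(uint8_t *out, size_t cap, uint16_t call_id, uint32_t seq,
                 const uint8_t *payload, size_t plen, const uint8_t *key, size_t klen)
{
    if (cap < 12 + plen || plen > 0xFFFF) return 0;
    out[0] = GRE_FLAG_K | GRE_FLAG_S;
    out[1] = 1;                                  /* version 1 = enhanced GRE */
    put16(out + 2, GRE_PROTO_PPP);
    put16(out + 4, (uint16_t)plen);              /* key high word: payload length */
    put16(out + 6, call_id);                     /* key low word: call ID */
    put32(out + 8, seq);
    memcpy(out + 12, payload, plen);
    toy_crypt(out + 12, plen, key, klen);
    return 12 + plen;
}

/* Decapsulate: validate the header, strip it, decrypt, restore the original
 * data message. Returns the payload length, or -1 for a malformed frame
 * (wrong version or protocol, truncated header, or length mismatch). */
long gre_decap(const uint8_t *in, size_t len, const uint8_t *key, size_t klen,
               uint8_t *out, size_t cap, uint32_t *seq_out, uint16_t *call_id_out)
{
    if (len < 8) return -1;
    if (!(in[0] & GRE_FLAG_K) || (in[1] & 0x07) != 1 || get16(in + 2) != GRE_PROTO_PPP)
        return -1;
    size_t hlen = 8;
    if (in[0] & GRE_FLAG_S) hlen += 4;
    if (in[1] & GRE_FLAG_A) hlen += 4;
    if (len < hlen) return -1;
    size_t plen = get16(in + 4);
    if (plen > cap || len - hlen != plen) return -1;   /* reject padded or truncated */
    *call_id_out = get16(in + 6);
    *seq_out = (in[0] & GRE_FLAG_S) ? get32(in + 8) : 0;
    memcpy(out, in + hlen, plen);
    toy_crypt(out, plen, key, klen);
    return (long)plen;
}

/* Self-check: frames from two producers share the allocator, so they carry
 * strictly increasing sequence numbers and round-trip intact. Returns 1 on success. */
int gre_selfcheck(void)
{
    static const uint8_t key[4] = { 0xDE, 0xAD, 0xBE, 0xEF };      /* constructed */
    static const uint8_t original[] = "GET /intranet/index.html";  /* constructed */
    struct seq_allocator alloc = { 0 };
    uint8_t frame[64], restored[64];
    uint32_t seq, last = 0; uint16_t cid;
    for (int i = 0; i < 3; i++) {
        /* even frames "from the control-flow process", odd ones "from data-flow" */
        size_t n = gre_encap(frame, sizeof frame, (uint16_t)(i % 2 ? 9 : 1),
                             dispatch_assign_seq(&alloc), original, sizeof original, key, sizeof key);
        if (n != 12 + sizeof original) return 0;
        long m = gre_decap(frame, n, key, sizeof key, restored, sizeof restored, &seq, &cid);
        if (m != (long)sizeof original || memcmp(restored, original, sizeof original) != 0) return 0;
        if (i > 0 && seq != last + 1) return 0;  /* per-process counters would break this */
        last = seq;
    }
    frame[1] = 0x00;                             /* corrupt the version: must be rejected */
    if (gre_decap(frame, 12 + sizeof original, key, sizeof key, restored, sizeof restored, &seq, &cid) != -1) return 0;
    return 1;
}
```

The decapsulation deliberately checks the payload length in the key field against the bytes actually present before touching the payload, because a user-mode stack that trusts a length field from the wire is exactly the place where a malformed GRE frame would turn into an out-of-bounds read.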
In one embodiment, after the communication between the user client and the VPN server is finished, in order to save the resources of the VPN server, the control-flow process in the VPN server or the user client may initiate a connection disconnection message. The connection disconnection message is received by the message dispatching unit and passed to the control-flow process or the user client. The user client and the control-flow process then complete the negotiation for disconnecting, following steps similar to the negotiation process for establishing the connection. After the negotiation is completed, the VPN connection between the VPN server and the user client can be disconnected.
In this embodiment, after the VPN connection is disconnected, the control-flow process may send a notification to the data-flow process, notifying the data-flow process to destroy the GRE tunnel of the user client and reclaim the related resources of the GRE tunnel. At this point, this communication between the VPN server and the user client ends.
Referring to Fig. 3, the present application also provides a data transmission method in a VPN server, the method including:
S1: obtaining the request messages sent by a user client from the public network interface of the VPN server and identifying the type of each request message, the types of request messages including control messages and data messages;
S3: according to the identified control messages, negotiating with the user client so that the VPN server establishes a VPN connection with the user client, and collecting the negotiation information generated in the negotiation process;
S5: according to the negotiation information, restoring the identified data messages to original data messages, and sending the original data messages to the intranet server connected to the VPN server.
In one embodiment, after collecting the negotiation information generated in the negotiation process, the method further includes:
establishing, according to the negotiation information, the generic routing encapsulation tunnel corresponding to the user client, and initializing the encryption and decryption algorithms for data messages;
removing the generic routing encapsulation header information from a data message, and decrypting the data message with the generic routing encapsulation header information removed according to the initialized encryption and decryption algorithms, so as to restore the original data message.
In one embodiment, the method further includes:
receiving the data response message fed back by the intranet server for the original data message, encrypting and encapsulating the data response message, and sending the encrypted and encapsulated data response message to the user client through the generic routing encapsulation tunnel corresponding to the user client.
In one embodiment, the method further includes:
receiving the generic routing encapsulation messages sent by the control-flow process and the data-flow process in the VPN server, and assigning sequence numbers to the received generic routing encapsulation messages.
Referring to Fig. 4, the application also provides a VPN server comprising a memory and a processor. The memory stores a computer program which, when executed by the processor, implements the data transmission method described above.
Referring to Fig. 5, the technical solution of the embodiments above can be applied to the computer terminal 10 shown in Fig. 5. The terminal 10 may include one or more processors 102 (only one is shown in the figure; the processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission module 106 for communication. Those skilled in the art will appreciate that the structure shown in Fig. 5 is only illustrative and does not limit the structure of the electronic device above. For example, the terminal 10 may include more or fewer components than shown in Fig. 5, or may have a configuration different from that shown in Fig. 5.
The memory 104 may be used to store the software programs and modules of application software; the processor 102 executes the various functional applications and data processing by running the software programs and modules stored in the memory 104. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102; such remote memory may be connected to the terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmission module 106 is used to receive or send data via a network. A specific example of the network is a wireless network provided by the communication provider of the terminal 10. In one example, the transmission module 106 includes a network interface controller (NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In another example, the transmission module 106 may be a radio frequency (RF) module used to communicate wirelessly with the Internet.
Therefore, the technical solution provided by the application improves the kernel-mode VPN server so that the modified VPN server supports kernel mode and user mode at the same time: kernel mode performs processing through the control flow process, and user mode performs data processing through the data flow process. In the application, the message dispatching unit obtains the request messages sent by the user client from the public-network interface of the VPN server, hands the control messages among them to the control flow process, and hands the data messages among them to the data flow process. The control flow process negotiates with the user client according to the received control messages, so that the VPN server establishes a VPN connection with the user client, and collects the negotiation information generated during the negotiation. The data flow process then processes the received data messages according to the negotiation information shared by the control flow process, restores them to the original data messages, and sends the restored original data messages to the intranet server, which completes the user client's access to the intranet server. With this solution, data messages are processed directly by the user-mode data flow process without passing through multiple data copies, which greatly reduces the load on the VPN server. In addition, the VPN server is compatible with both the kernel-mode control flow process and the user-mode data flow process, and the data messages of the data flow are processed through the user-mode protocol stack, which improves the processing efficiency of data messages.
From the description of the embodiments above, those skilled in the art can clearly understand that each embodiment may be implemented by software plus the necessary general-purpose hardware platform, or, of course, by hardware. Based on this understanding, the technical solution above, or the part of it that contributes to the prior art, may in essence be embodied in the form of a software product. The software product may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the method of each embodiment or of certain parts of the embodiments.
The foregoing are merely preferred embodiments of the invention and are not intended to limit the invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included in the scope of protection of the invention.

Claims (15)

1. A VPN server, characterized in that the VPN server comprises a message dispatching unit, and a kernel-mode control flow process and a user-mode data flow process run in the VPN server, wherein:
the message dispatching unit is configured to obtain a request message sent by a user client from the public-network interface of the VPN server, identify the type of the request message, forward an identified control message to the control flow process, and forward an identified data message to the data flow process;
the control flow process is configured to negotiate with the user client according to the control message forwarded by the message dispatching unit, so that the VPN server establishes a VPN connection with the user client, to collect the negotiation information generated during the negotiation, and to share the negotiation information with the data flow process;
the data flow process is configured to restore the data message forwarded by the message dispatching unit to an original data message according to the negotiation information shared by the control flow process, and to send the original data message to the intranet server connected to the VPN server.
2. The VPN server according to claim 1, characterized in that the VPN server further comprises a DPDK component, the message dispatching unit is located in the DPDK component, and the DPDK component is configured to bind to the public-network interface and the intranet interface of the VPN server so as to receive and send messages through the public-network interface and the intranet interface.
3. The VPN server according to claim 2, characterized in that the DPDK component is further configured to create a virtual public-network interface and a virtual intranet interface corresponding respectively to the public-network interface and the intranet interface; correspondingly, the control flow process is further configured to bind to the virtual public-network interface and the virtual intranet interface, so as to communicate with the message dispatching unit through the virtual public-network interface and the virtual intranet interface.
4. The VPN server according to claim 3, characterized in that the control flow process is configured to receive the control message forwarded by the message dispatching unit at the virtual public-network interface, and to return a response message for the control message to the message dispatching unit through the virtual public-network interface, so that the message dispatching unit sends the response message to the user client through the public-network interface.
5. The VPN server according to claim 1, characterized in that, after receiving the negotiation information shared by the control flow process, the data flow process is further configured to establish the generic routing encapsulation tunnel corresponding to the user client according to the negotiation information, and to initialize the encryption and decryption algorithm for data messages.
6. The VPN server according to claim 5, characterized in that, after receiving the data message forwarded by the message dispatching unit, the data flow process is further configured to remove the generic routing encapsulation header of the data message and, according to the initialized encryption and decryption algorithm, to decrypt the data message from which the generic routing encapsulation header has been removed, so as to restore the original data message.
7. The VPN server according to claim 1 or 5, characterized in that the data flow process is further configured to receive the data response message that the intranet server returns for the original data message, to encrypt and encapsulate the data response message, and to send the encrypted and encapsulated data response message to the user client through the generic routing encapsulation tunnel corresponding to the user client.
8. The VPN server according to claim 7, characterized in that, after receiving the data response message returned by the intranet server, the data flow process is further configured to identify a virtual IP address from the data response message and to look up the client information corresponding to the virtual IP address; wherein the client information defines the encryption and encapsulation manner of the data response message, and the virtual IP address is allocated to the user client by the VPN server when the VPN server establishes the VPN connection with the user client.
9. The VPN server according to claim 1, characterized in that the message dispatching unit is further configured to receive the generic routing encapsulation messages sent by the control flow process and the data flow process, and to assign sequence numbers to the received generic routing encapsulation messages.
10. The VPN server according to claim 1, characterized in that the message dispatching unit is further configured to forward a connection disconnect message to the control flow process or to the user client, so that the VPN connection is disconnected after the control flow process and the user client have negotiated;
correspondingly, after the VPN connection is disconnected, the control flow process is further configured to send a notification to the data flow process, so that the data flow process destroys the generic routing encapsulation tunnel of the user client and reclaims the resources of the generic routing encapsulation tunnel.
11. A data transmission method in a VPN server, characterized in that the method comprises:
obtaining a request message sent by a user client from the public-network interface of the VPN server, and identifying the type of the request message, the type of the request message comprising a control message and a data message;
negotiating with the user client according to the identified control message, so that the VPN server and the user client establish a VPN connection, and collecting the negotiation information generated during the negotiation;
restoring the identified data message to an original data message according to the negotiation information, and sending the original data message to the intranet server connected to the VPN server.
12. The method according to claim 11, characterized in that, after the negotiation information generated during the negotiation has been collected, the method further comprises:
establishing the generic routing encapsulation tunnel corresponding to the user client according to the negotiation information, and initializing the encryption and decryption algorithm for data messages;
removing the generic routing encapsulation header of the data message and, according to the initialized encryption and decryption algorithm, decrypting the data message from which the generic routing encapsulation header has been removed, so as to restore the original data message.
13. The method according to claim 11 or 12, characterized in that the method further comprises:
receiving the data response message that the intranet server returns for the original data message, encrypting and encapsulating the data response message, and sending the encrypted and encapsulated data response message to the user client through the generic routing encapsulation tunnel corresponding to the user client.
14. The method according to claim 11, characterized in that the method further comprises:
receiving the generic routing encapsulation messages sent by the control flow process and the data flow process in the VPN server, and assigning sequence numbers to the received generic routing encapsulation messages.
15. A VPN server, characterized in that the VPN server comprises a memory and a processor, the memory is configured to store a computer program, and the computer program, when executed by the processor, implements the data transmission method according to any one of claims 11 to 14.
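The data path of the method above (steps S1, S3 and S5 together with the GRE and decryption embodiments) and of claims 1 and 5 to 10, as an added Python illustration that is not the applicant's code: a message dispatching unit that classifies control versus data messages, per-client negotiation information shared with a user-mode data flow process, inbound GRE decapsulation followed by decryption to the original datagram, outbound lookup of the client by destination virtual IP followed by encryption, sequence-number assignment and GRE encapsulation, and tunnel teardown on disconnect. The control-message marker, the HMAC-SHA256 keystream standing in for the negotiated cipher, the IPv4 sample datagrams and every address, key and secret are constructed assumptions, since the patent does not specify the negotiation protocol or the cipher; the inbound replay check on the sequence number is likewise an addition, the page only says that sequence numbers are assigned.

```python
# Toy model of the split control-plane / data-plane VPN server described above
# (constructed illustration, not the applicant's code).
import hashlib
import hmac
import socket
import struct

GRE_FLAGS_KS = 0x3000                     # RFC 2890: Key (0x2000) + Sequence (0x1000) present
GRE_PROTO_IPV4 = 0x0800
GRE_HDR = struct.Struct(">HHII")          # flags/version, protocol, key, sequence
CTRL_MAGIC = b"CTL\x00"                   # constructed marker for control messages

def classify(msg):
    """Message dispatching unit: control message -> kernel control flow process,
    GRE data message -> user-mode data flow process."""
    if msg.startswith(CTRL_MAGIC):
        return "control"
    if len(msg) >= GRE_HDR.size and (GRE_HDR.unpack_from(msg)[0] & 0x0007) == 0:
        return "data"                     # GRE version 0
    return "unknown"

def gre_encap(key_id, seq, payload, proto=GRE_PROTO_IPV4):
    return GRE_HDR.pack(GRE_FLAGS_KS, proto, key_id, seq) + payload

def gre_decap(pkt):
    """Strip the GRE header; refuse headers without the Key/Sequence fields."""
    flags, proto, key_id, seq = GRE_HDR.unpack_from(pkt)
    if (flags & 0xF007) != GRE_FLAGS_KS:
        raise ValueError("unsupported GRE flags/version 0x%04x" % flags)
    return proto, key_id, seq, pkt[GRE_HDR.size:]

def keystream_xor(secret, seq, data):
    """Stand-in for the negotiated cipher (constructed): HMAC-SHA256 keystream
    bound to the message sequence number, XORed over the payload."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(secret, struct.pack(">II", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_ipv4(src, dst, payload):
    """Minimal IPv4 datagram, checksum left zero: constructed sample input."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

class ClientSession:
    """Negotiation information the control flow process shares with the data flow process."""
    def __init__(self, virtual_ip, key_id, secret):
        self.virtual_ip = virtual_ip      # allocated by the server at connect time (claim 8)
        self.key_id = key_id              # carried in the GRE Key field
        self.secret = secret              # negotiated secret (constructed value)
        self.last_rx_seq = 0              # inbound replay check
        self.tx_seq = 0                   # sequence number assigned to outbound GRE messages (claim 9)

class DataPlane:
    """User-mode data flow process: per-tunnel state and both traffic directions."""
    def __init__(self):
        self.by_key = {}                  # GRE key -> session (inbound lookup)
        self.by_vip = {}                  # virtual IP -> session (outbound lookup, claim 8)

    def install(self, session):
        self.by_key[session.key_id] = session
        self.by_vip[session.virtual_ip] = session

    def inbound(self, pkt):
        """Client -> intranet: strip GRE, reject replays, decrypt to the original datagram."""
        _, key_id, seq, body = gre_decap(pkt)
        s = self.by_key.get(key_id)
        if s is None:
            raise KeyError("no tunnel for GRE key 0x%x" % key_id)
        if seq <= s.last_rx_seq:
            raise ValueError("replayed or stale sequence number %d" % seq)
        s.last_rx_seq = seq
        return keystream_xor(s.secret, seq, body)

    def outbound(self, response):
        """Intranet -> client: select the client by destination virtual IP, encrypt,
        assign the next sequence number and GRE-encapsulate."""
        s = self.by_vip[socket.inet_ntoa(response[16:20])]
        s.tx_seq += 1
        return gre_encap(s.key_id, s.tx_seq, keystream_xor(s.secret, s.tx_seq, response))

    def teardown(self, key_id):
        """Disconnect notification from the control flow process (claim 10): drop the tunnel."""
        s = self.by_key.pop(key_id)
        del self.by_vip[s.virtual_ip]
        return s.virtual_ip

def demo():
    """Round trip with constructed sample traffic; returns the checks a test can assert on."""
    plane = DataPlane()
    sess = ClientSession("10.8.0.2", key_id=0x1234, secret=b"constructed-secret")
    plane.install(sess)
    original = build_ipv4("10.8.0.2", "192.168.1.10", b"GET /health")
    wire = gre_encap(0x1234, 1, keystream_xor(sess.secret, 1, original))   # as sent by the client
    restored = plane.inbound(wire)
    response = build_ipv4("192.168.1.10", "10.8.0.2", b"200 OK")
    _, key_id, seq, body = gre_decap(plane.outbound(response))
    return restored == original, key_id, seq, keystream_xor(sess.secret, seq, body) == response
```

Calling demo() exercises both directions. A production data plane would replace the strictly increasing sequence check with a bounded anti-replay window, because GRE carried over IP can legitimately reorder messages, would use an authenticated cipher negotiated by the control flow process in place of the keystream stand-in, and would validate the inner IPv4 header (length, source address matching the client's allocated virtual IP) before forwarding anything to the intranet server.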

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910560980.3A CN110324227A (en) 2019-06-26 2019-06-26 Data transmission method and vpn server in a kind of vpn server

Publications (1)

Publication Number Publication Date
CN110324227A true CN110324227A (en) 2019-10-11

Family

ID=68120391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910560980.3A Pending CN110324227A (en) 2019-06-26 2019-06-26 Data transmission method and vpn server in a kind of vpn server

Country Status (1)

Country Link
CN (1) CN110324227A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453314A (en) * 2016-10-14 2017-02-22 东软集团股份有限公司 Data encryption and decryption method and device
CN108880885A (en) * 2018-06-19 2018-11-23 杭州迪普科技股份有限公司 A kind of message processing method and device
CN108924157A (en) * 2018-07-25 2018-11-30 杭州迪普科技股份有限公司 A kind of message forwarding method and device based on IPSec VPN
CN109150688A (en) * 2018-10-22 2019-01-04 网宿科技股份有限公司 IPSec VPN data transmission method and device

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110932890A (en) * 2019-11-20 2020-03-27 厦门网宿有限公司 Data transmission method, server and computer readable storage medium
CN110932890B (en) * 2019-11-20 2022-09-09 厦门网宿有限公司 Data transmission method, server and computer readable storage medium
CN113055269A (en) * 2019-12-27 2021-06-29 厦门网宿有限公司 Virtual private network data transmission method and device
CN113055269B (en) * 2019-12-27 2023-03-07 厦门网宿有限公司 Virtual private network data transmission method and device
CN111447132A (en) * 2020-03-16 2020-07-24 广州华多网络科技有限公司 Data transmission method, device, system and computer storage medium
CN111447132B (en) * 2020-03-16 2021-12-21 广州方硅信息技术有限公司 Data transmission method, device, system and computer storage medium
CN113572688A (en) * 2021-01-21 2021-10-29 深圳市中网信安技术有限公司 Message forwarding method, terminal equipment and computer storage medium
CN113572688B (en) * 2021-01-21 2023-03-14 深圳市中网信安技术有限公司 Message forwarding method, terminal device and computer storage medium
CN113382014A (en) * 2021-06-23 2021-09-10 中移(杭州)信息技术有限公司 Negotiation processing method, device, terminal equipment and storage medium
CN113810397A (en) * 2021-09-09 2021-12-17 山石网科通信技术股份有限公司 Protocol data processing method and device
CN114205186A (en) * 2021-11-25 2022-03-18 锐捷网络股份有限公司 Message processing method, device and system

Similar Documents

Publication Publication Date Title
CN110324227A (en) Data transmission method and vpn server in a kind of vpn server
CN100437543C (en) Method and apparatus for implementing a layer 3/layer 7 firewall in an l2 device
CN101300806B (en) System and method for processing secure transmissions
CN1790980B (en) Secure authentication advertisement protocol
CN106790420B (en) A kind of more session channel method for building up and system
KR101097548B1 (en) Digital object title authentication
CN109361606B (en) Message processing system and network equipment
US20030105951A1 (en) Policy-driven kernel-based security implementation
US20030105953A1 (en) Offload processing for secure data transfer
CN103036784A (en) Methods and apparatus for a self-organized layer-2 enterprise network architecture
JP2004524768A (en) System and method for distributing protection processing functions for network applications
KR20030019356A (en) Secure dynamic link allocation system for mobile data communication
CN106790675A (en) Load-balancing method, equipment and system in a kind of cluster
CN106973053B (en) The acceleration method and system of BAS Broadband Access Server
CN101958822A (en) Cryptographic communication system and gateway device
CN105812322B (en) The method for building up and device of internet safety protocol safe alliance
JP3515551B2 (en) Electronic device having wireless data communication relay function
CN108964880A (en) A kind of data transmission method and device
CN110086798B (en) Method and device for communication based on public virtual interface
CN107819685A (en) The method and the network equipment of a kind of data processing
US20040168049A1 (en) Method for encrypting data of an access virtual private network (VPN)
KR101116109B1 (en) Digital object title and transmission information
US6757734B1 (en) Method of communication
CN115189920A (en) Cross-network domain communication method and related device
CN112449751A (en) Data transmission method, switch and station

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191011