CN115987660A - VPN device communication method, device and storage medium - Google Patents


Info

Publication number
CN115987660A
Authority
CN
China
Prior art keywords
client
address
request message
virtual
vpn device
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Pending
Application number
CN202211698758.8A
Other languages
Chinese (zh)
Inventor
张中鑫
Current Assignee (as listed by Google Patents; may be inaccurate)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this disclosure describe a VPN device communication method, apparatus and storage medium. The method comprises: receiving an encrypted request message sent by a first client, the request message carrying the first client's first physical IP address and first virtual IP address; decrypting the request message once the first client has been verified; determining, from the decrypted first virtual IP address, a second virtual IP address and the corresponding second client; when the second client belongs to the same group as the first client and is online, encrypting the request message and sending it to the second client; and receiving the encrypted response message that the second client returns in reply to the request message and sending it to the first client. The method improves the security and reliability of communication between mobile office workers in a mobile office scenario and thereby greatly improves office efficiency.

Description

VPN device communication method, apparatus, device and storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a VPN device communication method, apparatus, device, and storage medium.
Background
As internet technology has spread into everyday life, purely local communication no longer meets users' needs, and mobile office work has become a common requirement. A Virtual Private Network (VPN) establishes a private network over a public network; it is an efficient and secure way to implement mobile office access that does not require high construction cost. A VPN service has to handle not only end-to-site (client-to-gateway) communication but also end-to-end (client-to-client) communication. Using VPN gateway equipment to build communication tunnels for mobile office workers greatly improves the protection of sensitive data.
Internet Protocol Security (IPsec) is an open-standard framework in which a cryptographically protected tunnel is established between two communicating parties to secure their communication over an IP network. Through packet encapsulation, IPsec can carry internal-network IP addresses inside routable Internet addresses, enabling interworking between different networks and end-to-end communication. Alternatively, a user may establish an SSL VPN tunnel based on the Secure Sockets Layer (SSL) protocol (in practice, its successor TLS) and realize end-to-end communication through SSL VPN technology.
Related end-to-end communication techniques lack security, and SSL VPN implementations of end-to-end communication do not manage user permissions comprehensively, so the communication security required between mobile office workers in a mobile office scenario is difficult to achieve.
Disclosure of Invention
In view of this, the embodiments of the present disclosure provide a VPN device communication method, apparatus, device and storage medium that extend the usage scenarios of SSL VPN technology, meet the end-to-end communication requirement on top of SSL VPN, combine it with complete user-permission management, and improve the security and reliability of communication between mobile office workers in a mobile office scenario, thereby greatly improving office efficiency.
In a first aspect, an embodiment of the present disclosure provides a VPN device communication method, which adopts the following technical solutions:
receiving an encrypted request message sent by a first client, wherein the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address is the first client's communication address inside an SSL tunnel, and the SSL tunnel carries data communication between the first client and the VPN device;
when the first client is verified to pass according to the first physical IP address, decrypting the request message;
determining a second virtual IP address according to the first virtual IP address obtained by decryption, and determining a second client corresponding to the second virtual IP address;
when the group of the second client and the group of the first client are the same and the second client is in an online state, encrypting the request message and sending the encrypted request message to the second client;
and receiving an encrypted response message returned by the second client in response to the request message, and sending the response message to the first client.
In some embodiments, verifying the first client according to the first physical IP address comprises:
searching whether an SSL tunnel based on an SSL protocol is established between the first client and the VPN equipment or not according to the first physical IP address;
and when an SSL tunnel based on an SSL protocol is established between the first client and the VPN device, confirming that the first client passes the verification.
In some embodiments, the method further comprises:
receiving a connection request of the first client, and recording a first physical IP address of the first client carried in the connection request;
and establishing an SSL tunnel between the first client and the VPN equipment based on an SSL protocol according to the first physical IP address.
In some embodiments, the method further comprises:
allocating to the first client, from a preset address pool, a first virtual IP address that does not conflict with the first physical IP address;
looking up, through a hash table, the group to which the first client belongs and at least one other client in that group;
and sending the first virtual IP address to at least one other client in the group, and sending a second physical IP address of the at least one other client in the group to the first client.
In some embodiments, the method further comprises:
when device-offline information for at least one of the first client or the second client is detected, sending the device-offline information to at least one other client in the group;
and updating the hash table according to the equipment offline information.
In some embodiments, when the second client belongs to the same group as the first client and is online, encrypting the request message and sending it to the second client includes:
when the second client is in an online state, acquiring a connection handle between the VPN device and the second client;
encrypting the request message through an encryption function;
and sending the encrypted request message to the second client through the connection handle.
In a second aspect, an embodiment of the present disclosure further provides a VPN device communication apparatus, which adopts the following technical solution:
a message receiving unit, configured to receive an encrypted request message sent by a first client, where the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address is the first client's communication address inside an SSL tunnel, and the SSL tunnel carries data communication between the first client and the VPN device;
the verification unit is configured to decrypt the request message when the first client passes verification according to the first physical IP address;
a determining unit configured to determine a second virtual IP address according to the decrypted first virtual IP address, and determine a second client corresponding to the second virtual IP address;
the first sending unit is configured to encrypt the request message and send the request message to the second client when the group to which the second client and the first client belong is the same and the second client is in an online state;
and a second sending unit, configured to receive the encrypted response message returned by the second client in response to the request message, and send the response message to the first client.
In some embodiments, the verification unit comprises:
the search module is configured to search whether an SSL tunnel based on an SSL protocol is established between the first client and the VPN device according to the first physical IP address;
a confirmation module configured to confirm that the first client is authenticated when an SSL tunnel based on an SSL protocol is established between the first client and the VPN device.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, which adopts the following technical scheme:
the electronic device includes:
at least one processor; and the number of the first and second groups,
a memory communicatively coupled to the at least one processor; wherein the content of the first and second substances,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform any of the VPN device communication methods described above.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium storing computer instructions for causing a computer to execute any of the above-described VPN device communication methods.
In the VPN device communication method, apparatus, device and storage medium provided by the present disclosure, the VPN device receives an encrypted request message from a first client, verifies the first client according to its first physical IP address, decrypts the request message if verification succeeds, determines a second virtual IP address from the decrypted first virtual IP address together with the second client corresponding to it, and, when the second client belongs to the same group as the first client and is online, encrypts the request message and sends it to the second client; it then receives the encrypted response message returned by the second client in response to the request message and sends it to the first client. This extends the application scenarios of SSL VPN technology, meets the end-to-end communication requirement on top of SSL VPN, combines it with complete user-permission management, improves the security and reliability of communication between mobile office workers in a mobile office scenario, and thereby greatly improves office efficiency.
The foregoing is a summary of the present disclosure, and for the purposes of promoting a clear understanding of the technical means of the present disclosure, the present disclosure may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings needed to be used in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present disclosure, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a VPN device communication method according to an embodiment of the present disclosure;
fig. 2 is a schematic structural diagram of a VPN device communication apparatus according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of another VPN device communication apparatus according to an embodiment of the present disclosure;
fig. 4 is a schematic block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It is to be understood that the embodiments of the present disclosure are described below by specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure herein. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the appended claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the disclosure, one skilled in the art should appreciate that one aspect described herein may be implemented independently of any other aspects and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such an apparatus may be implemented and/or such a method may be practiced using other structure and/or functionality in addition to or other than one or more of the aspects set forth herein.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present disclosure, and the drawings only show the components related to the present disclosure rather than the number, shape and size of the components in actual implementation, and the type, amount and ratio of the components in actual implementation may be changed arbitrarily, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided to facilitate a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
As shown in fig. 1, an embodiment of the present disclosure provides a VPN device communication method, executed on a VPN device side, including the following steps:
S101, the VPN device receives an encrypted request message sent by a first client, wherein the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address is the first client's communication address inside an SSL tunnel, and the SSL tunnel carries data communication between the first client and the VPN device.
S102, when the VPN device passes the verification of the first client according to the first physical IP address, the VPN device decrypts the request message.
Optionally, the VPN device decrypts the request packet through a decryption function, and the user may select the decryption function according to actual requirements, which is not limited in this disclosure.
S103, the VPN device determines a second virtual IP address according to the decrypted first virtual IP address, and determines the second client corresponding to the second virtual IP address.
And S104, when the VPN device determines that the group to which the second client and the first client belong is the same and the second client is in an online state, the VPN device encrypts the request message and sends the request message to the second client.
Optionally, when the VPN device determines that the first client and the second client belong to different groups, or that the second client is offline, the request message is discarded without further processing.
S105, the VPN device receives an encrypted response message returned by the second client in response to the request message, and sends the response message to the first client.
Optionally, after receiving the request message, the second client decrypts the request message through a decryption function, and confirms that the request message is a message sent by the first client according to the decrypted request message, encrypts the response message through an encryption function, and sends the encrypted response message to the VPN device, and the VPN device sends the response message to the first client.
In some embodiments, verifying the first client according to the first physical IP address in step S102 includes:
the VPN device searches whether an SSL tunnel based on an SSL protocol is established between the first client and the VPN device according to the first physical IP address;
when an SSL tunnel based on an SSL protocol is established between the first client and the VPN device, the VPN device confirms that the first client passes the verification.
In the embodiment of the present disclosure, to ensure that data communication between the first client and the second client takes place inside the SSL tunnel, the VPN device checks, on receiving an access request from the first or second client, whether an SSL tunnel has been established between that client and the VPN device, so as to ensure the security of the data communication.
In some embodiments, the VPN device communication further comprises:
the VPN equipment receives a connection request of a first client and records a first physical IP address of the first client carried in the connection request;
and the VPN device establishes an SSL tunnel between the first client and the VPN device based on an SSL protocol according to the first physical IP address.
In the embodiment of the disclosure, after the VPN device detects the connection request of the first client, the SSL tunnel is established based on the SSL protocol through the first physical IP address sent by the first client, so as to ensure that data communication between the VPN device and the first client is completed in the SSL tunnel, and ensure the security of data transmission between the VPN device and the first client.
In some embodiments, the VPN device communication method further comprises:
the VPN device allocates to the first client, from a preset address pool, a first virtual IP address that does not conflict with the first physical IP address;
the VPN device looks up, through a hash table, the group to which the first client belongs and at least one other client in that group;
the VPN device sends the first virtual IP address to at least one other client in the group, and sends a second physical IP address of the at least one other client in the group to the first client.
In the embodiment of the disclosure, when the first client is online, the first client initiates a connection request to the VPN device, and at this time, after the SSL tunnel is successfully established between the VPN device and the first client, the VPN device allocates a first virtual IP address to the first client, and the first client uses the first virtual IP address as an intranet communication address. And the VPN device pushes the first virtual IP address of the first client to other clients in the group and pushes the IP addresses of the other clients in the group to the first client.
Optionally, the VPN device updates the device online information of the first client in the hash table, and updates the first virtual IP address of the first client in the hash table, so as to ensure timeliness of information update of all clients in the group.
In some embodiments, the VPN device communication method further comprises:
when the VPN device detects the device offline information of at least one of the first client side or the second client side, the VPN device sends the device offline information to at least one other client side in the group;
and the VPN equipment updates the hash table according to the equipment offline information.
According to the embodiment of the disclosure, when the user logs off, all users in the group are traversed, and the device offline information of the user who logs off is pushed to other users in the group, so that the information of all users in the group is ensured to be correct.
In some embodiments, when the group to which the second client and the first client belong is the same and the second client is in an online state, the encrypting, by the VPN device, the request packet and sending the request packet to the second client includes:
when the second client is in an online state, acquiring a connection handle between the VPN device and the second client;
the VPN equipment encrypts the request message through an encryption function;
and the VPN equipment sends the encrypted request message to the second client through the connection handle.
Optionally, the user may select an encryption function according to actual requirements to encrypt and encapsulate the request packet, which is not limited in this disclosure.
In some embodiments, assume that the first virtual IP address with which the first client communicates in the intranet is 1.1.1.1 and the second virtual IP address with which the second client communicates in the intranet is 1.1.1.2. The first client sends a request message from 1.1.1.1 to 1.1.1.2 and encrypts and encapsulates it with an encryption function; the source address of the encrypted (outer) packet is the first client's physical IP address 2.2.2.1, and its destination address is the VPN device's gateway address 3.3.3.2 in the SSL tunnel.
The VPN device acquires a first physical IP address 2.2.2.1 of a first client in a request message when receiving the encrypted request message of the first client, and sends the request message to a decryption function for decryption processing when determining that an SSL tunnel is established between the first client and the VPN device.
The VPN device obtains the decrypted request message and the first virtual IP address 1.1.1.1 from it, looks up the group to which 1.1.1.1 belongs in the hash table, obtains the second virtual IP address 1.1.1.2 in that group, and so determines the target of the first client's request message, namely the second client.
The VPN device confirms whether the second client side is on-line or not, and discards the request message and does not process the request message if the second client side is not on-line; and if the second client is online, acquiring a connection handle between the VPN device and the second client.
The VPN device sends the request message to an encryption function for encryption, the source IP address of the encrypted request message is changed into a gateway address 3.3.3.2 of the VPN device, and the destination IP address is changed into a second physical IP address 4.4.4.2 of the second client.
And the VPN equipment sends the encrypted request message to the second client corresponding to the second physical IP address 4.4.4.2 through the connection handle because the VPN equipment obtains the connection handle of the second client.
And the second client receives the request message, decrypts the request message through a decryption function, and sends a response message to the VPN equipment to complete interaction if the request message is confirmed to be the message sent by the first client. The response message also needs to be encrypted by the second client and then sent to the VPN device.
During the interaction between the first client and the second client, all data is encrypted.
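The forwarding path walked through above (steps S101 to S105 and the 1.1.1.1 / 2.2.2.1 / 4.4.4.2 example), as an added illustration; this is example code written for this page, not the patent's or Topsec's implementation. It models the VPN device as a class holding a tunnel table keyed by physical IP (the S102 lookup), a hash table keyed by virtual IP with group membership and online state, a virtual-IP pool that starts at 1.1.1.1 so the text's values come out unchanged, the address push on connect and the offline push on disconnect, and the same-group-and-online gate before re-encrypting toward the second client. Two details are assumptions beyond the patent text: the inner message layout `src_vip|dst_vip|payload`, and the stand-in `seal`/`open_` functions (SHA-256 keystream plus HMAC-SHA256 tag, with a per-tunnel key) that take the place of the TLS record layer of a real SSL VPN, so that a message not protected by the sender's tunnel key is rejected. The example also discards a message whose inner source virtual IP differs from the one assigned to that tunnel, a check the patent does not spell out but one the physical-IP lookup alone does not give you.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in 'encryption function' (assumed, not the patent's): nonce || XOR keystream || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Stand-in 'decryption function'; raises ValueError when the tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Tunnel:
    physical_ip: str
    virtual_ip: str
    group: str
    key: bytes        # per-tunnel session key (assumed; a real SSL VPN derives it from the TLS handshake)
    online: bool = True


class VpnDevice:
    def __init__(self, pool: str = "1.1.1.0/24"):   # pool chosen so the text's 1.1.1.1 / 1.1.1.2 are reproduced
        self._pool = iter(ipaddress.ip_network(pool).hosts())
        self.by_physical: dict[str, Tunnel] = {}      # S102 lookup: physical IP -> established tunnel
        self.by_virtual: dict[str, Tunnel] = {}       # the patent's hash table: virtual IP -> client record
        self.groups: dict[str, set[str]] = {}         # group name -> virtual IPs of its members
        self.pushed: list[tuple[str, str, str]] = []  # (to physical IP, event, address) pushed to clients

    def connect(self, physical_ip: str, group: str, key: bytes) -> str:
        """Connection request: record the physical IP, treat the SSL tunnel as established,
        allocate a non-conflicting virtual IP, and exchange addresses within the group."""
        vip = str(next(self._pool))
        while vip == physical_ip or vip in self.by_virtual:
            vip = str(next(self._pool))
        tunnel = Tunnel(physical_ip, vip, group, key)
        self.by_physical[physical_ip] = tunnel
        self.by_virtual[vip] = tunnel
        for peer_vip in self.groups.get(group, set()):
            peer = self.by_virtual[peer_vip]
            self.pushed.append((peer.physical_ip, "peer-virtual-ip", vip))          # new member's VIP -> peers
            self.pushed.append((physical_ip, "peer-physical-ip", peer.physical_ip))  # peers' physical IP -> new member
        self.groups.setdefault(group, set()).add(vip)
        return vip

    def disconnect(self, physical_ip: str) -> None:
        """Device offline: push the offline event to the rest of the group and update the table."""
        tunnel = self.by_physical[physical_ip]
        tunnel.online = False
        for peer_vip in self.groups[tunnel.group] - {tunnel.virtual_ip}:
            self.pushed.append((self.by_virtual[peer_vip].physical_ip, "peer-offline", tunnel.virtual_ip))

    def forward(self, src_physical_ip: str, blob: bytes):
        """Steps S101-S104 for one message. Returns (destination physical IP, re-sealed message),
        or None when the message is discarded. Inner layout assumed as b'src_vip|dst_vip|payload'."""
        src = self.by_physical.get(src_physical_ip)
        if src is None or not src.online:            # S102: no SSL tunnel for this physical IP -> discard
            return None
        try:
            src_vip, dst_vip, payload = open_(src.key, blob).split(b"|", 2)
            src_vip, dst_vip = src_vip.decode(), dst_vip.decode()
        except ValueError:                           # tag mismatch or malformed inner message -> discard
            return None
        if src_vip != src.virtual_ip:                # added check: inner source must be this tunnel's VIP
            return None
        dst = self.by_virtual.get(dst_vip)                               # S103: hash-table lookup
        if dst is None or dst.group != src.group or not dst.online:      # S104: same group and online
            return None
        return dst.physical_ip, seal(dst.key, f"{src_vip}|{dst_vip}|".encode() + payload)


if __name__ == "__main__":
    dev = VpnDevice()
    k1, k2 = os.urandom(32), os.urandom(32)
    dev.connect("2.2.2.1", "office", k1)             # first client, allocated 1.1.1.1
    dev.connect("4.4.4.2", "office", k2)             # second client, allocated 1.1.1.2
    out = dev.forward("2.2.2.1", seal(k1, b"1.1.1.1|1.1.1.2|hello"))
    print(out[0], open_(k2, out[1]))                 # 4.4.4.2 b'1.1.1.1|1.1.1.2|hello'
```

Run as a script, the two-client exchange from the text is forwarded: the outer destination becomes the second client's physical address 4.4.4.2 and the message is re-sealed under that tunnel's key. A message addressed to a client in another group, one sent from a physical IP with no tunnel, one whose tag does not verify, or one sent after the peer has gone offline returns None, which is the discard behaviour of S104; the response path is the same call with the roles swapped.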
As shown in fig. 2, an embodiment of the present disclosure further provides a VPN device communication apparatus, executed on a VPN device side, including:
a message receiving unit 21, configured to receive an encrypted request message sent by a first client, where the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address is the first client's communication address inside an SSL tunnel, and the SSL tunnel carries data communication between the first client and the VPN device;
the verification unit 22 is configured to decrypt the request message when the VPN device passes verification of the first client according to the first physical IP address;
a determining unit 23, configured to determine, by the VPN device, a second virtual IP address according to the decrypted first virtual IP address, and determine a second client corresponding to the second virtual IP address;
the first sending unit 24 is configured to encrypt and send the request message to the second client by the VPN device when the VPN device confirms that the group to which the second client and the first client belong is the same and that the second client is in an online state;
and a second sending unit 25, configured to receive the encrypted response message returned by the second client in response to the request message, and send the response message to the first client.
As shown in fig. 3, in some embodiments, the verification unit 22 includes:
the search module 231 is configured to search, by the VPN device according to the first physical IP address, whether an SSL tunnel based on the SSL protocol is established between the first client and the VPN device;
a confirmation module 232, configured to confirm that the first client passes verification when an SSL tunnel based on the SSL protocol has been established between the first client and the VPN device.
The embodiment of the disclosure expands the use scene of the SSL VPN technology, meets the end-to-end communication requirement based on the SSL VPN technology, coordinates complete user authority management, improves the communication safety and reliability between mobile office workers in the mobile office scene, and greatly improves the office efficiency.
An electronic device according to an embodiment of the present disclosure includes a memory and a processor. The memory stores non-transitory computer-readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM) and/or cache memory. The non-volatile memory may include, for example, Read Only Memory (ROM), a hard disk, flash memory, etc.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities, and may control other components in the electronic device to perform desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory, so that the electronic device performs all or part of the aforementioned steps of the VPN device communication method according to the embodiments of the present disclosure.
Those skilled in the art will understand that the present embodiment may also include well-known structures such as a communication bus and interfaces, and these well-known structures also fall within the protection scope of the present disclosure.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. There is shown a schematic diagram of a structure suitable for use to implement an electronic device in embodiments of the present disclosure. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, the electronic device may include a processing means (e.g., a central processing unit, a graphic processor, etc.) that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage means into a Random Access Memory (RAM). In the RAM, various programs and data necessary for the operation of the electronic apparatus are also stored. The processing device, the ROM, and the RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
Generally, the following devices may be connected to the I/O interface: input means including, for example, a sensor or a visual information acquisition device; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; and a communication device. The communication means may allow the electronic device to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While fig. 4 illustrates an electronic device having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, the processes described above with reference to the flow diagrams may be implemented as computer software programs, according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means, or installed from a storage means, or installed from a ROM. When executed by the processing device, the computer program performs all or part of the steps of the VPN device communication method according to the embodiment of the present disclosure.
For the detailed description of the present embodiment, reference may be made to the corresponding descriptions in the foregoing embodiments, which are not repeated herein.
A computer-readable storage medium according to an embodiment of the present disclosure has non-transitory computer-readable instructions stored thereon. The non-transitory computer readable instructions, when executed by the processor, perform all or part of the steps of the VPN device communication method of the embodiments of the present disclosure as previously described.
The computer-readable storage media include, but are not limited to: optical storage media (e.g., CD-ROMs and DVDs), magneto-optical storage media (e.g., MOs), magnetic storage media (e.g., magnetic tapes or removable disks), media with built-in rewritable non-volatile memory (e.g., memory cards), and media with built-in ROMs (e.g., ROM cartridges).
For the detailed description of the present embodiment, reference may be made to the corresponding descriptions in the foregoing embodiments, which are not repeated herein.
The foregoing describes the general principles of the present disclosure in conjunction with specific embodiments, however, it is noted that the advantages, effects, etc. mentioned in the present disclosure are merely examples and are not limiting, and they should not be considered essential to the various embodiments of the present disclosure. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the disclosure is not intended to be limited to the specific details so described.
In the present disclosure, relational terms such as first and second may be used solely to distinguish one entity or action from another without necessarily requiring or implying any actual such relationship or order between them, and the block diagrams of devices, apparatuses and systems referred to herein are used merely as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses and systems may be connected, arranged and configured in any manner, as will be appreciated by those skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. The word "or" as used herein means, and is used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The phrase "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to".
Also, as used herein, "or" as used in a list of items beginning with "at least one" indicates a disjunctive list, such that, for example, a list of "at least one of A, B, or C" means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the word "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be decomposed and/or re-combined. These decompositions and/or recombinations are to be considered equivalents of the present disclosure.
Various changes, substitutions and alterations to the techniques described herein may be made without departing from the techniques of the teachings as defined by the appended claims. Moreover, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. Processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit embodiments of the disclosure to the form disclosed herein. While a number of example aspects and embodiments have been discussed above, those of skill in the art will recognize certain variations, modifications, alterations, additions and sub-combinations thereof.

Claims (10)

1. A VPN device communication method, comprising:
receiving an encrypted request message sent by a first client, wherein the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address represents the communication address of the first client within an SSL tunnel, and the SSL tunnel is used for data communication between the first client and the VPN device;
when the first client is verified according to the first physical IP address, decrypting the request message;
determining a second virtual IP address according to the first virtual IP address obtained by decryption, and determining a second client corresponding to the second virtual IP address;
when the group of the second client and the group of the first client are the same and the second client is in an online state, encrypting the request message and sending the encrypted request message to the second client;
and receiving an encrypted response message returned by the second client in response to the request message, and sending the response message to the first client.
2. The VPN device communication method according to claim 1, wherein verifying the first client according to the first physical IP address comprises:
searching whether an SSL tunnel based on an SSL protocol is established between the first client and the VPN equipment or not according to the first physical IP address;
and when an SSL tunnel based on an SSL protocol is established between the first client and the VPN device, confirming that the first client passes the verification.
3. The VPN device communication method according to claim 1, wherein said method further comprises:
receiving a connection request of the first client, and recording a first physical IP address of the first client carried in the connection request;
and establishing an SSL tunnel between the first client and the VPN equipment based on an SSL protocol according to the first physical IP address.
4. The VPN device communication method according to claim 3, wherein said method further comprises:
allocating to the first client, from a preset address pool, a first virtual IP address that does not conflict with the first physical IP address;
searching a group to which the first client belongs and at least one other client in the group through a hash table;
and sending the first virtual IP address to at least one other client in the group, and sending a second physical IP address of the at least one other client in the group to the first client.
5. The VPN device communication method of claim 4, further comprising:
when device-offline information for at least one of the first client or the second client is detected, sending the device-offline information to at least one other client in the group;
and updating the hash table according to the device-offline information.
6. The VPN device communication method according to claim 1, wherein when the group to which the second client and the first client belong is the same and the second client is in an online state, encrypting the request packet and sending the request packet to the second client includes:
when the second client is in an online state, acquiring a connection handle between the VPN device and the second client;
encrypting the request message through an encryption function;
and sending the encrypted request message to the second client through the connection handle.
7. A VPN device communication apparatus, comprising:
a message receiving unit, configured to receive an encrypted request message sent by a first client, where the request message carries a first physical IP address and a first virtual IP address of the first client, the first virtual IP address represents the communication address of the first client within an SSL tunnel, and the SSL tunnel is used for data communication between the first client and a VPN device;
the verification unit is configured to decrypt the request message when the first client passes verification according to the first physical IP address;
a determining unit configured to determine a second virtual IP address according to the decrypted first virtual IP address, and determine a second client corresponding to the second virtual IP address;
the first sending unit is configured to encrypt the request message and send the request message to the second client when the group to which the second client and the first client belong is the same and the second client is in an online state;
and a second sending unit, configured to receive an encrypted response message returned by the second client in response to the request message, and send the response message to the first client.
8. The VPN device communication apparatus according to claim 7, wherein the verification unit comprises:
the search module is configured to search whether an SSL tunnel based on an SSL protocol is established between the first client and the VPN device according to the first physical IP address;
a confirmation module configured to confirm that the first client is authenticated when an SSL tunnel based on an SSL protocol is established between the first client and the VPN device.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the VPN device communication method of any one of claims 1 to 6.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the VPN device communication method according to any one of claims 1 to 6.
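The claims above describe one procedure: tunnel setup and virtual-address allocation (claims 3 and 4), propagation of device-offline information (claim 5), and the relay itself (claims 1, 2 and 6). The Python model below is an added example written for this page; it is not code from the patent or from Topsec, and the claims do not specify its details. Assumed here and not in the patent: the names `TunnelCipher`, `Client`, `VpnDevice` and `demo`; that the decrypted request carries its destination in the layout `<src_vip>|<dst_vip>|<payload>` (the claims only say the second virtual IP is determined from the decrypted message); that group membership and the per-tunnel key are handed in at connect time (the SSL handshake would supply them in the real system); and that the SSL tunnel's encryption is replaced by a toy authenticated cipher so the block runs offline. The model also adds one check the claims leave implicit: the source virtual IP carried inside the message is compared with the one bound to the tunnel it arrived on. A client counts as online while its record is in the table, and claim 5's offline handling removes the record.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field


@dataclass
class TunnelCipher:
    """Toy authenticated cipher standing in for the SSL tunnel's record protection; NOT for production."""
    key: bytes

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(12)
        ct = bytes(p ^ k for p, k in zip(plaintext, hashlib.shake_256(b"enc" + self.key + nonce).digest(len(plaintext))))
        return nonce + ct + hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
        if not hmac.compare_digest(tag, hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]):
            raise ValueError("authentication tag mismatch")
        return bytes(c ^ k for c, k in zip(ct, hashlib.shake_256(b"enc" + self.key + nonce).digest(len(ct))))


@dataclass
class Client:
    physical_ip: str
    group: str
    tunnel: TunnelCipher                        # the established SSL tunnel of claim 3
    virtual_ip: str = ""
    inbox: list = field(default_factory=list)   # stands in for the connection handle of claim 6


class VpnDevice:
    def __init__(self, pool: str):
        self.pool = ipaddress.ip_network(pool)        # the preset address pool of claim 4
        self.by_physical: dict[str, Client] = {}      # hash table keyed by physical IP (claims 2 to 4)
        self.by_virtual: dict[str, Client] = {}
        self.notices: list[tuple[str, str]] = []      # (recipient physical IP, control message)

    def _peers(self, c: Client) -> list[Client]:
        return [p for p in self.by_physical.values() if p.group == c.group and p is not c]

    def _allocate_virtual_ip(self, physical_ip: str) -> str:
        # claim 4: first free pool address that does not collide with the caller's physical IP
        for host in self.pool.hosts():
            if str(host) != physical_ip and str(host) not in self.by_virtual:
                return str(host)
        raise RuntimeError("virtual address pool exhausted")

    def connect(self, physical_ip: str, group: str, tunnel_key: bytes) -> str:
        """Claims 3 and 4: record physical IP, bring up the tunnel, assign a virtual IP, tell the group."""
        c = Client(physical_ip, group, tunnel=TunnelCipher(tunnel_key))
        c.virtual_ip = self._allocate_virtual_ip(physical_ip)
        self.by_physical[physical_ip], self.by_virtual[c.virtual_ip] = c, c
        for peer in self._peers(c):
            self.notices.append((peer.physical_ip, f"online {c.virtual_ip}"))
            self.notices.append((physical_ip, f"peer {peer.physical_ip}"))
        return c.virtual_ip

    def disconnect(self, physical_ip: str) -> None:
        """Claim 5: push device-offline information to the group and update the table."""
        c = self.by_physical.pop(physical_ip)
        del self.by_virtual[c.virtual_ip]
        for peer in self._peers(c):
            self.notices.append((peer.physical_ip, f"offline {c.virtual_ip}"))

    def relay(self, physical_ip: str, blob: bytes) -> str:
        """Claims 1, 2 and 6: verify by physical IP, decrypt, resolve the peer, re-encrypt, forward."""
        src = self.by_physical.get(physical_ip)
        if src is None:                                 # claim 2: no tunnel recorded for this physical IP
            return "drop: no tunnel for sender"
        try:                                            # assumed request layout: src_vip|dst_vip|payload
            plain = src.tunnel.decrypt(blob)
            src_vip, dst_vip, _payload = plain.decode().split("|", 2)
        except ValueError:                              # bad tag, bad UTF-8 or wrong field count
            return "drop: undecryptable or malformed request"
        # Implicit in the claims: a client can write any virtual IP into the message, so bind it to the tunnel
        if src_vip != src.virtual_ip:
            return "drop: source virtual IP does not match tunnel"
        dst = self.by_virtual.get(dst_vip)              # absent means unknown or offline (claim 5 removed it)
        if dst is None or dst.group != src.group:
            return "drop: peer unknown, in another group, or offline"
        dst.inbox.append(dst.tunnel.encrypt(plain))     # claim 6: re-encrypt for dst, send via its handle
        return "forwarded"


def demo() -> dict:
    # Constructed exchange: A and B share a group, C does not; B later goes offline.
    dev, keys = VpnDevice("10.8.0.0/24"), [os.urandom(32) for _ in range(3)]
    vip_a = dev.connect("203.0.113.10", "sales", keys[0])   # gets 10.8.0.1
    vip_b = dev.connect("203.0.113.20", "sales", keys[1])   # gets 10.8.0.2
    vip_c = dev.connect("203.0.113.30", "eng", keys[2])     # gets 10.8.0.3
    ca, cb = TunnelCipher(keys[0]), TunnelCipher(keys[1])   # the clients' ends of their tunnels
    out = {"a_to_b": dev.relay("203.0.113.10", ca.encrypt(f"{vip_a}|{vip_b}|hello".encode()))}
    out["b_sees"] = cb.decrypt(dev.by_virtual[vip_b].inbox[-1]).decode()
    out["b_reply"] = dev.relay("203.0.113.20", cb.encrypt(f"{vip_b}|{vip_a}|ack".encode()))
    out["a_to_c"] = dev.relay("203.0.113.10", ca.encrypt(f"{vip_a}|{vip_c}|hi".encode()))
    out["spoofed_vip"] = dev.relay("203.0.113.10", ca.encrypt(f"{vip_b}|{vip_c}|hi".encode()))
    dev.disconnect("203.0.113.20")
    out["after_offline"] = dev.relay("203.0.113.10", ca.encrypt(f"{vip_a}|{vip_b}|hello".encode()))
    out["offline_notice"] = ("203.0.113.10", f"offline {vip_b}") in dev.notices
    return out
```

`demo()` returns the outcome of each step: A's request reaches B re-encrypted under B's tunnel key, B's response comes back to A, A's request to C (another group) is refused, a request whose in-message source virtual IP is not the one bound to A's tunnel is refused, and after B disconnects the relay to B fails while A has received the offline notice. The point to carry into a real implementation is that the lookup in claim 2 is keyed by physical IP: several clients behind one NAT share a physical address and an address field is trivially forged, so the record should be bound to the TLS session the ciphertext arrived on rather than to the address alone.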
Priority Applications (1)

Application Number: CN202211698758.8A
Priority Date: 2022-12-28
Filing Date: 2022-12-28
Title: VPN device communication method, device and storage medium
Status: Pending

Publications (1)

Publication Number: CN115987660A
Publication Date: 2023-04-18

Family

ID=85969651
Family Applications (1): CN202211698758.8A (Pending)

Country Status (1)

CN (1): CN115987660A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117395084A * 2023-12-11 2024-01-12 China United Network Communications Group Co., Ltd. (中国联合网络通信集团有限公司) Cloud storage resource access method, device, equipment and storage medium
CN117395084B * 2023-12-11 2024-04-09 China United Network Communications Group Co., Ltd. (中国联合网络通信集团有限公司) Cloud storage resource access method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination