CN116405346A - VPN channel establishment method, device, equipment and medium - Google Patents


Info

Publication number: CN116405346A
Authority: CN (China)
Prior art keywords: client, vpn, port, local port, address
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202310481417.3A
Other languages: Chinese (zh)
Inventors: 郭立春, 张颖, 万瑞
Current assignee: Kingdee Software China Co Ltd (as listed by Google Patents; the listing may be inaccurate)
Original assignee: Kingdee Software China Co Ltd
Application filed by Kingdee Software China Co Ltd
Priority to CN202310481417.3A
Publication of CN116405346A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention discloses a VPN channel establishment method, device, equipment and medium. The method is suitable for the VPN server and comprises the following steps: responding to a VPN channel establishment request initiated by a client, carrying out identity verification on the client, and adding an IP address of the client into a white list when the client passes the identity verification so as to acquire a local port of the client; and according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, carrying out uniqueness detection on the local port of the client, and establishing a VPN channel when the local port of the client passes the uniqueness detection. The invention can optimize and establish the VPN channel and improve the stability and the safety of the VPN channel.

Description

VPN channel establishment method, device, equipment and medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a medium for establishing a VPN channel.
Background
A VPN (Virtual Private Network) establishes a private network on top of a public network and carries encrypted communication; it is widely used in enterprise networks. In the existing tools for establishing a VPN channel, whether open-source or custom, the encrypted and decrypted data streams are exchanged through the IPsec protocol suite, and this encryption mode is easy to crack, so the VPN channel carries security risks.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a VPN channel establishment method, device, equipment and medium, which can optimize the establishment of a VPN channel and improve the stability and safety of the VPN channel.
In order to solve the above technical problem, in a first aspect, an embodiment of the present invention provides a VPN tunnel establishment method, which is applicable to a VPN server, and the method includes:
responding to a VPN channel establishment request initiated by a client, carrying out identity verification on the client, and adding an IP address of the client into a white list when the client passes the identity verification so as to acquire a local port of the client;
and according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, carrying out uniqueness detection on the local port of the client, and establishing a VPN channel when the local port of the client passes the uniqueness detection.
Further, after the establishing the VPN channel when the local port of the client passes the uniqueness detection, the method further includes:
when the VPN connection with the client is disconnected and the running information of the client does not accord with the predefined firewall rule, the IP address of the client is moved out of the white list;
and when the latest IP address of the client is inconsistent with the IP address of the client in the white list, the IP address of the client is moved out of the white list.
Further, the authentication of the client is specifically:
the encrypted basic information of the client is acquired over the UDP protocol and decrypted to obtain the basic information of the client; the encrypted basic information of the client is produced by encrypting the basic information of the client with a preset symmetric encryption algorithm;
and checking the basic information of the client, if the basic information is checked successfully, judging that the client passes the identity authentication, otherwise, judging that the client fails the identity authentication.
Further, the step of responding to the VPN channel establishment request initiated by the client, performing identity verification on the client, and adding the IP address of the client to a white list to obtain a local port of the client when the client passes the identity verification further includes:
and adding the IP address of the client into a blacklist when the client fails to pass the authentication.
Further, the detecting the uniqueness of the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server specifically includes:
determining a first mapping port corresponding to a local port of the client according to the configuration file of the client, and determining a second mapping port corresponding to the local port of the client according to the configuration file of the cloud WAF;
judging whether the first mapping port is consistent with the second mapping port, if so, judging that the local port of the client passes the uniqueness detection, otherwise, judging that the local port of the client does not pass the uniqueness detection.
Further, when the local port of the client passes the uniqueness detection, a VPN channel is established, specifically:
and establishing an open port, connecting a local port of the client, the open port and a cloud server port distributed to the client by the VPN server, and establishing the VPN channel.
Further, after the uniqueness detection is performed on the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server, the method further includes:
and when the local port of the client fails to pass the uniqueness detection, sending a port repeatability alarm to the client so as to reject the VPN channel establishment request.
Further, after the establishing the VPN tunnel, the method further includes:
and interfacing the target instant messaging software through a target API interface, detecting the running state of the VPN channel at regular time, and uploading the obtained running state detection result to the target instant messaging software.
Further, when the VPN connection with the client is disconnected and the running information of the client does not conform to a predefined firewall rule, the IP address of the client is moved out of the white list, specifically:
and after the VPN connection with the client is disconnected, the operation information of the client is obtained at regular time, whether the operation information of the client accords with the firewall rule is judged, and if the operation information of the client does not accord with the firewall rule, the IP address of the client is moved out of the white list.
In a second aspect, an embodiment of the present invention provides a VPN tunnel establishment apparatus for performing the VPN tunnel establishment method, the apparatus including:
the client identity verification module is used for responding to a VPN channel establishment request initiated by a client, carrying out identity verification on the client, and adding an IP address of the client into a white list when the client passes the identity verification so as to acquire a local port of the client;
and the VPN channel establishing module is used for carrying out uniqueness detection on the local port of the client according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, and establishing a VPN channel when the local port of the client passes the uniqueness detection.
In a third aspect, an embodiment of the present invention provides a VPN tunnel establishment apparatus, including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the memory being coupled to the processor, and the processor implementing the VPN tunnel establishment method as described above when executing the computer program.
In a fourth aspect, an embodiment of the present invention provides a computer readable storage medium, where the computer readable storage medium includes a stored computer program, where the computer program when executed controls a device in which the computer readable storage medium is located to perform a VPN tunnel establishment method as described above.
In a fifth aspect, an embodiment of the present invention provides a computer program product, which when run on a computer causes the computer to perform the VPN tunnel establishment method as described above.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the method comprises the steps that an authentication is carried out on a client in response to a VPN channel establishment request initiated by the client, and when the client passes the authentication, an IP address of the client is added into a white list to obtain a local port of the client; according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, the uniqueness of the local port of the client is detected, and when the local port of the client passes the uniqueness detection, a VPN channel is established, so that the VPN channel can be optimally established, and the stability and the safety of the VPN channel are improved.
Drawings
Fig. 1 is a flow chart of a VPN tunnel establishment method according to a first embodiment of the present invention;
fig. 2 is a data flow diagram of a VPN tunnel establishment method as an example in the first embodiment of the present invention;
fig. 3 is a schematic diagram of port mapping between a VPN server and a client according to an example of the first embodiment of the present invention;
fig. 4 is a schematic structural diagram of a VPN tunnel establishment device according to a second embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, the step numbers herein are only for convenience of explanation of the specific embodiments, and are not used as limiting the order of execution of the steps. The method provided in this embodiment may be executed by a related terminal device, and the following description will take the VPN server as an execution body.
As shown in fig. 1, a first embodiment provides a VPN tunnel establishment method, which is applicable to a VPN server, and includes steps S1 to S2:
s1, responding to a VPN channel establishment request initiated by a client, carrying out identity verification on the client, and adding an IP address of the client into a white list when the client passes the identity verification so as to acquire a local port of the client;
s2, according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, carrying out uniqueness detection on the local port of the client, and establishing a VPN channel when the local port of the client passes the uniqueness detection.
As an example, in step S1, after the client is started, the client may initiate a VPN tunnel establishment request to the VPN server, and specifically, the client may use a UDP protocol to send custom content, such as a certificate part content, a certificate name, and an IP address, to the VPN server to request to establish a VPN tunnel.
It will be appreciated that UDP (User Datagram Protocol) is a connectionless transport-layer protocol in the OSI reference model that provides a simple, transaction-oriented, unreliable message transfer service. OSI (Open Systems Interconnection) refers to the seven-layer reference model for interconnecting communication systems.
The VPN server receives a VPN channel establishment request initiated by the client, responds to the VPN channel establishment request initiated by the client, performs identity verification on the client, considers the client as a legal client when the client passes the identity verification, adds the IP address of the client into a white list of a TCP protocol to establish TCP connection, so that the client can push a local port of the client to the VPN server by adopting an SSH Tunnel technology, and the VPN channel can be conveniently established subsequently.
It will be appreciated that TCP (Transmission Control Protocol) is a connection-oriented, reliable, byte-stream-based transport-layer protocol defined by the Internet Engineering Task Force (IETF) and intended to fit into a layered protocol hierarchy supporting multiple network applications.
SSH (Secure Shell) is a comparatively reliable protocol operating at the application layer of the OSI reference model, designed to provide security for remote login (telnet-style) sessions and other network services.
In step S2, after the VPN server obtains the local port of the client, according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server, the VPN server performs uniqueness detection on the local port of the client, and when the local port of the client passes the uniqueness detection, it is considered that the local port of the client has no problem of repeatability, and the local port of the client and the unique cloud server port allocated to the client by the VPN server may be mapped to establish a VPN channel.
The cloud server is a server for providing service data. The cloud server may map its ports to the VPN server such that the VPN server may assign the cloud server ports to the corresponding clients.
According to the invention, the VPN channel of the client-VPN server-cloud server is established only when the client passes identity verification and the local port of the client passes uniqueness verification, so that the VPN channel can be optimally established, and the safety of the VPN channel is improved.
In a preferred embodiment, after the VPN tunnel is established when the local port of the client passes the uniqueness detection, the method further comprises: when the VPN connection with the client is disconnected and the running information of the client does not accord with the predefined firewall rule, the IP address of the client is moved out of the white list; and when the latest IP address of the client is inconsistent with the IP address of the client in the white list, the IP address of the client is moved out of the white list.
As an example, the client may disconnect its VPN connection with the VPN server according to its application requirement, and when the VPN server monitors that its VPN connection with the client is disconnected, obtain the operation information of the client, determine whether the operation information of the client meets a predefined firewall rule, if the operation information of the client does not meet the firewall rule, consider that the client has a security problem, shift the IP address of the client out of the whitelist, and refuse to establish a VPN channel for the client.
During the VPN connection between the client and the VPN server, the VPN server monitors the IP address of the client periodically or in real time and acquires the latest IP address of the client; when the latest IP address of the client is inconsistent with the IP address of the client in the white list, it moves the IP address of the client out of the white list so as to disconnect the VPN connection between the client and the VPN server.
In practical application, the latest IP addresses of all the current online clients and the IP addresses of all the clients in the white list can be directly matched at regular time or in real time, if the IP addresses of all the clients in the white list are uniformly matched with the latest IP addresses of all the current online clients, the operation of cleaning the white list is not required to be executed, and if the IP address of a certain client in the white list is not matched with the latest IP addresses of all the current online clients, the IP address of the client is moved out of the white list.
According to the embodiment, when the VPN connection between the client and the VPN server is disconnected and the running information of the client does not accord with the predefined firewall rule, the IP address of the client is moved out of the white list, and when the IP address of the client is changed to the latest IP address, the IP address of the client is moved out of the white list, so that a VPN channel can be effectively prevented from being established with an abnormal client, and the stability and the safety of the VPN channel are further improved.
In a preferred embodiment, the authentication of the client is specifically: the method comprises the steps of adopting UDP protocol to obtain the encryption basic information of a client, decrypting the encryption basic information of the client, and obtaining the basic information of the client; the encryption basic information of the client is obtained by encrypting the basic information of the client by adopting a preset symmetric encryption algorithm; and checking the basic information of the client, if the basic information is checked successfully, judging that the client passes the identity authentication, otherwise, judging that the client fails the identity authentication.
As an example, the client uses UDP protocol to initiate a VPN channel establishment request to the VPN server, and at the same time, uses a preset symmetric encryption algorithm to encrypt the basic information of the client, so as to obtain the encrypted basic information of the client, and sends the encrypted basic information of the client to the VPN server. Specifically, the basic information of the client includes a port, a domain name, a part of certificate content, a certificate name, and an IP address. The preset symmetric encryption algorithm comprises an MD5 algorithm and an SSH-KEYGEN algorithm.
It will be appreciated that MD5 (MD5 Message-Digest Algorithm) is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value and is used to check that transferred information is complete and consistent. In this embodiment the certificate is verified using the MD5 algorithm and encrypted using the SSH-KEYGEN algorithm.
The UDP protocol provides a way to send encapsulated packets without establishing a connection; compared with a TCP connection there is no "handshake" or "wave" process, so it places lower demands on network quality. The VPN server uses these characteristics to obtain the encrypted basic information of the client over UDP, decrypts it to obtain the basic information of the client, and verifies that basic information. The verification specifically comprises port consistency verification and verification of the decrypted certificate; if verification succeeds, the client is judged to pass identity verification, otherwise the client is judged not to pass identity verification.
According to the embodiment, the client encrypts the basic information of the client by adopting the preset symmetric encryption algorithm, and the VPN server verifies the identity of the client according to the basic information of the client, so that the safe data transmission can be effectively ensured, the establishment of the VPN channel only for the legal client can be effectively ensured, and the stability and the safety of the VPN channel can be further improved.
In a preferred embodiment, the responding to the VPN tunnel establishment request initiated by the client performs authentication on the client, and adds the IP address of the client to a white list to obtain the local port of the client when the client passes the authentication, and further includes: and when the client fails the identity verification, adding the IP address of the client into a blacklist.
Illustratively, when the client fails the authentication, the client is considered as an illegitimate client, and the IP address of the client is blacklisted to refuse to establish a VPN tunnel for the client.
In a preferred embodiment, the detecting of uniqueness of the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server specifically includes: according to the configuration file of the client, a first mapping port corresponding to the local port of the client is determined, and according to the configuration file of the cloud WAF, a second mapping port corresponding to the local port of the client is determined; judging whether the first mapping port is consistent with the second mapping port, if so, judging that the local port of the client passes the uniqueness detection, otherwise, judging that the local port of the client does not pass the uniqueness detection.
As an example, the VPN server obtains a configuration file of the client and a configuration file of the cloud WAF, where the configuration file of the client records a cloud server port allocated to the client by the server, and the configuration file of the cloud WAF records a self port mapped to the VPN server by the cloud server, and a cloud server port allocated to the client by the VPN server.
According to the configuration file of the client, the cloud server port allocated to the client by the server is looked up and taken as the first mapping port corresponding to the local port of the client; according to the configuration file of the cloud WAF, the cloud server port allocated to the client by the VPN server is looked up and taken as the second mapping port corresponding to the local port of the client. Whether the first mapping port is consistent with the second mapping port is then judged: if so, the local port of the client is judged to pass the uniqueness detection and is mapped to the unique cloud server port allocated to the client by the VPN server; otherwise, the local port of the client is judged not to pass the uniqueness detection and is not mapped to that cloud server port.
It is appreciated that a WAF (Web Application Firewall, a web-application-level intrusion prevention system) is a product that protects Web applications specifically by enforcing a series of security policies on HTTP/HTTPS traffic.
In order to effectively ensure the data transmission safety, the client may encrypt the configuration file of the client by using a preset symmetric encryption algorithm and then send the configuration file to the VPN server, and the cloud WAF may encrypt the configuration file of the cloud WAF by using the preset symmetric encryption algorithm and then send the configuration file to the VPN server.
According to the embodiment, the local port of the client and the unique cloud server port allocated to the client by the VPN server are mapped when the local port of the client passes the uniqueness verification, so that a VPN channel of 'the client-the VPN server-the cloud server' is established, the uniqueness of a VPN link can be effectively ensured, and the stability and the safety of the VPN channel are further improved.
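The uniqueness detection described above (first mapping port from the client's configuration file, second mapping port from the cloud WAF's configuration file, pass only when they agree) can be implemented as a small check on the VPN server. The following is an added example and not the patent holder's code: the key=value configuration format, the field names, the client identifiers and the port numbers are all constructed assumptions, and the final loop that also refuses a cloud server port claimed by more than one client goes slightly beyond the text, which only compares the two mapping ports.

```python
"""Port uniqueness detection for a VPN server, modelled on the comparison of a
'first mapping port' (client config) with a 'second mapping port' (cloud WAF
config). Added illustration; formats, names and values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: one configuration file per client, each recording the
# local port and the cloud server port the server allocated to that client.
CLIENT_CONFIGS: Dict[str, str] = {
    "client-a": "local_port=8443\ncloud_port=30001\n",
    "client-b": "local_port=8444\ncloud_port=30002\n",
    "client-c": "local_port=8445\ncloud_port=30002\n",   # same cloud port as client-b
}

# Constructed sample: cloud WAF configuration, recording the cloud server's own
# port mapped to the VPN server and the cloud port allocated to each client.
CLOUD_WAF_CONFIG = """\
# constructed sample
waf_mapped_port=443
client-a.cloud_port=30001
client-b.cloud_port=30002
client-c.cloud_port=30003
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse simple key=value lines; blank lines and '#' comments are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def first_mapping_port(client_cfg: str) -> Optional[int]:
    """Cloud server port the client's own configuration file records for it."""
    value = parse_kv(client_cfg).get("cloud_port")
    return int(value) if value and value.isdigit() else None


def second_mapping_port(waf_cfg: str, client_id: str) -> Optional[int]:
    """Cloud server port the cloud WAF configuration records for this client."""
    value = parse_kv(waf_cfg).get(f"{client_id}.cloud_port")
    return int(value) if value and value.isdigit() else None


@dataclass(frozen=True)
class UniquenessResult:
    passed: bool
    reason: str


def uniqueness_check(client_id: str, client_cfg: str, waf_cfg: str,
                     all_client_cfgs: Dict[str, str]) -> UniquenessResult:
    """Pass only when both configuration files agree on the client's cloud port."""
    first = first_mapping_port(client_cfg)
    second = second_mapping_port(waf_cfg, client_id)
    if first is None or second is None:
        return UniquenessResult(False, "mapping port missing from a configuration file")
    if first != second:
        return UniquenessResult(
            False, f"mapping mismatch: client config says {first}, WAF config says {second}")
    # Extension beyond the text: a cloud port claimed by a second client cannot
    # give a unique client-VPN server-cloud server link either, so refuse it.
    for other_id, other_cfg in all_client_cfgs.items():
        if other_id != client_id and first_mapping_port(other_cfg) == first:
            return UniquenessResult(False, f"cloud port {first} also claimed by {other_id}")
    return UniquenessResult(True, f"local port maps uniquely to cloud port {first}")


if __name__ == "__main__":
    for cid, cfg in CLIENT_CONFIGS.items():
        result = uniqueness_check(cid, cfg, CLOUD_WAF_CONFIG, CLIENT_CONFIGS)
        print(cid, "PASS" if result.passed else "REJECT (port repeatability alarm)", result.reason)
```

With the constructed data, client-a passes, client-c fails because the two configuration files disagree (30002 versus 30003), and client-b fails only under the extension, because client-c's file claims the same cloud port 30002. A server that rejects on either condition sends the port repeatability alarm the description mentions instead of mapping the port.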
In a preferred embodiment, when the local port of the client passes the uniqueness detection, a VPN channel is established, specifically: and establishing an open port, connecting a local port of the client, the open port and a cloud server port distributed to the client by the VPN server, and establishing a VPN channel.
As an example, when the local port of the client passes the uniqueness detection, the VPN server establishes an open port, opens it to the corresponding unique cloud server through the cloud WAF, connects the local port of the client, the open port of the VPN server and the cloud server port allocated to the client by the VPN server, and thereby establishes a VPN channel of "client local port - VPN server open port - cloud server port".
In a preferred embodiment, after the detecting the uniqueness of the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server, the method further includes: and when the local port of the client fails to pass the uniqueness detection, sending a port repeatability alarm to the client so as to reject the VPN channel establishment request.
As an example, when the local port of the client fails the uniqueness detection, it is considered that there is a problem of repeatability in the local port of the client, and the local port of the client cannot be mapped with the unique cloud server port allocated to the client by the VPN server, so that a port repeatability alarm needs to be sent to the client to refuse to establish a VPN channel for the client.
In a preferred embodiment, after the establishing of the VPN tunnel, the method further comprises: and interfacing the target instant messaging software through the target API interface, detecting the running state of the VPN channel at fixed time, and uploading the obtained running state detection result to the target instant messaging software.
It should be noted that the target instant messaging software is any one selected in advance from the supported instant messaging software, which includes WeChat, DingTalk (rendered on the page as "nail") and Yunzhijia ("cloud home"). The target API interface is the API interface corresponding to the target instant messaging software.
As an example, the VPN server detects the running state of the VPN channel at regular time, including determining whether the VPN link is accessible, determining the health state of the VPN channel, obtaining a running state detection result, and uploading the running state detection result to the target instant messaging software through the target API interface.
According to the embodiment, the VPN server interfaces with the target instant messaging software through the target API interface and uploads the running state detection result obtained by periodically detecting the running state of the VPN channel, so that the running state of the VPN channel can be actively broadcast to the target instant messaging software and the usability of the VPN channel is improved.
In a preferred embodiment, removing the IP address of the client from the white list when the VPN connection with the client is disconnected and the running information of the client does not conform to the predefined firewall rule specifically comprises: after the VPN connection with the client is disconnected, acquiring the running information of the client at fixed intervals, judging whether it conforms to the firewall rule, and if it does not, removing the IP address of the client from the white list.
As an example, after the client actively disconnects its VPN connection with the VPN server, the VPN server periodically obtains the running information of the client and judges whether it conforms to the firewall rule. If it does not, the IP address of the client is removed from the white list; otherwise nothing is done and the server waits for the next check.
For example, the predefined firewall rule includes that the number of VPN channel establishment requests initiated by the client within a preset time does not reach a preset threshold. When that number reaches the threshold, the client is classed as a high-frequency connection, its running information is judged not to conform to the firewall rule, and its IP address is removed from the white list even though it is on it. In practice, after the IP address of the client is removed from the white list it may be added to a black list, and it may not be added to the white list again until the blacklisting duration reaches a preset duration.
Assume the predefined firewall rule is: more than 10 VPN channel establishment requests within 1 minute are treated as a high-frequency connection, and the client's IP address is blacklisted for 1 hour even if it is on the white list. Every minute the VPN server obtains the total number of VPN channel establishment requests the client initiated in the past minute; if the total exceeds the preset threshold of 10, the client is considered to have a security problem, its IP address is removed from the white list, and it may only be added back to the white list after 1 hour has elapsed.
Existing firewall rules are typically: as long as the client's IP address is on the white list, the VPN tunnel is allowed to be established regardless of whether running information such as connection frequency and connection count is abnormal. The predefined firewall rule instead discovers clients with security problems in time.
According to this embodiment, when the VPN connection between the client and the VPN server is disconnected and the running information of the client does not conform to the predefined firewall rule, the IP address of the client is removed from the white list, so that establishing a VPN channel with an abnormal client is effectively avoided and the stability and security of the VPN channel are further improved.
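The white list, black list and high-frequency rule of this embodiment as an added worked example; it is not code from the patent or from Kingdee's product. The gate keeps the white list and a timed black list, counts VPN channel establishment requests per IP address in a sliding window, and on the periodic post-disconnect check removes and blacklists any whitelisted IP that exceeded the threshold. The thresholds follow the text (more than 10 requests in 1 minute, 1 hour of blacklisting); the class and method names, the per-IP sliding window, the sample address and the fake clock passed as `now` are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AccessGate:
    """White list / black list gate for VPN channel establishment requests.

    Added example, not the patent's code. Thresholds mirror the worked rule
    in the text; time is passed in explicitly so the logic is testable.
    """
    max_requests: int = 10        # more than this many requests per window ...
    window: float = 60.0          # ... within this many seconds is "high frequency"
    ban_duration: float = 3600.0  # seconds an offending IP stays blacklisted
    whitelist: set = field(default_factory=set)
    blacklist: dict = field(default_factory=dict)   # ip -> ban expiry time
    history: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, ip, now):
        """Drop request timestamps that fell out of the sliding window."""
        q = self.history[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def record_request(self, ip, now):
        """Count one VPN channel establishment request from ip."""
        self._prune(ip, now)
        self.history[ip].append(now)

    def is_high_frequency(self, ip, now):
        self._prune(ip, now)
        return len(self.history[ip]) > self.max_requests

    def is_banned(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.blacklist[ip]   # ban served; IP may be whitelisted again later
        return False

    def on_auth_result(self, ip, passed, now):
        """Whitelist on successful authentication, blacklist on failure.

        An IP whose ban has not expired is not whitelisted even if it now
        authenticates, so the blacklisting duration actually holds.
        """
        if not passed:
            self.blacklist[ip] = now + self.ban_duration
        elif not self.is_banned(ip, now):
            self.whitelist.add(ip)

    def check_after_disconnect(self, ip, now):
        """Periodic check run once the client's VPN connection is closed."""
        if ip in self.whitelist and self.is_high_frequency(ip, now):
            self.whitelist.discard(ip)
            self.blacklist[ip] = now + self.ban_duration
            return "blacklisted"
        return "ok"

    def allowed(self, ip, now):
        """May this IP proceed to port checks and tunnel setup?"""
        return not self.is_banned(ip, now) and ip in self.whitelist


def simulate():
    """Constructed scenario: one client exceeds the threshold after authenticating."""
    gate = AccessGate()
    ip = "203.0.113.7"            # constructed sample address (TEST-NET-3)
    t0 = 1_000.0                  # fake clock, seconds
    gate.on_auth_result(ip, True, t0)
    for i in range(11):           # 11 requests inside one minute: one over the limit
        gate.record_request(ip, t0 + i)
    verdict = gate.check_after_disconnect(ip, t0 + 30)
    during_ban = gate.allowed(ip, t0 + 60)
    after_ban = gate.allowed(ip, t0 + 30 + 3600)     # ban over, but no longer whitelisted
    gate.on_auth_result(ip, True, t0 + 30 + 3601)    # must authenticate again
    after_reauth = gate.allowed(ip, t0 + 30 + 3602)
    return verdict, during_ban, after_ban, after_reauth


if __name__ == "__main__":
    print(simulate())
```

Note that expiry of the ban does not put the address back on the white list by itself: the client has to authenticate again, which is the point at which the text allows the address to be whitelisted once the blacklisting duration has elapsed. Because the rule is keyed on the source IP address, several clients behind one NAT address share a single counter.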
As an example, to explain the VPN tunnel establishment method of the first embodiment more clearly, the method is applied to establishing a bank-enterprise VPN tunnel between a client and a cloud server. The data flow of the method is shown in fig. 2, and the port mapping between the client and the cloud server is shown in fig. 3.
The VPN channel establishment method has the following advantages:
1. Data encryption with the preset symmetric encryption algorithm and the automatic white list mechanism provided by this embodiment greatly reduce the security risk of establishing a VPN channel over the Internet, and the IP address of a client that shows malicious behaviour such as high-frequency connection attempts over UDP or TCP is blacklisted automatically;
2. A traditional VPN tool needs bidirectional certificates configured at both the client and the VPN server, places requirements on the client configuration, and also needs complicated network configuration at the operating-system level; this embodiment significantly reduces the complexity of client configuration;
3. A traditional VPN tool must reconfigure all current nodes whenever users are added, modified or deleted, so maintenance difficulty grows exponentially with the number of users. Here, when a VPN channel is established, the VPN server allocates a unique cloud server port to be mapped to the client's local port and creates an encryption certificate named after the client on the VPN server, so management remains easy even when the number of users grows greatly;
4. This embodiment judges at fixed intervals whether the VPN link is reachable and thereby the health state of the VPN channel and, with the dedicated API as an aid, actively broadcasts the running state to mainstream instant messaging software such as WeChat, DingTalk and Yunzhijia, raising the VPN availability SLA to 99.99%.
Based on the same inventive concept as the first embodiment, a second embodiment provides a VPN tunnel establishment apparatus, shown in fig. 4, adapted to a VPN server. The apparatus comprises: a client authentication module 21, configured to authenticate a client in response to a VPN channel establishment request it initiates and, when the client passes authentication, to add the IP address of the client to a white list and obtain the local port of the client; and a VPN channel establishing module 22, configured to perform uniqueness detection on the local port of the client according to the mapping relationship between that local port and the cloud server port allocated to the client by the VPN server, and to establish a VPN channel when the local port passes the uniqueness detection.
In a preferred embodiment, the apparatus further comprises a client security check module 23, configured, after the VPN channel has been established, to remove the IP address of the client from the white list when the VPN connection with the client is disconnected and the running information of the client does not conform to the predefined firewall rule, and to remove the IP address of the client from the white list when the latest IP address of the client is inconsistent with the one recorded in the white list.
In a preferred embodiment, authenticating the client specifically comprises: obtaining the encrypted basic information of the client over the UDP protocol and decrypting it to obtain the basic information of the client, the encrypted basic information having been produced by encrypting the basic information of the client with a preset symmetric encryption algorithm; and checking the basic information of the client, judging that the client passes authentication if the check succeeds and that it fails authentication otherwise.
In a preferred embodiment, authenticating the client in response to its VPN tunnel establishment request and adding its IP address to the white list to obtain its local port when it passes authentication further comprises: adding the IP address of the client to a black list when the client fails authentication.
In a preferred embodiment, the uniqueness detection on the local port of the client according to the mapping relationship between that local port and the cloud server port allocated to the client by the VPN server specifically comprises: determining, from the configuration file of the client, a first mapping port corresponding to the local port of the client, and determining, from the configuration file of the cloud WAF, a second mapping port corresponding to the same local port; and judging whether the first mapping port is consistent with the second mapping port, in which case the local port of the client passes the uniqueness detection, and otherwise judging that it does not.
In a preferred embodiment, establishing a VPN channel when the local port of the client passes the uniqueness detection specifically comprises: creating an open port, and connecting the local port of the client, the open port and the cloud server port allocated to the client by the VPN server to establish the VPN channel.
In a preferred embodiment, after the uniqueness detection the method further comprises: when the local port of the client fails the uniqueness detection, sending a port repeatability alarm to the client and rejecting the VPN channel establishment request.
In a preferred embodiment, after the VPN tunnel is established the method further comprises: interfacing with the target instant messaging software through the target API, detecting the running state of the VPN channel at fixed intervals, and uploading the resulting running-state detection result to the target instant messaging software.
In a preferred embodiment, removing the IP address of the client from the white list when the VPN connection with the client is disconnected and the running information of the client does not conform to the predefined firewall rule specifically comprises: after the VPN connection with the client is disconnected, acquiring the running information of the client at fixed intervals, judging whether it conforms to the firewall rule, and if it does not, removing the IP address of the client from the white list.
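The uniqueness detection and channel establishment of the VPN channel establishing module above (the first mapping port read from the client's configuration file, the second from the cloud WAF's, a port repeatability alarm and rejection on mismatch, and a cloud server port that the VPN server allocates to exactly one client) as an added Python example; it is not the patent's or Kingdee's code. The two configuration line formats (`map <local> <cloud>` for the client, `map <client> <local> <cloud>` for the cloud WAF), the port ranges, the client names and the open port allocated per channel are assumptions, since the patent does not specify them.

```python
from dataclasses import dataclass, field


def _map_lines(config_text, arity):
    """Yield the fields of each 'map ...' line; the format is an assumption."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != arity or parts[0] != "map":
            raise ValueError(f"malformed mapping line: {raw!r}")
        yield parts[1:]


def _port(text):
    port = int(text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_client_map(config_text):
    """Client configuration: 'map <local_port> <cloud_port>' -> {local: cloud}."""
    mapping = {}
    for local, cloud in _map_lines(config_text, 3):
        local, cloud = _port(local), _port(cloud)
        if local in mapping:
            raise ValueError(f"local port {local} mapped twice in client config")
        mapping[local] = cloud
    return mapping


def parse_waf_map(config_text):
    """Cloud WAF configuration: 'map <client> <local_port> <cloud_port>'
    -> {(client, local): cloud}. A cloud port listed for two different
    clients is rejected: the server hands each client its own port."""
    mapping, owners = {}, {}
    for client, local, cloud in _map_lines(config_text, 4):
        local, cloud = _port(local), _port(cloud)
        if owners.get(cloud, client) != client:
            raise ValueError(f"cloud port {cloud} assigned to two clients")
        owners[cloud] = client
        mapping[(client, local)] = cloud
    return mapping


@dataclass
class PortAllocator:
    """Hands out one port per client from [first, last], never reusing a live one."""
    first: int
    last: int
    assigned: dict = field(default_factory=dict)  # client -> port

    def allocate(self, client):
        if client in self.assigned:
            return self.assigned[client]
        in_use = set(self.assigned.values())
        for port in range(self.first, self.last + 1):
            if port not in in_use:
                self.assigned[client] = port
                return port
        raise RuntimeError("port pool exhausted")


def uniqueness_check(client, local_port, client_cfg, waf_cfg):
    """Return (passed, first_mapping_port, second_mapping_port)."""
    first = parse_client_map(client_cfg).get(local_port)
    second = parse_waf_map(waf_cfg).get((client, local_port))
    return first is not None and first == second, first, second


def establish_channel(client, local_port, client_cfg, waf_cfg, open_ports):
    """Uniqueness detection, then (simulated) channel establishment."""
    passed, first, second = uniqueness_check(client, local_port, client_cfg, waf_cfg)
    if not passed:
        # Port repeatability alarm: the request is rejected, nothing is bound.
        return {"status": "rejected", "alarm": "port repeatability",
                "first": first, "second": second}
    open_port = open_ports.allocate(client)
    # A real server would bind open_port here and bridge
    # client local_port <-> open_port <-> cloud_port; the patent only names
    # the three endpoints, so the bridging itself is not modelled.
    return {"status": "established", "local_port": local_port,
            "open_port": open_port, "cloud_port": second}


def scenario():
    """Constructed scenario: two clients that both use local port 8080."""
    cloud_ports = PortAllocator(30000, 30999)   # assumed cloud server port range
    open_ports = PortAllocator(40000, 40999)    # assumed open port range
    waf_cfg = "\n".join(                        # what the server allocated
        f"map {name} 8080 {cloud_ports.allocate(name)}"
        for name in ("acme-erp", "globex-erp"))
    acme_cfg = "map 8080 30000\n"               # matches its own allocation
    globex_cfg = "map 8080 30000\n"             # copied from acme: wrong port
    return (establish_channel("acme-erp", 8080, acme_cfg, waf_cfg, open_ports),
            establish_channel("globex-erp", 8080, globex_cfg, waf_cfg, open_ports))


if __name__ == "__main__":
    for result in scenario():
        print(result)
```

The second client's file points at a cloud port the server gave to somebody else, so the first mapping port (30000) disagrees with the second (30001) and the request is refused with the port repeatability alarm instead of silently bridging two tenants onto one cloud port. Checking both configuration files, rather than trusting the client's alone, is what makes the detection worth doing.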
Based on the same inventive concept as the first embodiment, a third embodiment provides a VPN tunnel establishment apparatus including a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the memory being coupled to the processor, and the processor implementing the VPN tunnel establishment method as described in the first embodiment when executing the computer program, and achieving the same advantageous effects as described above.
Based on the same inventive concept as the first embodiment, a fourth embodiment provides a computer readable storage medium, which includes a stored computer program, wherein the device in which the computer readable storage medium is located is controlled to execute the VPN tunnel establishment method as described in the first embodiment when the computer program is run, and the same advantageous effects as the first embodiment can be achieved.
Based on the same inventive concept as the first embodiment, a fifth embodiment provides a computer program product, which when run on a computer, causes the computer to perform the VPN tunnel establishment method as described in the first embodiment, and can achieve the same advantageous effects as the first embodiment.
In summary, the embodiment of the invention has the following beneficial effects:
the method comprises the steps that an authentication is carried out on a client in response to a VPN channel establishment request initiated by the client, and when the client passes the authentication, an IP address of the client is added into a white list to obtain a local port of the client; according to the mapping relation between the local port of the client and the cloud server port distributed to the client by the VPN server, the uniqueness of the local port of the client is detected, and when the local port of the client passes the uniqueness detection, a VPN channel is established, so that the VPN channel can be optimally established, and the stability and the safety of the VPN channel are improved.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that changes and modifications may be made without departing from the principles of the invention, such changes and modifications are also intended to be within the scope of the invention.
Those skilled in the art will appreciate that implementing all or part of the above-described embodiments may be accomplished by way of computer programs, which may be stored on a computer readable storage medium, which when executed may comprise the steps of the above-described embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.

Claims (11)

1. A VPN tunnel establishment method, applicable to a VPN server, the method comprising:
in response to a VPN channel establishment request initiated by a client, authenticating the client, and when the client passes authentication, adding an IP address of the client to a white list so as to obtain a local port of the client; and
performing uniqueness detection on the local port of the client according to a mapping relationship between the local port of the client and a cloud server port allocated to the client by the VPN server, and establishing a VPN channel when the local port of the client passes the uniqueness detection.
2. The VPN tunnel establishment method according to claim 1, further comprising, after establishing the VPN tunnel when the local port of the client passes the uniqueness detection:
when the VPN connection with the client is disconnected and running information of the client does not conform to a predefined firewall rule, removing the IP address of the client from the white list; and
when a latest IP address of the client is inconsistent with the IP address of the client in the white list, removing the IP address of the client from the white list.
3. The VPN tunnel establishment method according to claim 1, wherein authenticating the client specifically comprises:
obtaining encrypted basic information of the client over the UDP protocol, and decrypting the encrypted basic information of the client to obtain basic information of the client, the encrypted basic information of the client being obtained by encrypting the basic information of the client with a preset symmetric encryption algorithm; and
checking the basic information of the client, and judging that the client passes authentication if the check succeeds, and otherwise judging that the client fails authentication.
4. The VPN tunnel establishment method according to claim 1 or 3, wherein authenticating the client in response to the VPN tunnel establishment request initiated by the client, and adding the IP address of the client to the white list to obtain the local port of the client when the client passes authentication, further comprises:
adding the IP address of the client to a black list when the client fails authentication.
5. The VPN tunnel establishment method according to claim 1, wherein performing uniqueness detection on the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server specifically comprises:
determining a first mapping port corresponding to the local port of the client according to a configuration file of the client, and determining a second mapping port corresponding to the local port of the client according to a configuration file of a cloud WAF; and
judging whether the first mapping port is consistent with the second mapping port, and if so, judging that the local port of the client passes the uniqueness detection, and otherwise judging that the local port of the client does not pass the uniqueness detection.
6. The VPN tunnel establishment method according to claim 1, wherein establishing a VPN tunnel when the local port of the client passes the uniqueness detection specifically comprises:
creating an open port, and connecting the local port of the client, the open port and the cloud server port allocated to the client by the VPN server to establish the VPN channel.
7. The VPN tunnel establishment method according to claim 1, further comprising, after performing uniqueness detection on the local port of the client according to the mapping relationship between the local port of the client and the cloud server port allocated to the client by the VPN server:
when the local port of the client fails the uniqueness detection, sending a port repeatability alarm to the client and rejecting the VPN channel establishment request.
8. The VPN tunnel establishment method according to claim 1, further comprising, after establishing the VPN tunnel:
interfacing with target instant messaging software through a target API, detecting a running state of the VPN channel at fixed intervals, and uploading the resulting running-state detection result to the target instant messaging software.
9. A VPN tunnel establishment apparatus, applicable to a VPN server, the apparatus comprising:
a client authentication module, configured to authenticate a client in response to a VPN channel establishment request initiated by the client, and when the client passes authentication, to add an IP address of the client to a white list so as to obtain a local port of the client; and
a VPN channel establishing module, configured to perform uniqueness detection on the local port of the client according to a mapping relationship between the local port of the client and a cloud server port allocated to the client by the VPN server, and to establish a VPN channel when the local port of the client passes the uniqueness detection.
10. A VPN tunnel establishment device, comprising a processor, a memory and a computer program stored in the memory and configured to be executed by the processor, the memory being coupled to the processor, wherein the processor implements the VPN tunnel establishment method according to any of claims 1 to 8 when executing the computer program.
11. A computer readable storage medium, comprising a stored computer program, wherein the computer program, when run, controls a device in which the computer readable storage medium is located to perform the VPN tunnel establishment method according to any of claims 1 to 8.
Application CN202310481417.3A, priority date 2023-04-27, filing date 2023-04-27, "VPN channel establishment method, device, equipment and medium", status Pending, published as CN116405346A (en).

Publications (1)

Publication Number Publication Date
CN116405346A true CN116405346A (en) 2023-07-07

Family

ID=87019879

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination