WO2023185823A1 - Remote communication methods for industrial device, apparatuses and devices - Google Patents


Info

Publication number
WO2023185823A1
Application number
PCT/CN2023/084356
Authority
WO (WIPO, PCT)
Prior art keywords
data packet, address, local area network, edge device
Other languages
French (fr), Chinese (zh)
Inventor
李林
Original Assignee
阿里巴巴(中国)有限公司
Application filed by 阿里巴巴(中国)有限公司

Classifications

All H04L entries sit under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication); the Y02P entry sits under Y (general tagging of cross-sectional technologies) > Y02 (climate change mitigation) > Y02P (mitigation in the production or processing of goods).

    • H04L63/0823: Network architectures or protocols for network security; authentication of entities using certificates
    • H04L12/4641: Data switching networks; interconnection of networks; virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0428: Network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10: Network security; controlling access to devices or network resources
    • H04L67/1004: Network services or applications; protocols in which an application is distributed across nodes; accessing one among a plurality of replicated servers; server selection for load balancing
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y02P90/02: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation; total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Definitions

  • the present application relates to the field of cloud computing technology, and in particular to a remote communication method, device and equipment for industrial equipment.
  • Embodiments of the present application provide a remote communication method, device and equipment for industrial equipment, in order to improve the security of remote communication of industrial equipment.
  • embodiments of the present application provide a remote communication method for industrial equipment, which is applied to an edge device.
  • the edge device implements a communication connection with at least one industrial device in a first local area network. The method includes: obtaining, through a virtual private network (VPN) channel, a first data packet from a terminal device, where the first data packet includes a destination address, the destination address is the Internet Protocol (IP) address of a target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device; and sending the first data packet to the target industrial device.
  • VPN Virtual Private Network
  • IP Internet Protocol
  • embodiments of the present application provide a remote communication method for industrial equipment, applied to a VPN server, including: sending first configuration information to an edge device, the first configuration information carrying information about the network segment of a second local area network, where the second LAN is the LAN used for communication through the VPN channel; and forwarding the first data packet from the terminal device to the edge device.
  • the first data packet includes a source address and a destination address.
  • the source address is the IP address of the terminal device in the second LAN
  • the destination address in the first data packet is the IP address of the target industrial equipment in the first LAN
  • the target industrial equipment is in the first LAN
  • embodiments of the present application provide a remote communication method for industrial equipment, applied to terminal equipment, including: sending a first data packet to the edge device through the VPN channel.
  • the first data packet includes a source address and a destination address.
  • the source address in the first data packet is the IP address of the terminal device in the second local area network.
  • the destination address in the first data packet is the IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device that communicates with the edge device in the first local area network; the method further includes receiving, through the VPN channel, the second data packet sent by the edge device.
  • embodiments of the present application provide an edge device that implements communication connections with at least one industrial device in a first local area network.
  • the edge device includes: an acquisition unit configured to acquire a first data packet from a terminal device, the first data packet including a destination address.
  • the destination address in the first data packet is the Internet Protocol (IP) address of the target industrial device in the first local area network.
  • the target industrial device is one of the at least one industrial device; and a transceiver unit configured to send the first data packet to the target industrial device.
  • a server including: a transceiver unit configured to send first configuration information to an edge device.
  • the first configuration information carries information about a network segment of a second local area network.
  • the network segment of the second local area network is the local area network used for communication through the VPN channel;
  • the transceiver unit is also used to forward the first data packet from the terminal device to the edge device.
  • the first data packet includes a source address and a destination address.
  • the source address in the first data packet is the IP address of the terminal device in the second local area network, the destination address in the first data packet is the IP address of the target industrial equipment in the first local area network, and the target industrial equipment is in the first local area network.
  • a terminal device including: a transceiver unit configured to send a first data packet to an edge device through a VPN channel.
  • the first data packet includes a source address and a destination address.
  • the source address in the first data packet is the IP address of the terminal device in the second local area network.
  • the destination address in the first data packet is the IP address of the target industrial equipment in the first local area network.
  • the target industrial equipment is in the first local area network and is one of at least one industrial device that implements a communication connection with the edge device; the transceiver unit is also used to receive the second data packet sent by the edge device through the VPN channel.
  • embodiments of the present application provide an electronic device, including: at least one processor and a memory; the memory stores computer-executable instructions; the at least one processor executes the computer-executable instructions stored in the memory, so that the at least one processor performs a method as provided in the first aspect, the second aspect or the third aspect.
  • embodiments of the present application provide a computer-readable storage medium.
  • Computer-executable instructions are stored in the computer-readable storage medium.
  • when the processor executes the computer-executable instructions, the method provided by the first aspect, the second aspect or the third aspect is implemented.
  • embodiments of the present application provide a computer program product, which includes computer instructions.
  • the computer instructions are executed by a processor, the method provided in the first aspect, the second aspect, or the third aspect is implemented.
  • encrypted communication is performed between the edge device and the terminal device through a VPN channel, and then the edge device sends the first data packet sent by the terminal device to the target industrial device in the first LAN.
  • when the edge device is exposed to the public network, communication between the terminal devices and the edge device is realized through the VPN channel, and the industrial devices themselves need not be exposed, improving the security of remote communication of industrial equipment.
  • Figure 1 is a schematic diagram of a remote communication scenario 100 of industrial equipment provided by an embodiment of the present application.
  • Figure 2 is a schematic interactive flow diagram of a remote communication method 200 for industrial equipment provided by an embodiment of the present application.
  • Figure 3 is a schematic interactive flow diagram of a remote communication method 300 for industrial equipment provided by an embodiment of the present application.
  • Figure 4 is a schematic block diagram of an electronic device 400 provided by an embodiment of the present application.
  • Figure 5 is a schematic structural diagram of an electronic device 500 provided by an embodiment of the present application.
  • Figure 6 is a schematic structural diagram of a cloud server 600 provided by an exemplary embodiment of the present application.
  • Industry is a material-generating industry that mines and collects natural resources and processes various raw materials. This can generally include, but is not limited to, light industry, heavy industry and chemical industry.
  • Light industry may include but is not limited to: light industry using agricultural products as raw materials, such as food manufacturing, tobacco processing, textiles, papermaking, printing, etc.; light industry using non-agricultural products as raw materials, such as cultural, educational and sporting goods, chemical manufacturing, synthetic fiber manufacturing, and daily necessities Manufacturing, hand tool manufacturing, medical device manufacturing, etc.
  • Heavy industry can include, but is not limited to, energy mining, metal smelting and processing, cement processing, electricity, etc.
  • the chemical industry can include, but is not limited to, plastic and rubber products, coatings, chemical waste treatment, etc.
  • the industrial equipment in the embodiments of the present application can be applied to any of the above-mentioned industrial fields to achieve industrial production or maintenance.
  • Industrial equipment includes but is not limited to Computerized Numerical Control Machines (CNC).
  • In current industrial automation practice, industrial equipment is often controlled through industrial control devices to achieve industrial production or maintenance. It should be understood that the industrial control device may be independent of the industrial equipment, or may be integrated with it. When industrial equipment is integrated with an industrial control device, the combination can be called industrial control equipment.
  • the industrial control device may be, for example, a programmable logic controller (PLC).
  • the edge device and the remote terminal equipment communicate through VPN, and then the edge device communicates with the industrial control device in the first LAN.
  • the IP of the industrial control device does not need to be exposed to the public network to achieve communication with the remote terminal device.
  • FIG. 1 is a schematic diagram of a remote communication scenario 100 of industrial equipment provided by an embodiment of the present application.
  • the edge device 110 and at least one industrial device 120 implement communication connections within the first local area network.
  • the edge device 110 can be implemented as a gateway.
  • the industrial equipment 120 can be implemented as the above-mentioned industrial control equipment, or the industrial equipment 120 can be replaced by the above-mentioned industrial control devices.
  • the edge device 110 and the terminal device 130 are connected through a virtual private network (Virtual Private Network, VPN) channel.
  • VPN is a private network established on a public network.
  • the VPN channel can realize encrypted communication between the edge device 110 and the terminal device 130.
  • a VPN channel can be established between the edge device 110 and the terminal device 130 through the VPN server 140, and communication between the edge device 110 and the terminal device 130 is implemented based on the forwarding of the VPN server 140.
  • the terminal device 130 and the edge device 110 can use a second LAN for communication over the VPN channel.
  • the VPN server 140 can be integrated into the terminal device 130 or the edge device 110 in the form of a functional module, which is not limited in this application.
  • the VPN server 140 can be implemented as an ordinary server, a server cluster, or a cloud server or a server cluster.
  • the number of terminal devices 130 may be one or more, and this application does not limit this.
  • the multiple terminal devices 130 can communicate with the edge device 110 through the VPN server 140.
  • the multiple terminal devices 130 can perform encrypted communication with the edge device 110 in the same local area network (such as the second local area network above), and the IP addresses of the multiple terminal devices 130 all belong to the network segment of the second local area network.
  • the edge device 110 may forward a received data packet from the terminal device 130 to at least one of the industrial devices 120, or may forward a received data packet from the industrial device 120 to the terminal device 130, to implement communication between the terminal device 130 and the industrial equipment 120.
  • a VPN client is deployed in both the edge device 110 and the terminal device 130; a VPN server is deployed in the VPN server 140.
  • the terms first and second in the above-mentioned first LAN and second LAN are used to distinguish different LANs; they do not represent an order, nor do they limit the types of the first LAN and the second LAN.
  • the method provided by the embodiment of the present application is described in detail by taking the interaction between terminal equipment, edge equipment, and industrial equipment as an example.
  • the terminal device may be, for example, the terminal device 130 in FIG. 1
  • the edge device may be, for example, the edge device 110 in FIG. 1
  • the industrial device may be, for example, the industrial device 120 in FIG. 1 .
  • a VPN server also participates in the interaction to implement the method provided by the embodiments of this application.
  • the VPN server may be, for example, the VPN server 140 in Figure 1 .
  • the terminal device shown in the following embodiments can also be replaced with components in the terminal device, such as a chip, a chip system, or other functional modules that can call and execute programs.
  • the edge device can also be replaced with components in the edge device, such as chips, chip systems or other functional modules that can call and execute programs.
  • industrial equipment can also be replaced by components in the industrial equipment, such as chips, chip systems or other functional modules that can call and execute programs.
  • the VPN server can be replaced by components in the VPN server, such as chips, chip systems, or other functional modules that can call and execute programs.
  • FIG. 2 is a schematic interactive flow diagram of a remote communication method 200 for industrial equipment provided by an embodiment of the present application. As shown in Figure 2, the method 200 includes some or all of the following processes:
  • S210 The terminal device sends the first data packet to the edge device through the VPN channel.
  • the edge device obtains the first data packet from the terminal device through the VPN channel.
  • S220 The edge device sends the first data packet to the target industrial device.
  • the first data packet at least includes a destination address
  • the destination address in the first data packet is the IP address of the target industrial device in the first local area network.
  • the industrial equipment and the edge device realize communication connection in the first local area network
  • the target industrial equipment can be any one of the at least one industrial equipment that realizes communication connection with the edge device in the first local area network
  • the terminal device indicates the target industrial device through the destination address in the first data packet.
  • the edge device sends the first data packet to the target industrial device indicated by the destination address in the first data packet.
  • the edge device and the target industrial device may communicate through the first LAN based on their IP addresses in the first LAN.
  • the data in the first data packet can be used to control or maintain the target industrial equipment.
  • the number of target industrial equipment may be one or more, and this application does not limit this.
  • the terminal device can send the first data packet corresponding to each target industrial device to the edge device, and then the edge device forwards each first data packet to the corresponding target industrial device.
  • the first data packet may also include a source address.
  • the source address in the first data packet may be used as the destination address of the reply.
  • the source address in the first data packet is the IP address of the terminal device in the second LAN, that is, the virtual IP address under the VPN. If that address were left unchanged, the target industrial equipment connected to the first LAN could not send the second data packet back to the terminal device, since that address is not reachable from the first LAN.
  • to ensure that, after sending the first data packet to the target industrial device, it can forward the second data packet from the target industrial device to the terminal device, the edge device may, before forwarding the first data packet, modify the source address in the first data packet to the IP address of the edge device in the first LAN and then send the modified data packet to the target industrial device, so that the target industrial device uses the IP address of the edge device in the first LAN as the destination address when sending the second data packet.
  • the modification of the source address in the first data packet by the edge device may include the following implementation: after receiving the first data packet sent by the terminal device, the edge device determines whether the first data packet comes from the VPN channel. For example, the edge device checks whether the source address in the first data packet belongs to the network segment of the second LAN. If it does, the first data packet comes from the VPN channel (that is, the terminal device sent it through the VPN client), and the edge device modifies the source address in the first data packet.
  • the network segment of the second LAN is 192.168.40.x
  • the source address in the first data packet is 192.168.40.4.
  • the edge device determines that the source address in the first data packet belongs to the network segment of the second LAN, and then modifies the source address in the first data packet.
  • the edge device can modify the source address in the first data packet to the IP address of the edge device in the first LAN according to a preconfigured Source Network Address Translation (SNAT) entry.
  • SNAT Source Network Address Translation
  • the SNAT entry can be understood as a SNAT policy, which can include the mapping relationship between the network segment of the second LAN and the IP address of the edge device in the first LAN.
  • the edge device modifies the source address in the first data packet, which is only an example and not a limiting explanation.
  • the edge device may also add the edge device's IP address within the first local area network as an additional source address to the first data packet.
  • Modifying the source address in the first data packet based on SNAT is also just an example and not a limiting explanation.
  • the edge device can modify the source address in the first data packet based on a preset mapping relationship between the network segment of the second LAN and the IP address of the edge device in the first LAN.
  • the method 200 further includes the following steps S230 and S240.
  • S230 The target industrial device sends the second data packet to the edge device.
  • the edge device receives the second data packet sent by the target industrial device.
  • S240 The edge device sends the second data packet to the terminal device through the VPN channel.
  • the terminal device receives the second data packet through the VPN channel.
  • the above-mentioned process of transmitting the first data packet and the process of transmitting the second data packet may overlap in time.
  • when the edge device forwards the first data packet sent by the terminal device to the target industrial device, it also forwards the second data packet sent by the target industrial device to the terminal device; or the above-mentioned process of transmitting the first data packet and the process of transmitting the second data packet may not overlap in time.
  • the second data packet is based on the data in the first data packet.
  • the edge device can forward the first data packet from the terminal device to the target industrial device, and then forward the second data packet from the target industrial device to the terminal device. This application does not limit this.
  • the second data packet may include a destination address, a source address and data.
  • the destination address of the second data packet may be the source address of the received first data packet, and the source address of the second data packet may be the destination address of the received first data packet.
  • the destination address of the second data packet may be the IP address of the edge device in the first local area network, and the source address of the second data packet may be the IP address of the target industrial device in the first local area network.
  • the target industrial equipment transmits the second data packet within the first local area network.
  • after receiving the second data packet sent by the target industrial equipment, the edge device can modify the destination address in the second data packet to the IP address of the terminal device in the second LAN, and then forward the second data packet to the terminal device. For example, when the edge device modifies the source address of the first data packet, it can retain a source address modification record of the first data packet.
  • the source address modification record of the first data packet can at least include the original source address of the first data packet (i.e., the IP address of the terminal device in the second LAN) and the destination address of the first data packet (i.e., the IP address of the target industrial device in the first LAN).
  • the edge device then modifies the destination address of the second data packet to the IP address of the terminal device in the second LAN according to the source address modification record of the first data packet and the source address of the second data packet (that is, the IP address of the target industrial device in the first LAN).
  • specifically, when the source address of the second data packet is consistent with the destination address in the source address modification record of the first data packet, the edge device modifies the destination address of the second data packet to the IP address of the terminal device in the second LAN.
  • the edge device may send the second data packet to the terminal device through the VPN channel based on the IP address of the terminal device in the second local area network.
  • the edge device receives the second data packet sent by the target industrial device through the first LAN and sends it to the terminal device through the VPN channel, without exposing the industrial device to the public network. This realizes communication between terminal devices and edge devices and improves the security of remote communication of industrial equipment.
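The forwarding path of method 200 (S210 to S240) in working form, as an added illustration that is not code from the patent or from the assignee. The VPN-channel test is the one the text describes (source address inside the second-LAN segment), the source address is rewritten to the edge device's first-LAN address, and the reply is mapped back through the retained record. The addresses, the `Packet` type and the shape of the record table are assumptions for the example; the text only says the record holds the original source and destination of the first data packet.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model: only the fields the edge device rewrites."""
    src: IPv4Address
    dst: IPv4Address
    data: bytes


def make_packet(src: str, dst: str, data: bytes) -> Packet:
    return Packet(IPv4Address(src), IPv4Address(dst), data)


class EdgeDevice:
    def __init__(self, second_lan_segment: str, first_lan_ip: str) -> None:
        # Segment of the second LAN (the VPN virtual addresses), as carried in
        # the first configuration information from the VPN server.
        self.second_lan = IPv4Network(second_lan_segment)
        # The edge device's own address in the first LAN; SNAT rewrites to it.
        self.first_lan_ip = IPv4Address(first_lan_ip)
        # Source address modification records, keyed by the destination of the
        # first data packet (assumed shape): target industrial IP -> terminal IP.
        self._records: Dict[IPv4Address, IPv4Address] = {}

    def from_vpn_channel(self, pkt: Packet) -> bool:
        """The text's test: the source address lies in the second-LAN segment."""
        return pkt.src in self.second_lan

    def forward_to_industrial(self, pkt: Packet) -> Optional[Packet]:
        """S210/S220 with SNAT. Returns the packet as sent on the first LAN,
        or None when the packet did not arrive via the VPN channel."""
        if not self.from_vpn_channel(pkt):
            return None
        self._records[pkt.dst] = pkt.src  # retained for the reply
        return replace(pkt, src=self.first_lan_ip)

    def forward_to_terminal(self, pkt: Packet) -> Optional[Packet]:
        """S230/S240 reverse translation. The reply must be addressed to the
        edge's first-LAN IP and its source must match a recorded destination;
        otherwise there is no terminal to deliver it to and it is not forwarded."""
        if pkt.dst != self.first_lan_ip:
            return None
        terminal_ip = self._records.get(pkt.src)
        if terminal_ip is None:
            return None
        return replace(pkt, dst=terminal_ip)


def round_trip(edge: EdgeDevice, terminal_ip: str, plc_ip: str) -> Tuple[Packet, Packet]:
    """One request/reply exchange; returns the packet as seen on the first LAN
    and the reply as handed back to the VPN channel. Payloads are constructed."""
    first = make_packet(terminal_ip, plc_ip, b"read-status")
    on_lan = edge.forward_to_industrial(first)
    if on_lan is None:
        raise ValueError("first data packet did not come from the VPN channel")
    # The industrial device answers the source it saw, i.e. the edge's LAN IP.
    second = Packet(on_lan.dst, on_lan.src, b"status=running")
    to_terminal = edge.forward_to_terminal(second)
    if to_terminal is None:
        raise ValueError("no record for the second data packet")
    return on_lan, to_terminal


if __name__ == "__main__":
    edge = EdgeDevice("192.168.40.0/24", "10.0.0.1")
    sent, back = round_trip(edge, "192.168.40.4", "10.0.0.20")
    print("on first LAN:", sent.src, "->", sent.dst)
    print("to terminal :", back.src, "->", back.dst)
```

Two points a practitioner would change in a real edge device: the record here is keyed by destination address only, so two terminals talking to the same industrial device would collide, whereas a netfilter-style SNAT tracks full connection tuples; and recognising VPN traffic by source prefix alone is weaker than also requiring that the packet arrived on the tunnel interface, since a source address can be set by whoever builds the packet.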
  • the VPN channel in the above embodiment may be a network channel established and implemented based on the VPN server. The following is explained in conjunction with Figure 3.
  • FIG. 3 is a schematic interactive flow diagram of a remote communication method 300 for industrial equipment provided by an embodiment of the present application.
  • the method 300 may include some or all of the following processes:
  • the VPN server may obtain the second client configuration request.
  • the VPN server obtains the second client configuration request input by the user.
  • the second client configuration request is used to request to configure a VPN environment corresponding to at least one terminal device.
  • the second client configuration request may carry the number and/or identification of the terminal devices.
  • the VPN server may determine the network segment of the second local area network and the VPN certificate corresponding to each terminal device.
  • the VPN server carries the information of the network segment of the second LAN and one VPN certificate in each piece of third configuration information (one per terminal device), or carries an IP address belonging to the network segment of the second LAN and one VPN certificate in each piece of third configuration information.
  • the second method allows the terminal device to take its own IP address directly from the third configuration information, without requiring the terminal device to choose its own IP address from the network segment of the second LAN.
  • the VPN server can send the third configuration information to the terminal device.
  • the VPN server can send multiple pieces of third configuration information to the corresponding terminal devices respectively.
  • the terminal device can determine its own IP address in the second local area network based on the third configuration information, and install the certificate, thereby completing the configuration of the VPN environment.
  • the server deployed in the VPN server can be set to bridge (TAP) mode so that the server can be implemented as a Secure Sockets Layer (SSL) server.
  • the client deployed in the terminal device may be an SSL client.
  • the VPN server receives the first client configuration request sent by the edge device.
  • the first client configuration request is used to request the VPN server to send second configuration information.
  • the first client configuration request may be sent by the edge device when it is powered on for the first time.
  • the first client configuration request may also be sent by the edge device in response to a command input by the user.
  • the second configuration information may include: at least one of a VPN client installation package, a VPN certificate, and a VPN startup instruction.
  • the edge device can install the VPN client by running the VPN client installation package in the second configuration information; the edge device can install the VPN certificate in the second configuration information; the edge device can also start the VPN client in response to the VPN startup instruction in the second configuration information.
  • edge devices need to configure SNAT entries.
  • the edge device may configure the SNAT entry according to the network segment of the second LAN to establish a mapping relationship between the network segment of the second LAN and the IP address of the edge device in the first LAN.
  • the network segment of the second LAN may be preset in the edge device, or the edge device may receive it from the VPN server.
  • the VPN server determines the network segment of the second LAN in response to the second client configuration request, carries the network segment information of the second LAN in the first configuration information, and sends it to the edge device.
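The configuration side of method 300, covering both the VPN server's handling of the second client configuration request (one third configuration per terminal, using the variant that assigns the address) and the edge device's derivation of its SNAT entry from the first configuration information. This is an added example, not code from the patent or from the assignee. The certificate field carries placeholder text rather than a real certificate, the segment and addresses are constructed, the `iptables` rendering assumes a netfilter-based Linux edge device, and the check that the second-LAN segment does not overlap the first LAN is an added precaution the text does not state.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass(frozen=True)
class ThirdConfig:
    """Per-terminal VPN environment (the variant that carries an assigned address)."""
    terminal_id: str
    ip: IPv4Address          # the terminal's address in the second LAN
    certificate: str         # VPN certificate; placeholder text in this example


@dataclass(frozen=True)
class FirstConfig:
    """Sent to the edge device: the network segment of the second LAN."""
    segment: IPv4Network


@dataclass(frozen=True)
class SnatEntry:
    match_segment: IPv4Network   # source addresses to rewrite
    to_source: IPv4Address       # the edge device's first-LAN address

    def as_iptables(self) -> str:
        # Equivalent rule on a Linux edge device (assumption for the example).
        return (f"iptables -t nat -A POSTROUTING -s {self.match_segment} "
                f"-j SNAT --to-source {self.to_source}")


class VpnServer:
    def __init__(self, second_lan_segment: str, server_ip: str) -> None:
        self.segment = IPv4Network(second_lan_segment)
        self.server_ip = IPv4Address(server_ip)
        if self.server_ip not in self.segment:
            raise ValueError("VPN server address must lie in the second LAN")

    def handle_second_client_request(self, terminal_ids: List[str]) -> List[ThirdConfig]:
        """Second client configuration request: one third configuration per
        terminal, each with a distinct host address from the segment."""
        if len(set(terminal_ids)) != len(terminal_ids):
            raise ValueError("duplicate terminal identifiers")
        free = [h for h in self.segment.hosts() if h != self.server_ip]
        if len(terminal_ids) > len(free):
            raise ValueError("second-LAN segment has too few host addresses")
        return [
            ThirdConfig(tid, ip, f"<placeholder VPN certificate for {tid}>")
            for tid, ip in zip(terminal_ids, free)
        ]

    def first_config(self) -> FirstConfig:
        return FirstConfig(self.segment)


def configure_snat(cfg: FirstConfig, edge_first_lan_ip: str, first_lan: str) -> SnatEntry:
    """Edge-device side: derive the SNAT entry from the first configuration.
    The overlap check is added here: if the two segments overlapped, the
    source-segment test that recognises VPN traffic could not tell VPN packets
    from packets that originate on the first LAN itself."""
    edge_ip = IPv4Address(edge_first_lan_ip)
    lan = IPv4Network(first_lan)
    if edge_ip not in lan:
        raise ValueError("edge address is not in the first LAN")
    if cfg.segment.overlaps(lan):
        raise ValueError("second-LAN segment overlaps the first LAN")
    return SnatEntry(cfg.segment, edge_ip)


if __name__ == "__main__":
    server = VpnServer("192.168.40.0/24", "192.168.40.1")
    for c in server.handle_second_client_request(["hmi-1", "hmi-2"]):
        print(c.terminal_id, c.ip)
    print(configure_snat(server.first_config(), "10.0.0.1", "10.0.0.0/24").as_iptables())
```

On a real edge device the rendered rule would normally also be restricted to traffic entering on the tunnel interface and leaving on the first-LAN interface, so that the SNAT entry applies only to packets that actually traversed the VPN channel.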
  • data transmission on the VPN channel can be realized between the terminal device and the edge device through the VPN server.
  • the terminal device can send a first data packet to the VPN server, and the VPN server forwards the first data packet sent by the terminal device to the edge device, so that the terminal device sends the first data packet to the edge device through the VPN channel; and/or the edge device sends a second data packet to the VPN server, and the VPN server forwards the received second data packet to the terminal device, so that the edge device sends the second data packet to the terminal device through the VPN channel.
  • communication between the edge device and the target industrial device is still implemented through the first local area network.
  • the implementation method can be referred to the communication method between the edge device and the target industrial device in any of the above embodiments.
  • after the edge device modifies the source address in the first data packet to the IP address of the edge device in the first LAN, it sends the first data packet to the target industrial device.
  • the edge device receives the second data packet sent by the target industrial device; after receiving the second data packet, it modifies the destination address in the second data packet to the IP address of the terminal device in the second LAN and then sends it to the terminal device through the VPN channel.
  • FIG. 4 is a schematic block diagram of an electronic device 400 provided by an embodiment of the present application.
  • the electronic device 400 can be implemented as an execution subject in the above method embodiment, such as an edge device, a VPN server or a terminal device.
  • the electronic device 400 at least includes a transceiver unit 410.
  • the electronic device 400 may also include an acquisition unit 420 and/or a processing unit 430.
  • the electronic device 400 may correspond to the edge device in the above method embodiment, for example, it may be an implementation of the edge device, or a component (such as a chip or chip system) configured in the edge device.
  • the obtaining unit 420 can be used to obtain the first data packet from the terminal device through the virtual private network (VPN) channel, where the first data packet includes a destination address, the destination address in the first data packet is the Internet Protocol (IP) address of the target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device; the transceiver unit 410 is used to send the first data packet to the target industrial device.
  • the first data packet further includes a source address.
  • the source address in the first data packet is the IP address of the terminal device in a second local area network.
  • the second local area network is the local area network used when communicating through the VPN channel; the transceiver unit 410 is specifically configured to: modify the source address in the first data packet to the IP address of the edge device in the first local area network; and send the first data packet to the target industrial device.
  • the transceiver unit 410 is specifically configured to: when the source address in the first data packet belongs to the network segment of the second LAN, modify the source address in the first data packet to the IP address of the edge device in the second LAN according to the preconfigured source network address translation (SNAT) entry, where the SNAT entry is used to indicate that a source address belonging to the network segment of the second LAN is modified to the IP address of the edge device.
  • the transceiver unit 410 is further configured to: receive first configuration information sent by the VPN server, where the first configuration information carries information about the network segment of the second local area network; and the processing unit 430 is configured to configure the SNAT entry according to the first configuration information.
  • the obtaining unit 420 is specifically configured to: receive the first data packet forwarded by the VPN server.
  • the transceiver unit 410 is also used to receive the second data packet sent by the target industrial device.
  • the second data packet includes a source address and a destination address.
  • the destination address in the second data packet is the IP address of the edge device in the first LAN;
  • the processing unit 430 is also configured to modify the destination address of the second data packet to the IP address of the terminal device in the second local area network according to the modification record of the source address of the first data packet and the source address of the second data packet; the transceiver unit 410 is also used to send the second data packet to the terminal device through the VPN channel.
  • the transceiver unit 410 is also configured to receive second configuration information sent by the VPN server, where the second configuration information carries at least one of a VPN client installation package, a VPN certificate, and a VPN startup instruction; the processing unit 430 is also used to configure the VPN environment according to the second configuration information to build the VPN channel.
  • before receiving the second configuration information sent by the VPN server, the transceiver unit 410 is also used to send a first client configuration request to the VPN server when the edge device is powered on for the first time.
  • the first client configuration request is used to request the VPN server to send the second configuration information.
  • the electronic device 400 may correspond to the VPN server in the above method embodiment, for example, it may be an implementation of the VPN server, or a component (such as a chip or chip system) configured in the VPN server.
  • the transceiver unit 410 may be configured to: send first configuration information to the edge device, where the first configuration information carries information about a network segment of a second local area network, and the network segment of the second local area network is the local area network used when communicating through a VPN channel; and forward the first data packet from the terminal device to the edge device.
  • the first data packet includes a source address and a destination address.
  • the source address in the first data packet is the IP address of the terminal device in the second local area network, the destination address in the first data packet is the IP address of the target industrial device in the first local area network, and the target industrial device is one of at least one industrial device that communicates with the edge device in the first local area network.
  • the transceiver unit 410 is further configured to send second configuration information to the edge device, where the second configuration information carries at least one of a VPN client installation package, a VPN certificate, and a VPN startup instruction.
  • the transceiver unit 410 is also configured to: receive a first client configuration request sent by the edge device when it is powered on for the first time.
  • the first client configuration request is used to request the VPN server to send the second configuration information.
  • the obtaining unit 420 is used to obtain a second client configuration request, where the second client configuration request is used to request configuration of a VPN environment corresponding to at least one terminal device.
  • the processing unit 430 is used to generate, according to the second client configuration request, the first configuration information and/or at least one piece of third configuration information respectively corresponding to the at least one terminal device.
  • the third configuration information includes the network segment of the second LAN and/or the VPN certificate corresponding to the terminal device; the transceiver unit 410 is also configured to send the third configuration information to the at least one terminal device respectively.
  • the VPN server is configured in bridge mode.
  • the electronic device 400 may correspond to the terminal device in the above method embodiment, and may be, for example, an implementation of the terminal device, or a component (such as a chip or chip system) configured in the terminal device.
  • the transceiver unit 410 may be configured to: send a first data packet to the edge device through the VPN channel, where the first data packet includes a source address and a destination address, and the source address in the first data packet is the IP address of the terminal device in the second local area network.
  • the destination address in the first data packet is the IP address of the target industrial device in the first local area network.
  • the target industrial device is one of at least one industrial device that communicates with the edge device in the first local area network; and receive the second data packet sent by the edge device through the VPN channel.
  • FIG. 5 is a schematic structural diagram of an electronic device 500 provided by an embodiment of the present application.
  • the electronic device 500 shown in Figure 5 can be implemented as a terminal device, an edge device or a VPN server, and is used to implement the steps performed by the terminal device, edge device or VPN server in the above method embodiment.
  • the electronic device 500 includes a processor 520, and the processor 520 can call and run a computer program from the memory to implement the method in the embodiment of the present application.
  • the electronic device 500 may also include a memory 530 .
  • the processor 520 can call and run the computer program from the memory 530 to implement the method in the embodiment of the present application.
  • the memory 530 may be a separate device independent of the processor 520 , or may be integrated into the processor 520 .
  • the electronic device 500 may also include a transceiver 510, and the processor 520 may control the transceiver 510 to communicate with other devices; specifically, it may send information or data to other devices, or receive information or data from other devices.
  • the transceiver 510 may include a transmitter and a receiver.
  • the transceiver 510 may further include an antenna, and the number of antennas may be one or more.
  • the electronic device 500 can implement the corresponding processes of each method on the terminal device, edge device or VPN server side in the embodiments of this application. For the sake of brevity, details are not repeated here.
  • FIG. 6 is a schematic structural diagram of a cloud server 600 provided by an exemplary embodiment of the present application.
  • the cloud server 600 may be an implementation of the VPN server in the above method embodiment.
  • the VPN server 600 includes: a memory 610 and a processor 620 .
  • Memory 610 is used to store computer programs and may be configured to store various other data to support operations on the VPN server.
  • the memory 610 may be an object storage service (OSS).
  • the processor 620 is coupled to the memory 610 and is used to execute the computer program in the memory 610 to implement the method implemented by the VPN server in the above method embodiment.
  • the VPN server also includes: a firewall 630, a load balancer 640, a communication component 650, a power supply component 660 and other components. Only some components are schematically shown in Figure 6, which does not mean that the VPN server only includes the components shown in Figure 6.
  • the VPN server 600 shown in Figure 6 can implement various processes related to the VPN server in the above method embodiment.
  • the operations and/or functions of each module in the VPN server 600 are respectively intended to implement the corresponding processes in the above method embodiments.
  • This application also provides a processing device, including at least one processor, where the at least one processor is used to execute a computer program stored in the memory, so that the processing device executes the method performed by the terminal device, edge device or VPN server in the above method embodiment.
  • An embodiment of the present application also provides a processing device, including a processor and an input and output interface.
  • the input and output interface is coupled to the processor.
  • the input and output interface is used to input and/or output information.
  • the information includes at least one of instructions and data.
  • the processor is used to execute a computer program, so that the processing device executes the method executed by the terminal device, edge device or VPN server in the above method embodiment.
  • An embodiment of the present application also provides a processing device, including a processor and a memory.
  • the memory is used to store a computer program.
  • the processor is used to call and run the computer program from the memory, so that the processing device performs the method performed by the terminal device, edge device or VPN server in the above method embodiment.
  • the above-mentioned processing device may be one or more chips.
  • the processing device may be a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), or a digital signal processing circuit (digital signal processor, DSP).
  • each step of the above method can be completed by instructions in the form of hardware integrated logic circuits or software in the processor.
  • the steps of the methods disclosed in conjunction with the embodiments of the present application can be directly implemented by a hardware processor for execution, or can be executed by a combination of hardware and software modules in the processor.
  • the software module can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other mature storage media in this field.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the processor in the embodiment of the present application may be an integrated circuit chip with signal processing capabilities.
  • each step of the above method embodiment can be completed through an integrated logic circuit of hardware in the processor or instructions in the form of software.
  • the above-mentioned processor can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor, etc.
  • the steps of the method disclosed in conjunction with the embodiments of the present application can be directly implemented by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other mature storage media in this field.
  • the storage medium is located in the memory, and the processor reads the information in the memory and completes the steps of the above method in combination with its hardware.
  • non-volatile memory can be read-only memory (ROM), programmable ROM (PROM), erasable programmable read-only memory (erasable PROM, EPROM), electrically erasable programmable read-only memory (electrically EPROM, EEPROM) or flash memory. Volatile memory can be random access memory (RAM), which is used as an external cache.
  • forms of RAM include static random access memory (SRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM) and direct rambus RAM (DR RAM).
  • the present application also provides a computer program product.
  • the computer program product includes: computer program code.
  • when the computer program code is run on a computer, it causes the computer to execute the method performed by the terminal device, edge device or VPN server in the above method embodiment.
  • the present application also provides a computer-readable storage medium.
  • the computer-readable storage medium stores program code.
  • when the program code is run on a computer, it causes the computer to execute the method in the above method embodiment.
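The forwarding path described in this embodiment, as an added example in Python that is not code from the patent or its applicant: the edge device rewrites the source address of the first data packet to its own first-LAN address only when the source lies in the second (VPN) LAN segment, keeps a record of that modification, and uses the record to rewrite the destination of the second data packet back to the terminal's second-LAN address. The edge address 192.168.1.1, the segments 192.168.1.0/24 and 10.8.0.0/24, the port numbers and the packets are constructed; per-flow edge-side ports are an assumption of this example, since the text describes the mapping at the level of IP addresses only. Packets from outside the second LAN, and replies with no matching forward-path record, are dropped rather than forwarded.

```python
"""Edge-device SNAT forwarding for the VPN-to-industrial-LAN path.

Added example, not code from the patent or from its applicant. The edge
device's address, the two network segments and the packets are constructed
for this demonstration; only IP and port rewriting is modelled, no real
sockets are opened.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    sport: int    # source port
    dport: int    # destination port
    payload: bytes = b""


@dataclass
class EdgeDevice:
    first_lan_ip: str        # edge device's IP address in the first (industrial) LAN
    first_lan_segment: str   # network segment in which the industrial devices live
    second_lan_segment: str = ""   # VPN-side segment, learned from the first configuration information
    # Translation records, one per flow (constructed key layout, an assumption of this example):
    #   (industrial ip, industrial port, edge-side port) -> (terminal ip, terminal port)
    records: dict = field(default_factory=dict)
    _next_port: int = 40000   # first edge-side port to hand out (constructed)

    def configure_snat(self, segment: str) -> None:
        """Configure the SNAT entry: sources inside `segment` (the second LAN)
        are rewritten to the edge device's first-LAN address."""
        ipaddress.ip_network(segment)   # raises ValueError on a malformed segment
        self.second_lan_segment = segment

    def _edge_port_for(self, pkt: Packet) -> int:
        """Reuse the record of an existing flow, or allocate a new edge-side port."""
        for (ip, port, eport), (tip, tport) in self.records.items():
            if (ip, port, tip, tport) == (pkt.dst, pkt.dport, pkt.src, pkt.sport):
                return eport
        eport = self._next_port
        self._next_port += 1
        self.records[(pkt.dst, pkt.dport, eport)] = (pkt.src, pkt.sport)
        return eport

    def forward_to_industrial(self, pkt: Packet) -> Optional[Packet]:
        """First data packet: terminal -> VPN channel -> edge device -> industrial device.
        Returns the rewritten packet, or None if the packet is dropped."""
        if not self.second_lan_segment:
            return None   # SNAT entry not configured yet
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.second_lan_segment):
            return None   # source is not in the second LAN: the SNAT entry does not apply
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.first_lan_segment):
            return None   # only the industrial LAN is reachable through the edge device
        eport = self._edge_port_for(pkt)
        return Packet(self.first_lan_ip, pkt.dst, eport, pkt.dport, pkt.payload)

    def forward_to_terminal(self, pkt: Packet) -> Optional[Packet]:
        """Second data packet: industrial device -> edge device -> VPN channel -> terminal.
        The destination is mapped back using the record made on the forward path."""
        if pkt.dst != self.first_lan_ip:
            return None   # not addressed to the edge device
        terminal = self.records.get((pkt.src, pkt.sport, pkt.dport))
        if terminal is None:
            return None   # no matching outbound flow: unsolicited traffic is dropped
        tip, tport = terminal
        return Packet(pkt.src, tip, pkt.sport, tport, pkt.payload)


def demo():
    """Walk one request/reply exchange plus two packets that must be dropped."""
    edge = EdgeDevice(first_lan_ip="192.168.1.1", first_lan_segment="192.168.1.0/24")
    edge.configure_snat("10.8.0.0/24")   # second LAN segment, as carried in the first configuration information

    # Constructed first data packet: terminal 10.8.0.5 -> industrial device 192.168.1.20
    first = Packet("10.8.0.5", "192.168.1.20", 51000, 502, b"request")
    out = edge.forward_to_industrial(first)
    # The industrial device replies to the edge device's first-LAN address and edge-side port
    reply = Packet("192.168.1.20", "192.168.1.1", 502, out.sport, b"reply")
    back = edge.forward_to_terminal(reply)

    # A packet whose source is outside the second LAN must not be translated
    stray = edge.forward_to_industrial(Packet("203.0.113.9", "192.168.1.20", 4000, 502))
    # A reply for which no forward-path record exists must not reach the VPN side
    unsolicited = edge.forward_to_terminal(Packet("192.168.1.21", "192.168.1.1", 502, 40999))
    return out, back, stray, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the first packet leaving the edge device with source 192.168.1.1 and the reply arriving on the VPN side addressed to 10.8.0.5:51000, while the stray and unsolicited packets yield `None`. Keeping a per-flow record, rather than a single address-level mapping, is what lets several terminals reach the same industrial device without their replies being confused.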

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided in the present application are remote communication methods for an industrial device, apparatuses and devices. A method comprises: an edge device acquiring a first data packet from a terminal device via a VPN channel, the first data packet comprising a destination address, the destination address in the first data packet being an IP address of a target industrial device in a first local area network, and the target industrial device being one of at least one industrial device; and sending the first data packet to the target industrial device. Without exposing an industrial device to a public network, communication between a terminal device and an edge device is achieved, so that the security of remote communication of the industrial device is improved.

Description

Remote communication methods, apparatuses and devices for industrial equipment
This application claims priority to the Chinese patent application filed with the China Patent Office on March 30, 2022, with application number 202210334472.5 and titled "Remote communication method, apparatus and device for industrial equipment", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of cloud computing technology, and in particular to a remote communication method, apparatus and device for industrial equipment.
Background
In some industrial manufacturing scenarios, industrial control devices need to be controlled remotely through terminal devices in order to control the industrial equipment. At present, remote communication schemes between terminal devices and industrial equipment need to expose the industrial equipment to the public network through port mapping on a router, so as to establish a communication link between the remote terminal device and the industrial equipment. This brings considerable security risks to industrial production and maintenance. Therefore, how to implement remote communication for industrial equipment so as to ensure the security of that remote communication is a problem that urgently needs to be solved.
Summary of the invention
Embodiments of this application provide a remote communication method, apparatus and device for industrial equipment, with the aim of improving the security of remote communication with industrial equipment.
In a first aspect, embodiments of this application provide a remote communication method for industrial equipment, applied to an edge device that has a communication connection with at least one industrial device within a first local area network. The method includes: obtaining, through a virtual private network (VPN) channel, a first data packet from a terminal device, where the first data packet includes a destination address, the destination address in the first data packet is the Internet Protocol (IP) address of a target industrial device within the first local area network, and the target industrial device is one of the at least one industrial device; and sending the first data packet to the target industrial device.
In a second aspect, embodiments of this application provide a remote communication method for industrial equipment, applied to a VPN server, including: sending first configuration information to an edge device, where the first configuration information carries information about the network segment of a second local area network, and the network segment of the second local area network is the local area network used when communicating through a VPN channel; and forwarding a first data packet from a terminal device to the edge device, where the first data packet includes a source address and a destination address, the source address in the first data packet is the IP address of the terminal device within the second local area network, the destination address in the first data packet is the IP address of a target industrial device within a first local area network, and the target industrial device is one of at least one industrial device that has a communication connection with the edge device within the first local area network.
In a third aspect, embodiments of this application provide a remote communication method for industrial equipment, applied to a terminal device, including: sending a first data packet to an edge device through a VPN channel, where the first data packet includes a source address and a destination address, the source address in the first data packet is the IP address of the terminal device within a second local area network, the destination address in the first data packet is the IP address of a target industrial device within a first local area network, and the target industrial device is one of at least one industrial device that has a communication connection with the edge device within the first local area network; and receiving, through the VPN channel, a second data packet sent by the edge device.
In a fourth aspect, embodiments of this application provide an edge device that has a communication connection with at least one industrial device within a first local area network. The edge device includes: an obtaining unit, configured to obtain, through a virtual private network (VPN) channel, a first data packet from a terminal device, where the first data packet includes a destination address, the destination address in the first data packet is the Internet Protocol (IP) address of a target industrial device within the first local area network, and the target industrial device is one of the at least one industrial device; and a transceiver unit, configured to send the first data packet to the target industrial device.
In a fifth aspect, embodiments of this application provide a server, including: a transceiver unit, configured to send first configuration information to an edge device, where the first configuration information carries information about the network segment of a second local area network, and the network segment of the second local area network is the local area network used when communicating through a VPN channel; the transceiver unit is further configured to forward a first data packet from a terminal device to the edge device, where the first data packet includes a source address and a destination address, the source address in the first data packet is the IP address of the terminal device within the second local area network, the destination address in the first data packet is the IP address of a target industrial device within a first local area network, and the target industrial device is one of at least one industrial device that has a communication connection with the edge device within the first local area network.
In a sixth aspect, embodiments of this application provide a terminal device, including: a transceiver unit, configured to send a first data packet to an edge device through a VPN channel, where the first data packet includes a source address and a destination address, the source address in the first data packet is the IP address of the terminal device within a second local area network, the destination address in the first data packet is the IP address of a target industrial device within a first local area network, and the target industrial device is one of at least one industrial device that has a communication connection with the edge device within the first local area network; the transceiver unit is further configured to receive, through the VPN channel, a second data packet sent by the edge device.
In a seventh aspect, embodiments of this application provide an electronic device, including at least one processor and a memory; the memory stores computer-executable instructions; and the at least one processor executes the computer-executable instructions stored in the memory, so that the at least one processor performs the method provided in the first, second or third aspect.
In an eighth aspect, embodiments of this application provide a computer-readable storage medium in which computer-executable instructions are stored; when a processor executes the computer-executable instructions, the method provided in the first, second or third aspect is implemented.
In a ninth aspect, embodiments of this application provide a computer program product, including computer instructions which, when executed by a processor, implement the method provided in the first, second or third aspect.
In the embodiments of this application, the edge device and the terminal device communicate in encrypted form through a VPN channel, and the edge device then sends the first data packet sent by the terminal device to the target industrial device within the first local area network. Communication between the terminal device and the edge device is thus achieved without exposing the industrial equipment to the public network, which improves the security of remote communication with industrial equipment.
Brief description of the drawings
Figure 1 is a schematic diagram of a remote communication scenario 100 for industrial equipment provided by an embodiment of this application;
Figure 2 is a schematic interaction flow diagram of a remote communication method 200 for industrial equipment provided by an embodiment of this application;
Figure 3 is a schematic interaction flow diagram of a remote communication method 300 for industrial equipment provided by an embodiment of this application;
Figure 4 is a schematic block diagram of an electronic device 400 provided by an embodiment of this application;
Figure 5 is a schematic structural diagram of an electronic device 500 provided by an embodiment of this application;
Figure 6 is a schematic structural diagram of a cloud server 600 provided by an exemplary embodiment of this application.
具体实施方式Detailed ways
Industry is the material-producing sector that extracts and collects natural resources and processes raw materials of all kinds. It generally includes, but is not limited to, light industry, heavy industry and the chemical industry. Light industry may include, but is not limited to: light industry that uses agricultural products as raw materials, such as food manufacturing, tobacco processing, textiles, papermaking and printing; and light industry that uses non-agricultural products as raw materials, such as the manufacture of cultural, educational and sporting goods, chemical pharmaceuticals, synthetic fibres, daily necessities, hand tools and medical devices. Heavy industry may include, but is not limited to, energy extraction, metal smelting and processing, cement processing and electric power. The chemical industry may include, but is not limited to, plastic and rubber products, coatings and chemical waste treatment. The industrial equipment in the embodiments of the present application can be applied in any of the industrial fields above to carry out industrial production or maintenance. Industrial equipment includes, but is not limited to, Computerised Numerical Control machines (CNC)
In current implementations of industrial automation, industrial equipment is commonly controlled through industrial control devices in order to carry out industrial production or maintenance. It should be understood that the industrial control device here may be independent of the industrial equipment or may be integrated into it. When industrial equipment has an industrial control device integrated into it, that equipment may be called industrial control equipment. The industrial control device may be, for example, a Programmable Logic Controller (PLC).
For ease of explanation, the following description takes the case in which the industrial control device is integrated into the industrial equipment as an example.
In current industrial manufacturing scenarios, industrial equipment is exposed to the public network through a router in order to enable remote communication with it, which results in poor security of that remote communication. To address this problem, in the embodiments of the present application the edge device and the remote terminal device communicate over a VPN, and the edge device then communicates with the industrial control equipment within the first local area network, so that the IP address of the industrial control equipment need not be exposed to the public network for it to communicate with the remote terminal device.
Likewise, because remote communication with industrial equipment is achieved by means of a router, the router must be configured to establish the routing relationship between the industrial equipment and the terminal device, and when the number of industrial devices is large this configuration process becomes complex. In the embodiments of the present application, by contrast, different industrial devices can share the VPN channel established between the edge device and the terminal device, so that each industrial device does not need to establish its own connection with the terminal device, which reduces configuration complexity; moreover, communication between the edge device and the terminal device over the VPN channel has good network penetration.
FIG. 1 is a schematic diagram of a remote communication scenario 100 for industrial equipment provided by an embodiment of the present application. As shown in FIG. 1, an edge device 110 and at least one industrial device 120 are communicatively connected within a first local area network. The edge device 110 may be implemented as a gateway. The industrial device 120 may be implemented as the industrial control equipment described above, or the industrial device 120 may be replaced by the industrial control device described above.
The edge device 110 and a terminal device 130 are connected through a Virtual Private Network (VPN) channel. A VPN is a private network established over a public network, and the VPN channel enables encrypted communication between the edge device 110 and the terminal device 130.
Generally, the VPN channel between the edge device 110 and the terminal device 130 may be established through a VPN server 140, with communication between the edge device 110 and the terminal device 130 relying on forwarding by the VPN server 140; when the terminal device 130 and the edge device 110 communicate over the VPN channel, a second local area network may be used. Of course, the VPN server 140 may also be integrated into the terminal device 130 or the edge device 110 as a functional module, which the present application does not limit.
The VPN server 140 may be implemented as an ordinary server or server cluster, or as a cloud server or server cluster.
There may be one or more terminal devices 130, which the present application does not limit. When there are multiple terminal devices 130, they may communicate with the edge device 110 through the VPN server 140; specifically, the multiple terminal devices 130 may communicate with the edge device 110 in encrypted form within the same local area network (for example, the second local area network above), and the IP addresses of all of the terminal devices 130 belong to the network segment of that second local area network.
The edge device 110 may forward a data packet received from the terminal device 130 to at least one of the industrial devices 120, and may forward a data packet received from an industrial device 120 to the terminal device 130, thereby enabling communication between the terminal device 130 and the industrial device 120.
By way of example, a VPN client is deployed on both the edge device 110 and the terminal device 130, and the VPN server side is deployed on the VPN server 140.
The terms "first" and "second" in the first local area network and second local area network above serve to distinguish different local area networks; they do not indicate an order, nor do they imply that the first and second local area networks are of different types.
It should be noted that the scenario shown in FIG. 1 is given only as an example of the components of a scenario relevant to the embodiments of the present application and does not limit the present application in any way.
The remote communication methods for industrial equipment provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
It should be understood that, purely for ease of understanding and explanation, the following describes the methods provided by the embodiments of the present application in detail by taking the interaction between a terminal device, an edge device and an industrial device as an example. The terminal device may be, for example, the terminal device 130 in FIG. 1, the edge device may be, for example, the edge device 110 in FIG. 1, and the industrial device may be, for example, the industrial device 120 in FIG. 1. In some embodiments a VPN server also takes part in the interaction to implement the methods provided by the embodiments of the present application; that VPN server may be, for example, the VPN server 140 in FIG. 1.
It should be understood, however, that this does not limit in any way the entity that executes the methods provided by the present application. Any entity that can implement a method provided by an embodiment of the present application by running a program recording the code of that method may serve as the executing entity of that method. For example, the terminal device in the embodiments below may be replaced by a component of the terminal device, such as a chip, a chip system or another functional module capable of invoking and executing a program; the edge device may likewise be replaced by such a component of the edge device; the industrial device may be replaced by such a component of the industrial device; and the VPN server may be replaced by such a component of the VPN server.
FIG. 2 is a schematic interaction flow diagram of a remote communication method 200 for industrial equipment provided by an embodiment of the present application. As shown in FIG. 2, the method 200 includes some or all of the following steps:
S210: The terminal device sends a first data packet to the edge device through the VPN channel.
Correspondingly, the edge device obtains the first data packet from the terminal device through the VPN channel.
S220: The edge device sends the first data packet to the target industrial device.
In this embodiment of the present application, the first data packet includes at least a destination address, and the destination address in the first data packet is the IP address of the target industrial device within the first local area network. As stated above, the industrial devices are communicatively connected to the edge device within the first local area network, and the target industrial device may be any one of the at least one industrial device so connected; the terminal device indicates the target industrial device by means of the destination address in the first data packet.
The edge device sends the first data packet to the target industrial device indicated by the destination address in the first data packet. By way of example, the edge device and the target industrial device may communicate through the first local area network on the basis of their respective IP addresses within it.
The data in the first data packet may be used to control or maintain the target industrial device. There may be one or more target industrial devices, which the present application does not limit. When there is more than one target industrial device, the terminal device may send to the edge device a first data packet corresponding to each target industrial device, and the edge device then forwards each first data packet to the corresponding target industrial device.
Thus, in S210 and S220 above, the edge device and the terminal device communicate in encrypted form through the VPN channel, and the edge device then delivers the first data packet sent by the terminal device to the target industrial device within the first local area network. Communication between the terminal device and the edge device is achieved without exposing the industrial equipment to the public network, which improves the security of remote communication with the industrial equipment.
It will be understood that, besides the destination address and the data, the first data packet may also include a source address. After the target industrial device receives the first data packet, it may use the source address of the first data packet as a destination address and send a data packet (such as the second data packet below) to that destination address, so that information is exchanged. The source address in the first data packet, however, is the IP address of the terminal device within the second local area network, that is, its virtual IP address under the VPN, and in that case a target industrial device connected to the first local area network is unable to send the second data packet to the terminal device. Therefore, in some embodiments, to ensure that after sending the first data packet to the target industrial device it will be able to forward the second data packet from the target industrial device to the terminal device, the edge device may, before forwarding the first data packet, modify the source address in the first data packet to the IP address of the edge device within the first local area network and then send the modified first data packet to the target industrial device, so that the target industrial device sends the second data packet with the edge device's IP address within the first local area network as its destination address.
The modification of the source address in the first data packet by the edge device may be implemented as follows. After receiving the first data packet sent by the terminal device, the edge device may determine whether the first data packet came from the VPN channel; for example, the edge device determines, from the network segment to which the source address in the first data packet belongs, whether that address belongs to the network segment of the second local area network. If the network segment of the source address in the first data packet is the network segment of the second local area network, then the first data packet came from the VPN channel, in other words the terminal device sent the first data packet through the VPN client, and in that case the edge device may modify the source address in the first data packet. For example, if the network segment of the second local area network is 192.168.40.x and the source address in the first data packet is 192.168.40.4, the edge device determines that the source address in the first data packet belongs to the network segment of the second local area network and therefore modifies the source address in the first data packet.
Continuing with the implementation above, the edge device may modify the source address in the first data packet to the edge device's IP address within the second local area network according to a preconfigured Source Network Address Translation (SNAT) entry. It should be noted that the SNAT entry indicates that a source address belonging to the network segment of the second local area network is to be modified to the IP address of the edge device; the SNAT entry can be understood as a SNAT policy, which may include a mapping between the edge device's IP address within the first local area network and the network segment of the second local area network.
By combining the VPN channel with SNAT, a network tunnel is established between the terminal device and the industrial device, so that communication takes place at the Transmission Control Protocol (TCP)/IP network layer without affecting the network layers above layer three.
Of course, the modification of the source address in the first data packet by the edge device in the implementation above is only an example and not a limitation. For example, the edge device may instead add its IP address within the first local area network to the first data packet as an additional source address. Modifying the source address in the first data packet by means of SNAT is likewise only an example and not a limitation; for example, the edge device may modify the source address in the first data packet on the basis of a preset mapping between the network segment of the second local area network and the edge device's IP address within the first local area network.
In some embodiments, the method 200 further includes the following steps S230 and S240.
S230: The target industrial device sends a second data packet to the edge device.
Correspondingly, the edge device receives the second data packet sent by the target industrial device.
S240: The edge device sends the second data packet to the terminal device through the VPN channel.
Correspondingly, the terminal device receives the second data packet through the VPN channel.
It should be noted that the process of transmitting the first data packet and the process of transmitting the second data packet described above may overlap in time; for example, while the edge device forwards the first data packet sent by the terminal device to the target industrial device, it may also forward the second data packet sent by the target industrial device to the terminal device. Alternatively, the two processes may not overlap in time; for example, the second data packet may be generated on the basis of the data in the first data packet, in which case the edge device forwards the first data packet from the terminal device to the target industrial device and then forwards the second data packet from the target industrial device to the terminal device. The present application does not limit this.
Like the first data packet, the second data packet may include a destination address, a source address and data. The destination address of the second data packet may be the source address of the received first data packet, and the source address of the second data packet may be the destination address of the received first data packet. Specifically, the destination address of the second data packet may be the IP address of the edge device within the first local area network, and the source address of the second data packet may be the IP address of the target industrial device within the first local area network. The target industrial device transmits the second data packet within the first local area network.
After receiving the second data packet sent by the target industrial device, the edge device may modify the destination address in the second data packet to the IP address of the terminal device within the second local area network and then forward the second data packet to the terminal device through the VPN channel. By way of example, when the edge device modifies the source address of the first data packet it may keep a source address modification record for the first data packet, which includes at least the original source address of the first data packet (that is, the IP address of the terminal device within the second local area network) and its destination address (that is, the IP address of the target industrial device within the first local area network). The edge device can then, on the basis of that modification record and the source address of the second data packet (that is, the IP address of the target industrial device within the first local area network), modify the destination address of the second data packet to the IP address of the terminal device within the second local area network; for example, when the source address of the second data packet matches the destination address in the modification record for the first data packet, the edge device modifies the destination address of the second data packet to the IP address of the terminal device within the second local area network. The edge device can then send the second data packet to the terminal device through the VPN channel on the basis of the terminal device's IP address within the second local area network.
In this embodiment, the edge device receives the second data packet sent by the target industrial device through the first local area network and sends it to the terminal device through the VPN channel. Communication between the terminal device and the edge device is achieved without exposing the industrial equipment to the public network, which improves the security of remote communication with the industrial equipment.
The VPN channel in the embodiments above may be a network channel established through, and communicating via, a VPN server. This is described below with reference to FIG. 3.
FIG. 3 is a schematic interaction flow diagram of a remote communication method 300 for industrial equipment provided by an embodiment of the present application. The method 300 may include some or all of the following steps:
First, the configuration of the terminal device's VPN environment by the VPN server is described by way of example.
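The edge device's forwarding logic in S210 to S240, written out as an added Python example (not the patent's own code): the SNAT rewrite of the first packet's source address, the source address modification record, and the reverse rewrite of the second packet's destination. It keeps the page's second-LAN segment 192.168.40.x and terminal address 192.168.40.4; the first-LAN segment 10.0.0.0/24, the edge address 10.0.0.1, the device address 10.0.0.20 and the payloads are constructed assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal model of an IP packet: only the fields the method rewrites."""
    src: IPv4Address
    dst: IPv4Address
    data: bytes


def make_packet(src: str, dst: str, data: bytes) -> Packet:
    """Build a Packet from dotted-quad strings (convenience for examples/tests)."""
    return Packet(IPv4Address(src), IPv4Address(dst), data)


# Constructed addresses. 192.168.40.x and 192.168.40.4 are the page's own
# figures; the first-LAN values below are assumptions for this example.
SECOND_LAN = IPv4Network("192.168.40.0/24")   # VPN-side LAN (terminal devices)
FIRST_LAN = IPv4Network("10.0.0.0/24")        # plant LAN (edge + industrial devices)
EDGE_FIRST_LAN_IP = IPv4Address("10.0.0.1")
TERMINAL_IP = IPv4Address("192.168.40.4")
PLC_IP = IPv4Address("10.0.0.20")


class EdgeDevice:
    """Forwarding logic of the edge device in method 200 (S210-S240)."""

    def __init__(self, first_lan_ip: IPv4Address, first_lan: IPv4Network,
                 second_lan: IPv4Network) -> None:
        self.first_lan_ip = first_lan_ip
        self.first_lan = first_lan
        # Preconfigured SNAT entry: a source address in the second-LAN segment
        # is rewritten to the edge device's own address in the first LAN.
        self.snat_entries: Dict[IPv4Network, IPv4Address] = {second_lan: first_lan_ip}
        # Source address modification records: target device IP -> original
        # source (the terminal's second-LAN IP). Keyed by the target only, as
        # the description states; assumption beyond the page: serving several
        # terminals against one device would also need the transport port.
        self.records: Dict[IPv4Address, IPv4Address] = {}

    def snat_target(self, src: IPv4Address) -> Optional[IPv4Address]:
        """Return the replacement source address if a SNAT entry covers src."""
        for segment, edge_ip in self.snat_entries.items():
            if src in segment:
                return edge_ip
        return None

    def handle_from_vpn(self, first_packet: Packet) -> Optional[Packet]:
        """S210/S220: first packet received over the VPN channel.

        Returns the rewritten packet to send on the first LAN, or None if the
        packet is not forwarded.
        """
        new_src = self.snat_target(first_packet.src)
        if new_src is None:
            # Source not in the second-LAN segment: it did not arrive through
            # the VPN client, so this path does not handle it.
            return None
        if first_packet.dst not in self.first_lan or first_packet.dst == self.first_lan_ip:
            # Defensive check: only forward to industrial devices on the first
            # LAN, never to the edge itself or to arbitrary destinations.
            return None
        self.records[first_packet.dst] = first_packet.src
        return replace(first_packet, src=new_src)

    def handle_from_lan(self, second_packet: Packet) -> Optional[Packet]:
        """S230/S240: second packet from a device, addressed to the edge device.

        Returns the packet to send through the VPN channel, or None.
        """
        if second_packet.dst != self.first_lan_ip:
            return None
        terminal_ip = self.records.get(second_packet.src)
        if terminal_ip is None:
            # No earlier first packet went to this device: nothing to map back to.
            return None
        return replace(second_packet, dst=terminal_ip)


def run_exchange() -> Tuple[Packet, Packet]:
    """One request/reply exchange; returns (packet to PLC, packet to terminal)."""
    edge = EdgeDevice(EDGE_FIRST_LAN_IP, FIRST_LAN, SECOND_LAN)
    first = Packet(TERMINAL_IP, PLC_IP, b"READ_COIL 17")      # constructed payload
    to_plc = edge.handle_from_vpn(first)
    # The device replies to the source it saw: the edge device's first-LAN IP.
    reply = Packet(to_plc.dst, to_plc.src, b"COIL 17 = ON")   # constructed payload
    to_terminal = edge.handle_from_lan(reply)
    return to_plc, to_terminal


if __name__ == "__main__":
    a, b = run_exchange()
    print(f"to PLC:      {a.src} -> {a.dst}")
    print(f"to terminal: {b.src} -> {b.dst}")
```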
The VPN server may obtain a second client configuration request; for example, as shown in FIG. 3, the VPN server obtains a second client configuration request input by a user. The second client configuration request requests configuration of the VPN environment corresponding to each of at least one terminal device; for example, the second client configuration request may carry the number and/or identifiers of the terminal devices. In response to the second client configuration request, the VPN server may determine the network segment of the second local area network and a VPN certificate corresponding to each terminal device. The VPN server then either carries the network segment information of the second local area network together with at least one VPN certificate in at least one piece of third configuration information, or carries one IP address belonging to the network segment of the second local area network together with one VPN certificate in one piece of third configuration information. Compared with the first option, the second lets the terminal device determine its own IP address directly from the third configuration information, rather than having to determine its own IP address from the network segment of the second local area network.
Continuing with the deployment of the terminal device's VPN environment described above, the VPN server may send the third configuration information to the terminal device; when multiple terminal devices are connected to the VPN server, it may send multiple pieces of third configuration information to the corresponding terminal devices respectively. The terminal device can then determine its own IP address within the second local area network from the third configuration information and install the certificate, thereby completing the configuration of its VPN environment.
The server side deployed on the VPN server may be set to bridged (TAP) mode, so that it is implemented as a Secure Sockets Layer (SSL) server. Correspondingly, the client deployed on the terminal device may be an SSL client.
The configuration of the edge device's VPN environment by the VPN server is described by way of example.
As shown in FIG. 3, the VPN server receives a first client configuration request sent by the edge device, which requests that the VPN server send second configuration information. The first client configuration request may be sent by the edge device when it is first powered on; of course, this should not be understood as limiting the present application in any way, and the first client configuration request may also, for example, be a request sent by the edge device in response to a user-input command.
It should be noted that the second configuration information may include at least one of a VPN client installation package, a VPN certificate and a VPN start-up instruction. By way of example, the edge device may install the VPN client by running the VPN client installation package in the second configuration information; the edge device may install the VPN certificate in the second configuration information; and the edge device may start the VPN client in response to the VPN start-up instruction in the second configuration information.
In some embodiments, the edge device needs to configure a SNAT entry. The edge device may configure the SNAT entry according to the network segment of the second local area network, so as to establish a mapping between the network segment of the second local area network and the edge device's IP address within the first local area network.
The network segment of the second local area network may be preset in the edge device, or the edge device may receive it from the VPN server. For example, the VPN server determines the network segment of the second local area network in response to the second client configuration request, carries the network segment information in first configuration information and sends it to the edge device.
The deployment of the VPN environment described above with reference to FIG. 3 is only an example and does not limit the present application in any way; for example, some or all of the steps in the deployment described above may also be completed in response to configuration input by a user.
Once the terminal device and the edge device have deployed the VPN server side, data transmission between them over the VPN channel can be achieved through the VPN server. For example, the terminal device may send the first data packet to the VPN server, and the VPN server forwards the first data packet sent by the terminal device to the edge device, so that the terminal device sends the first data packet to the edge device through the VPN channel; and/or the edge device sends the second data packet to the VPN server, and the VPN server forwards the received second data packet to the terminal device, so that the edge device sends the second data packet to the terminal device through the VPN channel.
In the embodiment shown in FIG. 3, the edge device and the target industrial device still communicate through the first local area network, in the manner described for communication between the edge device and the target industrial device in any of the embodiments above. For example, the edge device modifies the source address in the first data packet to its IP address within the first local area network and then sends the first data packet to the target industrial device; as a further example, after receiving the second data packet sent by the target industrial device, the edge device modifies the destination address in the second data packet to the IP address of the terminal device within the second local area network and then sends it to the terminal device through the VPN channel.
In the embodiments of the present application, when there is more than one industrial device, the multiple industrial devices and the edge device can be deployed in the same local area network, and remote communication is then achieved through the VPN channel between the edge device and the terminal device. Compared with the prior art, in which a communication link is established for each industrial device, this makes remote deployment more convenient.
It should be noted that the descriptions "first", "second", "third" and so on in this document serve to distinguish different local area networks, data packets, configuration information, requests and the like; they do not indicate an order, nor do they imply that the "first" and "second" items are of different types.
In the various embodiments of the present application, unless otherwise specified or logically contradictory, the terms and/or descriptions used in the different embodiments are consistent and may be cited by one another, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
FIG. 4 is a schematic block diagram of an electronic device 400 provided by an embodiment of this application. As shown in FIG. 4, the electronic device 400 can be implemented as the executing entity of the above method embodiments, for example the edge device, the VPN server or the terminal device. The electronic device 400 includes at least a transceiver unit 410; in some embodiments, the electronic device 400 may further include an acquisition unit 420 and/or a processing unit 430.
Optionally, the electronic device 400 may correspond to the edge device in the above method embodiments; for example, it may be an implementation of the edge device, or a component (such as a chip or chip system) configured in the edge device.
The acquisition unit 420 may be configured to obtain, through a virtual private network (VPN) channel, a first data packet from the terminal device, the first data packet including a destination address, the destination address in the first data packet being the Internet Protocol (IP) address of the target industrial device in the first local area network, and the target industrial device being one of the at least one industrial device; the transceiver unit 410 is configured to send the first data packet to the target industrial device.
In some embodiments, the first data packet further includes a source address; the source address in the first data packet is the IP address of the terminal device in a second local area network, the second local area network being the local area network used when communicating through the VPN channel. The transceiver unit 410 is specifically configured to: modify the source address in the first data packet to the IP address of the edge device in the first local area network; and send the first data packet to the target industrial device.
In some embodiments, the transceiver unit 410 is specifically configured to: when the source address in the first data packet belongs to the network segment of the second local area network, modify the source address in the first data packet to the IP address of the edge device in the first local area network according to a preconfigured source network address translation (SNAT) entry, the SNAT entry indicating that source addresses belonging to the network segment of the second local area network are to be modified to the IP address of the edge device.
In some embodiments, the transceiver unit 410 is further configured to receive first configuration information sent by the VPN server, the first configuration information carrying information about the network segment of the second local area network; the processing unit 430 is configured to configure the SNAT entry according to the first configuration information.
In some embodiments, the acquisition unit 420 is specifically configured to receive the first data packet forwarded by the VPN server.
In some embodiments, the transceiver unit 410 is further configured to receive a second data packet sent by the target industrial device, the second data packet including a source address and a destination address, the destination address in the second data packet being the IP address of the edge device in the first local area network; the processing unit 430 is further configured to modify the destination address of the second data packet to the IP address of the terminal device in the second local area network according to the record of the source-address modification made to the first data packet and the source address of the second data packet; and the transceiver unit 410 is further configured to send the second data packet to the terminal device through the VPN channel.
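The edge-device behaviour described in the preceding paragraphs (SNAT of the first data packet according to the configured second-LAN segment, a record of that modification, and restoration of the second data packet's destination from the record) is shown below as an added example written for this page; it is not code from the patent or from the applicant. Everything beyond the patent's wording is an assumption: IPv4, flows identified by IP and port, a rewritten source port as the record key so that several terminals can reach the same industrial device, the sample addresses, and the refusal of packets whose source is outside the VPN segment, whose destination is outside the industrial LAN, or for which no modification record exists.

```python
"""Address rewriting on the edge device for the VPN-to-industrial-LAN path.

Added example for this page, not code from the patent or the applicant.
Assumed: IPv4, (IP, port) flow identification, per-flow records keyed on the
rewritten source port, and the drop rules marked below.
"""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Minimal IP/transport header model (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class EdgeDevice:
    def __init__(self, first_lan: str, edge_ip_in_first_lan: str):
        self.first_lan = ipaddress.ip_network(first_lan)
        self.edge_ip = ipaddress.ip_address(edge_ip_in_first_lan)
        if self.edge_ip not in self.first_lan:
            raise ValueError("edge device address must lie in the first LAN")
        self.second_lan = None          # filled from the first configuration information
        self.records = {}               # (ind_ip, ind_port, mapped_port) -> (term_ip, term_port)
        self._next_mapped_port = 40000  # assumed range for rewritten source ports

    def configure_snat(self, second_lan_segment: str) -> None:
        """Install the SNAT entry carried by the VPN server's first configuration information.

        Rejecting a VPN segment that overlaps the industrial LAN is a practitioner's
        safeguard (assumed, not in the patent): with overlapping segments the
        membership tests below cannot tell the two sides apart.
        """
        seg = ipaddress.ip_network(second_lan_segment)
        if seg.overlaps(self.first_lan):
            raise ValueError("second LAN segment overlaps the first LAN")
        self.second_lan = seg

    def forward_to_industrial(self, pkt: Packet) -> Packet:
        """First data packet (terminal -> industrial device): rewrite the source address."""
        if self.second_lan is None:
            raise RuntimeError("SNAT entry not configured")
        if ipaddress.ip_address(pkt.src_ip) not in self.second_lan:
            raise PermissionError("source not in the VPN segment; dropped")
        if ipaddress.ip_address(pkt.dst_ip) not in self.first_lan:
            raise PermissionError("destination not in the industrial LAN; dropped")
        mapped_port = self._next_mapped_port
        self._next_mapped_port += 1
        # Source-address modification record, used later to restore the reply's destination.
        self.records[(pkt.dst_ip, pkt.dst_port, mapped_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=str(self.edge_ip), src_port=mapped_port)

    def forward_to_terminal(self, pkt: Packet) -> Packet:
        """Second data packet (industrial device -> edge): restore the destination address."""
        if pkt.dst_ip != str(self.edge_ip):
            raise PermissionError("not addressed to the edge device; dropped")
        record = self.records.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if record is None:
            # No matching first packet: traffic initiated from the industrial LAN
            # toward the VPN side has no record and is never forwarded.
            raise PermissionError("no matching modification record; dropped")
        term_ip, term_port = record
        return replace(pkt, dst_ip=term_ip, dst_port=term_port)


def round_trip(edge: EdgeDevice, first: Packet) -> tuple:
    """Run one request/reply exchange through the edge device and return both rewritten packets."""
    to_industrial = edge.forward_to_industrial(first)
    # Constructed reply from the industrial device, addressed to the edge device's first-LAN IP.
    reply = Packet(to_industrial.dst_ip, to_industrial.dst_port,
                   to_industrial.src_ip, to_industrial.src_port)
    return to_industrial, edge.forward_to_terminal(reply)


if __name__ == "__main__":
    edge = EdgeDevice("192.168.10.0/24", "192.168.10.1")   # assumed first LAN and edge address
    edge.configure_snat("10.8.0.0/24")                     # assumed second (VPN) LAN segment
    out, back = round_trip(edge, Packet("10.8.0.5", 51000, "192.168.10.20", 502))
    print(out)   # source rewritten to 192.168.10.1:40000
    print(back)  # destination restored to 10.8.0.5:51000
```

On a Linux edge device the same forward rewrite is what an `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d 192.168.10.0/24 -j SNAT --to-source 192.168.10.1` rule (with IP forwarding enabled) performs, and the kernel's connection tracking plays the role of `records`, including the expiry of stale entries that this example leaves out.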
In some embodiments, the transceiver unit 410 is further configured to receive second configuration information sent by the VPN server, the second configuration information carrying at least one of a VPN client installation package, a VPN certificate and a VPN startup instruction; the processing unit 430 is further configured to configure the VPN environment according to the second configuration information so as to establish the VPN channel.
In some embodiments, before receiving the second configuration information sent by the VPN server, the transceiver unit 410 is further configured to send a first client configuration request to the VPN server upon initial power-on, the first client configuration request requesting the VPN server to send the second configuration information.
Optionally, the electronic device 400 may correspond to the VPN server in the above method embodiments; for example, it may be an implementation of the VPN server, or a component (such as a chip or chip system) configured in the VPN server.
The transceiver unit 410 may be configured to: send first configuration information to the edge device, the first configuration information carrying information about the network segment of the second local area network, the second local area network being the local area network used when communicating through the VPN channel; and forward the first data packet from the terminal device to the edge device, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in the second local area network, the destination address in the first data packet being the IP address of the target industrial device in the first local area network, and the target industrial device being one of the at least one industrial device communicatively connected with the edge device in the first local area network.
In some embodiments, the transceiver unit 410 is further configured to send second configuration information to the edge device, the second configuration information carrying at least one of a VPN client installation package, a VPN certificate and a VPN startup instruction.
In some embodiments, the transceiver unit 410 is further configured to receive a first client configuration request sent by the edge device upon its initial power-on, the first client configuration request requesting the VPN server to send the second configuration information.
In some embodiments, the acquisition unit 420 is configured to obtain a second client configuration request, the second client configuration request requesting configuration of the VPN environment corresponding to each of at least one terminal device; the processing unit 430 is configured to generate, according to the second client configuration request, the first configuration information and/or at least one piece of third configuration information corresponding respectively to the at least one terminal device, the third configuration information including the network segment of the second local area network and/or the VPN certificate corresponding to the terminal device; and the transceiver unit 410 is further configured to send the respective third configuration information to each of the at least one terminal device.
In some embodiments, the VPN server is configured in bridge mode.
Optionally, the electronic device 400 may correspond to the terminal device in the above method embodiments; for example, it may be an implementation of the terminal device, or a component (such as a chip or chip system) configured in the terminal device.
The transceiver unit 410 may be configured to: send a first data packet to the edge device through the VPN channel, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in the second local area network, the destination address in the first data packet being the IP address of the target industrial device in the first local area network, and the target industrial device being one of the at least one industrial device communicatively connected with the edge device in the first local area network; and receive, through the VPN channel, the second data packet sent by the edge device.
It should be understood that the specific process by which each unit performs the corresponding steps above has been described in detail in the method embodiments and, for brevity, is not repeated here.
FIG. 5 is a schematic structural diagram of an electronic device 500 provided by an embodiment of this application. The electronic device 500 shown in FIG. 5 can be implemented as the terminal device, the edge device or the VPN server, and is used to perform the steps performed by the terminal device, the edge device or the VPN server in the above method embodiments. The electronic device 500 includes a processor 520, which can call and run a computer program from memory to implement the methods in the embodiments of this application.
In some embodiments, as shown in FIG. 5, the electronic device 500 may further include a memory 530. The processor 520 can call and run the computer program from the memory 530 to implement the methods in the embodiments of this application.
The memory 530 may be a separate device independent of the processor 520, or may be integrated into the processor 520.
In some embodiments, as shown in FIG. 5, the electronic device 500 may further include a transceiver 510, and the processor 520 may control the transceiver 510 to communicate with other devices, specifically to send information or data to other devices or to receive information or data sent by other devices.
The transceiver 510 may include a transmitter and a receiver. The transceiver 510 may further include one or more antennas.
In some embodiments, the electronic device 500 can implement the corresponding flows of the methods on the terminal-device, edge-device or VPN-server side in the embodiments of this application; for brevity, they are not repeated here.
FIG. 6 is a schematic structural diagram of a cloud server 600 provided by an exemplary embodiment of this application. The cloud server 600 may be an implementation of the VPN server in the above method embodiments. As shown in FIG. 6, the VPN server 600 includes a memory 610 and a processor 620.
The memory 610 is used to store computer programs and may be configured to store various other data to support operations on the VPN server. The memory 610 may be an Object Storage Service (OSS).
The processor 620 is coupled to the memory 610 and executes the computer program in the memory 610 to implement the method performed by the VPN server in the above method embodiments.
Further, as shown in FIG. 6, the VPN server also includes a firewall 630, a load balancer 640, a communication component 650, a power supply component 660 and other components. Only some components are shown schematically in FIG. 6; this does not mean that the VPN server includes only the components shown in FIG. 6.
It should be understood that the VPN server 600 shown in FIG. 6 can implement the various processes involving the VPN server in the above method embodiments. The operations and/or functions of the modules in the VPN server 600 serve to implement the corresponding flows in the above method embodiments. For details, refer to the description in the method embodiments; to avoid repetition, the detailed description is omitted here.
This application further provides a processing apparatus including at least one processor, the at least one processor being configured to execute a computer program stored in a memory so that the processing apparatus performs the method performed by the terminal device, the edge device or the VPN server in the above method embodiments.
An embodiment of this application further provides a processing apparatus including a processor and an input/output interface. The input/output interface is coupled to the processor and is used to input and/or output information, the information including at least one of instructions and data. The processor is configured to execute a computer program so that the processing apparatus performs the method performed by the terminal device, the edge device or the VPN server in the above method embodiments.
An embodiment of this application further provides a processing apparatus including a processor and a memory. The memory is used to store a computer program, and the processor is configured to call and run the computer program from the memory so that the processing apparatus performs the method performed by the terminal device, the edge device or the VPN server in the above method embodiments.
It should be understood that the above processing apparatus may be one or more chips. For example, the processing apparatus may be a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or another integrated chip.
In implementation, each step of the above methods can be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware. To avoid repetition, this is not described in detail here.
It should be noted that the processor in the embodiments of this application may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method embodiments can be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or perform the methods, steps and logical block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above methods in combination with its hardware.
It can be understood that the memory in the embodiments of this application may be volatile memory or non-volatile memory, or may include both. The non-volatile memory may be read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. The volatile memory may be random access memory (RAM), which is used as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM) and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to include, without being limited to, these and any other suitable types of memory.
According to the methods provided by the embodiments of this application, this application further provides a computer program product comprising computer program code which, when run on a computer, causes the computer to perform the method performed by the terminal device, the edge device or the VPN server in the above method embodiments.
According to the methods provided by the embodiments of this application, this application further provides a computer-readable storage medium storing program code which, when run on a computer, causes the computer to perform the method performed by the terminal device, the edge device or the VPN server in the above method embodiments.
The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto. Any variation or substitution that a person skilled in the art could readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be that of the claims.

Claims (14)

  1. A remote communication method for industrial devices, applied to an edge device, the edge device being communicatively connected with at least one industrial device in a first local area network, the method comprising:
    obtaining, through a virtual private network (VPN) channel, a first data packet from a terminal device, the first data packet including a destination address, the destination address in the first data packet being the Internet Protocol (IP) address of a target industrial device in the first local area network, the target industrial device being one of the at least one industrial device; and
    sending the first data packet to the target industrial device.
  2. The method according to claim 1, wherein the first data packet further includes a source address, the source address in the first data packet being the IP address of the terminal device in a second local area network, the second local area network being the local area network used when communicating through the VPN channel; and
    wherein sending the first data packet to the target industrial device comprises:
    modifying the source address in the first data packet to the IP address of the edge device in the first local area network; and
    sending the first data packet to the target industrial device.
  3. The method according to claim 2, wherein modifying the source address in the first data packet to the IP address of the edge device in the first local area network comprises:
    when the source address in the first data packet belongs to the network segment of the second local area network, modifying the source address in the first data packet to the IP address of the edge device in the first local area network according to a preconfigured source network address translation (SNAT) entry, the SNAT entry indicating that source addresses belonging to the network segment of the second local area network are to be modified to the IP address of the edge device.
  4. The method according to any one of claims 1 to 3, wherein obtaining the first data packet from the terminal device through the VPN channel comprises:
    receiving the first data packet forwarded by the VPN server.
  5. The method according to any one of claims 2 to 3, further comprising:
    receiving a second data packet sent by the target industrial device, the second data packet including a source address and a destination address, the destination address in the second data packet being the IP address of the edge device in the first local area network;
    modifying the destination address of the second data packet to the IP address of the terminal device in the second local area network according to the record of the source-address modification made to the first data packet and the source address of the second data packet; and
    sending the second data packet to the terminal device through the VPN channel.
  6. A remote communication method for industrial devices, applied to a VPN server, the method comprising:
    sending first configuration information to an edge device, the first configuration information carrying information about the network segment of a second local area network, the second local area network being the local area network used when communicating through a VPN channel; and
    forwarding a first data packet from a terminal device to the edge device, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in the second local area network, the destination address in the first data packet being the IP address of a target industrial device in a first local area network, the target industrial device being one of at least one industrial device communicatively connected with the edge device in the first local area network.
  7. The method according to claim 6, wherein, before forwarding the first data packet from the terminal device to the edge device, the method further comprises:
    sending second configuration information to the edge device, the second configuration information carrying at least one of a VPN client installation package, a VPN certificate and a VPN startup instruction.
  8. The method according to claim 7, wherein, before sending the second configuration information to the edge device, the method further comprises:
    receiving a first client configuration request sent by the edge device upon its initial power-on, the first client configuration request requesting the VPN server to send the second configuration information.
  9. The method according to any one of claims 6 to 8, further comprising:
    obtaining a second client configuration request, the second client configuration request requesting configuration of the VPN environment corresponding to each of at least one terminal device;
    generating, according to the second client configuration request, the first configuration information and/or at least one piece of third configuration information corresponding respectively to the at least one terminal device, the third configuration information including the network segment of the second local area network and/or the VPN certificate corresponding to the terminal device; and
    sending the respective third configuration information to each of the at least one terminal device.
  10. A remote communication method for industrial devices, applied to a terminal device, the method comprising:
    sending a first data packet to an edge device through a VPN channel, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in a second local area network, the destination address in the first data packet being the IP address of a target industrial device in a first local area network, the target industrial device being one of at least one industrial device communicatively connected with the edge device in the first local area network; and
    receiving, through the VPN channel, a second data packet sent by the edge device.
  11. An edge device, the edge device being communicatively connected with at least one industrial device in a first local area network, the edge device comprising:
    an acquisition unit configured to obtain, through a virtual private network (VPN) channel, a first data packet from a terminal device, the first data packet including a destination address, the destination address in the first data packet being the Internet Protocol (IP) address of a target industrial device in the first local area network, the target industrial device being one of the at least one industrial device; and
    a transceiver unit configured to send the first data packet to the target industrial device.
  12. A server, comprising:
    a transceiver unit configured to send first configuration information to an edge device, the first configuration information carrying information about the network segment of a second local area network, the second local area network being the local area network used when communicating through a VPN channel;
    the transceiver unit being further configured to forward a first data packet from a terminal device to the edge device, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in the second local area network, the destination address in the first data packet being the IP address of a target industrial device in a first local area network, the target industrial device being one of at least one industrial device communicatively connected with the edge device in the first local area network.
  13. A terminal device, comprising:
    a transceiver unit configured to send a first data packet to an edge device through a VPN channel, the first data packet including a source address and a destination address, the source address in the first data packet being the IP address of the terminal device in a second local area network, the destination address in the first data packet being the IP address of a target industrial device in a first local area network, the target industrial device being one of at least one industrial device communicatively connected with the edge device in the first local area network;
    the transceiver unit being further configured to receive, through the VPN channel, a second data packet sent by the edge device.
  14. An electronic device, comprising at least one processor and a memory;
    the memory storing computer-executable instructions;
    所述至少一个处理器执行所述存储器存储的计算机执行指令,使得所述至少一个处理器执行如权利要求1至10中任一项所述的方法。 The at least one processor executes computer-executable instructions stored in the memory, such that the at least one processor executes the method of any one of claims 1 to 10.
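The packet flow of claims 11 to 13 (the terminal device sends a first data packet over the VPN channel with its second-LAN address as source and the target industrial device's first-LAN address as destination; the server pushes the second LAN's network segment to the edge device as first configuration information; the edge device forwards the packet onto the first LAN and a second data packet comes back over the VPN channel) modelled in Python as an added example. This is not code from the patent or its applicant. The class and function names, the address ranges, the rule that nothing is forwarded before the configuration arrives, and the source and destination checks are assumptions added to show the policy an edge device in this position should apply before it puts a VPN-delivered packet onto the industrial LAN; the claims themselves only state that the packet is acquired and sent on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A minimal IP packet: addresses as dotted strings plus an opaque payload (constructed)."""
    src: str
    dst: str
    payload: bytes = b""


class EdgeDevice:
    """Edge device in the first local area network, reached by terminal devices over a VPN channel.

    first_lan:          the industrial devices' network (assumed 192.168.10.0/24 in demo()).
    industrial_devices: first-LAN addresses of the industrial devices the edge device serves.
    vpn_segment:        the second LAN's segment, learned from the server's first
                        configuration information (claim 12); None until received.
    """

    def __init__(self, first_lan: str, industrial_devices: List[str]) -> None:
        self.first_lan = ipaddress.ip_network(first_lan)
        self.industrial_devices = {ipaddress.ip_address(a) for a in industrial_devices}
        self.vpn_segment = None
        self.forwarded: List[Packet] = []            # packets put onto the first LAN
        self.dropped: List[Tuple[Packet, str]] = []  # packets refused, with the reason

    def apply_configuration(self, vpn_segment: str) -> None:
        """Claim 12: the server sends the second LAN's network segment to the edge device."""
        self.vpn_segment = ipaddress.ip_network(vpn_segment)

    def receive_from_vpn(self, pkt: Packet) -> bool:
        """Claim 11: acquire the first data packet from the VPN channel and send it to the
        target industrial device. The policy in check() is an assumed hardening, not claim text."""
        reason = self.check(pkt)
        if reason is not None:
            self.dropped.append((pkt, reason))
            return False
        self.forwarded.append(pkt)
        return True

    def check(self, pkt: Packet) -> Optional[str]:
        """Return None if the packet may be forwarded, otherwise the reason it is refused."""
        if self.vpn_segment is None:
            return "no configuration from server yet"
        try:
            src = ipaddress.ip_address(pkt.src)
            dst = ipaddress.ip_address(pkt.dst)
        except ValueError:
            return "malformed address"
        if src not in self.vpn_segment:
            return "source not in second LAN segment"
        if dst not in self.first_lan:
            return "destination not in first LAN"
        if dst not in self.industrial_devices:
            return "destination is not a registered industrial device"
        return None

    @staticmethod
    def reply(pkt: Packet) -> Packet:
        """Claim 13: the second data packet travels back over the VPN channel, so its
        addresses are the first packet's swapped."""
        return Packet(src=pkt.dst, dst=pkt.src, payload=b"ack")


def demo() -> Tuple[EdgeDevice, List[bool], Packet]:
    """Run constructed sample traffic through the edge device and return what happened."""
    edge = EdgeDevice("192.168.10.0/24", ["192.168.10.20", "192.168.10.21"])
    first = Packet("10.8.0.5", "192.168.10.20", b"read-register")
    results = [
        edge.receive_from_vpn(first),                                   # no config yet
    ]
    edge.apply_configuration("10.8.0.0/24")                             # server pushes segment
    results += [
        edge.receive_from_vpn(first),                                   # forwarded
        edge.receive_from_vpn(Packet("172.16.0.9", "192.168.10.20")),   # source outside VPN segment
        edge.receive_from_vpn(Packet("10.8.0.5", "192.168.10.99")),     # unknown industrial device
        edge.receive_from_vpn(Packet("10.8.0.5", "10.0.0.1")),          # destination outside first LAN
        edge.receive_from_vpn(Packet("10.8.0.5", "not-an-ip")),         # malformed address
    ]
    return edge, results, EdgeDevice.reply(first)


if __name__ == "__main__":
    edge, results, second = demo()
    print(results)
    for pkt, reason in edge.dropped:
        print(f"dropped {pkt.src} -> {pkt.dst}: {reason}")
    print(f"second data packet: {second.src} -> {second.dst}")
```

The source check matters because the first data packet carries the terminal device's second-LAN address as its source and the second data packet is addressed back to whatever that source was: an edge device that forwards purely on destination would relay any packet that reaches the VPN endpoint and send the industrial device's reply to an address the sender chose. Restricting sources to the segment the server configured, and destinations to the registered industrial devices, keeps the tunnel from becoming a general route into the first LAN.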

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210334472.5 2022-03-30
CN202210334472.5A CN114615080B (en) 2022-03-30 2022-03-30 Remote communication method and device for industrial equipment and equipment

Publications (1)

Publication Number Publication Date
WO2023185823A1 true WO2023185823A1 (en) 2023-10-05

Family

ID=81867176

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/084356 WO2023185823A1 (en) 2022-03-30 2023-03-28 Remote communication methods for industrial device, apparatuses and devices

Country Status (2)

Country Link
CN (1) CN114615080B (en)
WO (1) WO2023185823A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615080B (en) * 2022-03-30 2023-12-05 阿里巴巴(中国)有限公司 Remote communication method and device for industrial equipment and equipment
CN116347437B (en) * 2023-05-22 2023-08-04 深圳市优博生活科技有限公司 Method and device for implementing exposure elimination protocol based on industrial client equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016119747A1 (en) * 2015-01-30 2016-08-04 Huawei Technologies Co., Ltd. System and method for communicating in an ssl vpn
CN110166450A (en) * 2019-05-17 2019-08-23 固高科技(深圳)有限公司 Data transmission method, device and communication equipment based on Industrial Ethernet
CN113992440A (en) * 2021-12-28 2022-01-28 北京安博通科技股份有限公司 Gateway equipment and method for transmitting local data into IPsec tunnel
CN114244906A (en) * 2021-12-15 2022-03-25 中国电信股份有限公司 Data flow shunting method, device, equipment and medium
CN114615080A (en) * 2022-03-30 2022-06-10 阿里巴巴(中国)有限公司 Remote communication method and device for industrial equipment and equipment

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101567831B (en) * 2008-04-21 2011-11-16 成都市华为赛门铁克科技有限公司 Method and device for transmitting and receiving messages among local area networks and communication system
JP4802263B2 (en) * 2009-07-17 2011-10-26 株式会社日立製作所 Encrypted communication system and gateway device
US10135789B2 (en) * 2015-04-13 2018-11-20 Nicira, Inc. Method and system of establishing a virtual private network in a cloud service for branch networking
CN104994331B (en) * 2015-05-13 2018-05-01 浙江宇视科技有限公司 Flow sending method and system between a kind of network of suitable low speed chain circuit
CN106899474B (en) * 2016-12-07 2020-06-09 新华三技术有限公司 Message forwarding method and device
CN108390937B (en) * 2018-03-01 2021-01-05 深圳市腾讯计算机系统有限公司 Remote monitoring method, device and storage medium
CN108769292B (en) * 2018-06-29 2021-04-13 北京百悟科技有限公司 Message data processing method and device
EP3605958B1 (en) * 2018-08-02 2021-09-22 Nokia Solutions and Networks Oy Ip routed virtual private lan
CN112671938B (en) * 2019-10-15 2023-06-20 华为云计算技术有限公司 Business service providing method and system and remote acceleration gateway

Also Published As

Publication number Publication date
CN114615080A (en) 2022-06-10
CN114615080B (en) 2023-12-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23778188

Country of ref document: EP

Kind code of ref document: A1