CN110324227A - Data transmission method in a VPN server, and VPN server - Google Patents
- Publication number: CN110324227A (application CN201910560980.3A)
- Authority: CN (China)
- Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Classifications (CPC)
- H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/0272: Network security architectures or protocols for separating internal from external traffic; virtual private networks
- H04L63/0428: Network security architectures or protocols for confidential data exchange where the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/205: Network security management involving negotiation or determination of the security mechanisms to be used, e.g. by negotiation between the client and the server or between peers
Abstract
The invention discloses a data transmission method in a VPN server, and the VPN server itself. The VPN server contains a message dispatching unit and runs a control flow process and a data flow process. The message dispatching unit obtains the request messages sent by a user client and forwards the control messages among them to the control flow process and the data messages to the data flow process. The control flow process negotiates with the user client so that the VPN server establishes a VPN connection with the user client, collects the negotiation information generated during the negotiation, and shares that negotiation information with the data flow process. The data flow process restores the data messages forwarded by the message dispatching unit to the original data messages and sends those original data messages to the intranet server connected to the VPN server. The technical solution provided by the application can improve data transmission efficiency.
Description
Technical field
The present invention relates to the field of Internet technology, in particular to a data transmission method in a VPN server, and to the VPN server.
Background technique
Currently, VPN (Virtual Private Network) technology is used increasingly in order to improve the security of network data transmission. A VPN server based on PPTP (Point to Point Tunneling Protocol) can enhance data security through methods such as the Password Authentication Protocol and the Extensible Authentication Protocol, so the PPTP VPN server has become a mainstream kind of VPN server.
An existing PPTP VPN server is normally realized in kernel state: when a data message reaches the network card, the data message is first copied from the network card into the kernel system, and then the data message in the kernel system is copied into the VPN application program, where it is handled by the VPN application program.
Therefore an existing PPTP VPN server subjects each data message to a process of multiple copies. When facing a huge customer flow, the quantity of copied data messages also increases, which increases the load of the PPTP VPN server and in turn reduces data transmission efficiency and service quality.
Summary of the invention
The purpose of the application is to provide a data transmission method in a VPN server, and a VPN server, which can improve data transmission efficiency.
To achieve the above object, on the one hand the application provides a VPN server. The VPN server includes a message dispatching unit, and a kernel-state control flow process and a user-state data flow process run in the VPN server, wherein: the message dispatching unit is used to obtain the request messages sent by the user client from the public network interface of the VPN server, identify the type of each request message, forward the identified control messages to the control flow process, and forward the identified data messages to the data flow process; the control flow process is used to negotiate with the user client according to the control messages forwarded by the message dispatching unit, so that the VPN server establishes a VPN connection with the user client, to collect the negotiation information generated during the negotiation, and to share the negotiation information with the data flow process; the data flow process is used to restore the data messages forwarded by the message dispatching unit to original data messages according to the negotiation information shared by the control flow process, and to send the original data messages to the intranet server connected to the VPN server.
To achieve the above object, on the other hand the application also provides a data transmission method in a VPN server. The method includes: obtaining the request messages sent by the user client from the public network interface of the VPN server and identifying the type of each request message, the types of request messages including control messages and data messages; according to the identified control messages, negotiating with the user client so that the VPN server establishes a VPN connection with the user client, and collecting the negotiation information generated during the negotiation; and, according to the negotiation information, restoring the identified data messages to original data messages and sending the original data messages to the intranet server connected to the VPN server.
To achieve the above object, on the other hand the application also provides a VPN server that includes a memory and a processor, the memory being used to store a computer program which, when executed by the processor, implements the above data transmission method.
It can be seen that the technical solution provided by the application improves the kernel-state VPN server so that the modified VPN server supports kernel state and user state at the same time: the kernel state performs data processing through the control flow process, and the user state performs data processing through the data flow process. In the application, the message dispatching unit obtains the request messages sent by the user client from the public network interface of the VPN server, hands the control messages among them to the control flow process for handling, and hands the data messages among them to the data flow process for handling. The control flow process negotiates with the user client according to the received control messages, so that the VPN server establishes a VPN connection with the user client, and the control flow process collects the negotiation information generated during the negotiation. The data flow process then handles the received data messages according to the negotiation information shared by the control flow process, so that the data messages are restored to the original data messages, and the restored original data messages are sent to the intranet server, completing the user client's access to the intranet server. With the technical solution provided by the application, data messages are therefore handled directly by the user-state data flow process without undergoing the process of multiple data copies, which dramatically reduces the load of the VPN server. In addition, the VPN server is compatible with both the kernel-state control flow process and the user-state data flow process, and the data messages of the data flow are handled through the user-state protocol stack, which improves the processing efficiency of data messages.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of data distribution in the VPN server in an embodiment of the present invention;
Fig. 2 is a functional block diagram of the VPN server in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the steps of the data transmission method in an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of the VPN server in an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of the terminal in the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below in conjunction with the drawings.
Referring to Fig. 1, the application provides a VPN server, in particular a PPTP VPN server, which can be improved on the basis of an existing kernel-state VPN server. Specifically, as shown in Fig. 1, the VPN server provided by the application can include a kernel-state kernel system and a user-state VPN application. When the VPN server receives request messages sent by the user client, these request messages can be routed directly to the user-state VPN application. In practical applications, the request messages sent by the user client may include control messages and data messages. The user-state VPN application can handle only the data messages and hand the control messages to the kernel system. In this way, the processing efficiency of data messages can be improved through the separation of, and collaboration between, the kernel system and the VPN application.
Specifically, referring to Fig. 2, the VPN server provided by the application may include a message dispatching unit, and a control flow process containing a kernel module and a user-state data flow process run in the VPN server. In practical applications, a DPDK (Data Plane Development Kit) component can be added to the VPN server; the DPDK component is responsible for receiving and sending messages through the physical network card of the VPN server, and the above message dispatching unit can be located in the DPDK component. As shown in Fig. 2, the physical network card of the VPN server may include a public network interface eth0 and an intranet interface eth1. The public network interface carries out data communication with devices in the wide area network, and the intranet interface carries out data communication with the intranet server in the local area network. The intranet server can be a server inside an enterprise for storing internal resources; employees of the enterprise can access the VPN server through the user client and, through the VPN server, further access the internal resources on the intranet server.
In the present embodiment, when deploying the VPN server, the public network interface and the intranet interface of the VPN server can be bound to the above DPDK component. This lets the DPDK component take over the NIC driver, so that messages are received and sent directly from the public network interface and the intranet interface through the DPDK component rather than through the original NIC driver. The purpose of this is that, when the original NIC driver obtains a message, it generally needs to send the obtained message to the kernel system first, which causes multiple copies of the message, whereas the DPDK component can deliver the message directly to the application layer without the multiple copies from the kernel system to the application layer, making data transmission more efficient.
In the present embodiment, the messages that the VPN server needs to handle can be divided into two major classes: one is the GRE (Generic Routing Encapsulation) messages transmitted through the wide area network between the VPN server and the user client, and the other is the original data messages transmitted through the local area network between the VPN server and the intranet devices. In addition, GRE messages can be further subdivided into control messages and data messages; in the present embodiment, since the VPN server has undergone the user-state transformation, the control messages among the GRE messages can be handed to the above control flow process for handling, and the data messages among the GRE messages can be handed to the above data flow process for handling.
In the present embodiment, in order that control messages can be passed normally from user state to kernel state, the DPDK component can create, through the KNI (Kernel NIC Interface) mechanism, a virtual public network interface and a virtual intranet interface corresponding to the public network interface eth0 and the intranet interface eth1. The control flow process can then be bound to the virtual public network interface and the virtual intranet interface, so that it can subsequently communicate with the message dispatching unit in the DPDK component through the virtual public network interface and the virtual intranet interface, realizing message transmission between user state and kernel state.
Specifically, the inside of the VPN server can be divided into kernel state and user state. As shown in Fig. 2, the above control flow process accel-pptpd can run in kernel state, and a data flow process pptp based on the user-state protocol stack can run in user state. Since the messages received by the VPN server can reach the application layer directly through the DPDK component, a request message sent by the user client, after being received through the public network interface of the VPN server, can be passed directly to the message dispatching unit in the DPDK component. After the message dispatching unit obtains the request message sent by the user client from the public network interface of the VPN server, it can identify the type of the request message, forward the identified control messages to the control flow process through the above virtual public network interface, and forward the identified data messages directly to the data flow process. Specifically, when identifying the type of a request message, on the one hand the sending port of the request message can be discriminated: if the sending port is a preset particular port, the request message can be determined to be a control message. On the other hand, the type can also be identified through a type field in the header information of the request message, which indicates the type of the request message.
In practical applications, after the VPN server has been deployed, it can receive a request message sent by the user client for establishing a VPN connection. After the request message is received through the public network interface of the VPN server, it can be passed to the above message dispatching unit, which can identify that the type of the request message is a control message and therefore send the control message to the kernel-state control flow process. The control flow process can carry out a communication negotiation with the user client according to the control messages forwarded by the message dispatching unit, so that the VPN server establishes a VPN connection with the user client. This communication negotiation can determine information such as the communication protocol used between the VPN server and the user client, the encapsulation mode of the protocol, the encryption algorithm, the shared key that protects the data of the specific stream, and the life cycle of the key.
In one embodiment, the message dispatching unit can forward the identified control messages to the control flow process through the above virtual public network interface. After the control flow process receives from the virtual public network interface a control message forwarded by the message dispatching unit, it can learn, by parsing the content of the control message, which stage of connection establishment it is currently in, and can therefore feed back a response message for the control message to the message dispatching unit through the virtual public network interface. The response message can be sent by the message dispatching unit to the user client through the public network interface of the VPN server. In this way, during the connection establishment stage, the control messages exchanged between the user client and the VPN server can all be handled by the control flow process, so as to complete the whole negotiation process.
In the present embodiment, negotiation information can be produced during the negotiation; it may for example include information such as the authentication key and the encryption protocol between the user client and the VPN server. This negotiation information can be collected by the control flow process. After collecting the negotiation information, the control flow process can share it with the user-state data flow process, so that the data flow process can use this negotiation information to create the GRE tunnel corresponding to the user client.
Specifically, the control flow process can share the negotiation information collected during the negotiation with the data flow process by way of IPC (InterProcess Communication), and the data flow process can establish the GRE tunnel of the user client according to the negotiation information and can initialize procedures such as the encryption and decryption algorithms for data messages. In practical applications, after creating the GRE tunnel of the user client, the data flow process can write the instance of the tunnel into a connection instance table. The connection instance table can contain the various items of information of the GRE tunnel, for example the data encryption and decryption method, the routing policy, the intranet network segment, the client network segment, the identity information used by the client, and the virtual network adapter used by the client. In addition, in the connection instance table, the items of information of a GRE tunnel can be stored in association with the IP address of the corresponding user client. In this way, the GRE tunnel corresponding to a user client and the items of information of that GRE tunnel can be looked up in the connection instance table by the IP address of the user client. It should be noted that the IP address of the user client can be a virtual IP address assigned to the user client by the VPN server during the negotiation between the user client and the VPN server; subsequently, the messages sent and received by the user client can carry this virtual IP address, so that different user clients can be distinguished by their virtual IP addresses.
In the present embodiment, after the data flow process has created the GRE tunnel of the user client, the user client sends request messages for accessing intranet resources to the VPN server through the GRE tunnel. What the user client is to send can be an original request message, which the user client can encapsulate into a GRE message. Specifically, when encapsulating a GRE message, the user client can add GRE header information to the original data message and, according to the encryption algorithm determined during the negotiation, encrypt the original data message to which the GRE header information has been added, thereby obtaining the encapsulated GRE message. The user client can then transmit the encapsulated GRE message through the GRE tunnel.
In the present embodiment, after the VPN server receives through the public network interface a GRE message sent by the user client, the message dispatching unit can determine that the GRE message is a data message and therefore forward it to the data flow process. The data flow process can restore the data message to the original data message according to the negotiation information shared by the control flow process. Specifically, after receiving the negotiation information shared by the control flow process, the data flow process can initialize the encryption and decryption algorithm according to that negotiation information. Then, after receiving a data message forwarded by the message dispatching unit, the data flow process can remove the header information of the data message and decrypt the data message from which the header information has been removed, thereby restoring the original data message. The data flow process can then send the original data message to the intranet server connected to the VPN server, specifically through the intranet interface of the VPN server.
In the present embodiment, after the intranet server receives the original data message sent by the VPN server, it can feed back a data response message for that original data message, which can be received through the intranet interface of the VPN server. After the VPN server receives the data response message, it can direct the data response message to the user-state data flow process through the IP divert mechanism, so that the data flow process receives the data response message fed back by the intranet server. The data response message can carry the virtual IP address of the user client. In order to encrypt and encapsulate the data response message correctly, the data flow process can identify the virtual IP address in the data response message and look up, in the above connection instance table, the GRE tunnel corresponding to that virtual IP address and the items of information of that GRE tunnel. The information looked up serves as the client information corresponding to the virtual IP address. As can be seen from the description above, the client information can be used to define the encryption and encapsulation mode of the data response message. After looking up the corresponding client information, the data flow process can encrypt and encapsulate the data response message and send the encrypted and encapsulated data response message to the user client through the GRE tunnel corresponding to the user client. In this way, the data communication process between the user client and the intranet server is completed.
In practical applications, for the above GRE messages, the VPN server can create a network socket raw_socket on the user-state protocol stack to carry out the sending and receiving; for the original data messages sent to the intranet server, the VPN server can create a network socket raw_sender on the user-state protocol stack to send them; and the data response messages sent by the intranet server can be redirected to the data flow process for handling through the IP divert mechanism of the user-state protocol stack.
In the original, unmodified VPN server, the GRE messages transmitted in the GRE tunnel (including control messages and data messages) are usually all sent and received by the same process, which uniformly assigns a sequence number to each GRE message; the sequence number can be used to distinguish different GRE messages and characterizes the order in which the GRE messages are sent. However, after the VPN server has undergone the user-state transformation, the GRE messages transmitted in the GRE tunnel are handled separately by the control flow process and the data flow process, and if the two processes each assign sequence numbers to GRE messages on their own, out-of-order sequence numbers are likely to occur. In view of this, in the present embodiment, the assignment of sequence numbers can be realized by the above message dispatching unit. Specifically, the GRE messages sent out by the control flow process and the data flow process are all gathered at the message dispatching unit, so the message dispatching unit receives the GRE messages sent by both the control flow process and the data flow process. The message dispatching unit can then uniformly assign sequence numbers to the received GRE messages, so as to avoid out-of-order sequence numbers. Of course, in some application scenarios, the control flow process and the data flow process can also first assign sequence numbers to their respective GRE messages separately, and when the messages are subsequently gathered at the message dispatching unit, the message dispatching unit adjusts the sequence numbers, thereby solving the problem of out-of-order sequence numbers.
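The following Python is an added example, not code from the patent, that models the data flow process and the message dispatching unit described from the connection instance table onward: the table keyed by the client's virtual IP address, restoration of an inbound data message (strip the enhanced-GRE header, decrypt, then check that the inner source address is the tunnel's own virtual IP), re-encapsulation of an intranet response looked up by its destination virtual IP, and central per-tunnel sequence-number assignment in the dispatching unit. The GRE layout follows RFC 2637; the XOR keystream, call IDs and addresses are constructed stand-ins for the negotiated algorithm and keys.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GRE_PROTO_PPP = 0x880B   # protocol type of the enhanced GRE that PPTP uses (RFC 2637)
GRE_FLAG_K = 0x2000      # key field present: payload length + call ID
GRE_FLAG_S = 0x1000      # sequence number present
GRE_FLAG_A = 0x0080      # acknowledgement number present
GRE_VERSION = 1          # enhanced GRE version

@dataclass
class TunnelEntry:
    """One row of the connection instance table (a constructed subset of the fields listed)."""
    call_id: int
    cipher_key: bytes        # stands in for the key material produced by the negotiation
    intranet_segment: str
    client_segment: str

def xor_stream(data: bytes, key: bytes) -> bytes:
    # Constructed stand-in for the negotiated encryption algorithm; not MPPE or any real cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_gre(frame: bytes) -> Tuple[int, Optional[int], bytes]:
    """Split an enhanced-GRE frame into (call_id, seq, payload); reject anything else."""
    flags, proto = struct.unpack_from("!HH", frame, 0)
    if proto != GRE_PROTO_PPP or (flags & 0x7) != GRE_VERSION or not flags & GRE_FLAG_K:
        raise ValueError("not a PPTP data message")
    length, call_id = struct.unpack_from("!HH", frame, 4)
    off, seq = 8, None
    if flags & GRE_FLAG_S:
        seq = struct.unpack_from("!I", frame, off)[0]
        off += 4
    if flags & GRE_FLAG_A:
        off += 4                  # acknowledgement number is not needed on this path
    payload = frame[off:off + length]
    if len(payload) != length:
        raise ValueError("truncated GRE payload")   # length field checked before it is trusted
    return call_id, seq, payload

def build_gre(call_id: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    flags = GRE_VERSION | GRE_FLAG_K | (GRE_FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload

class MessageDispatchUnit:
    """Assigns GRE sequence numbers centrally, per tunnel, for frames from either process."""
    def __init__(self) -> None:
        self._next_seq: Dict[int, int] = {}

    def stamp(self, gre_frame: bytes) -> bytes:
        call_id, _, payload = parse_gre(gre_frame)
        seq = self._next_seq.get(call_id, 0)
        self._next_seq[call_id] = seq + 1
        return build_gre(call_id, payload, seq)   # rewrite the frame with the unified number

class DataFlowProcess:
    """User-state data flow process: restores inbound data messages, re-encapsulates responses."""
    def __init__(self, dispatch: MessageDispatchUnit) -> None:
        self.dispatch = dispatch
        self.table: Dict[str, TunnelEntry] = {}   # connection instance table, keyed by virtual IP
        self._by_call: Dict[int, str] = {}        # call ID -> virtual IP, for the inbound lookup

    def install_tunnel(self, virtual_ip: str, entry: TunnelEntry) -> None:
        # Called with the negotiation information the control flow process shares over IPC.
        self.table[virtual_ip] = entry
        self._by_call[entry.call_id] = virtual_ip

    def destroy_tunnel(self, virtual_ip: str) -> None:
        # Teardown notification from the control flow process after the VPN connection closes.
        entry = self.table.pop(virtual_ip, None)
        if entry is not None:
            self._by_call.pop(entry.call_id, None)

    def restore(self, gre_frame: bytes) -> Optional[bytes]:
        """Strip the GRE header and decrypt; return the original data message, or None to drop."""
        call_id, _, enc = parse_gre(gre_frame)
        virtual_ip = self._by_call.get(call_id)
        if virtual_ip is None:
            return None                           # no tunnel for this call ID
        inner = xor_stream(enc, self.table[virtual_ip].cipher_key)
        if len(inner) < 20 or socket.inet_ntoa(inner[12:16]) != virtual_ip:
            return None                           # inner source must be the tunnel's own virtual IP
        return inner

    def respond(self, ip_packet: bytes) -> Optional[bytes]:
        """Encrypt and encapsulate an intranet response addressed to a client's virtual IP."""
        entry = self.table.get(socket.inet_ntoa(ip_packet[16:20])) if len(ip_packet) >= 20 else None
        if entry is None:
            return None
        frame = build_gre(entry.call_id, xor_stream(ip_packet, entry.cipher_key))
        return self.dispatch.stamp(frame)         # sequence number comes from the dispatching unit

def ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload
```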
In one embodiment, after the communication between the user client and the VPN server is completed, in order to save the resources of the VPN server, a connection disconnection message can be initiated by the control flow process in the VPN server or by the user client. The connection disconnection message can be received by the message dispatching unit and passed on to the control flow process or to the user client. In this way, the user client and the control flow process can complete the negotiation for disconnection according to steps similar to the negotiation for establishing the connection. After that negotiation is completed, the VPN connection between the VPN server and the user client can be disconnected.
In the present embodiment, after the VPN connection is disconnected, the control flow process can send notification information to the data flow process, so as to notify the data flow process to destroy the GRE tunnel of the user client and reclaim the related resources of the GRE tunnel. At this point, this communication between the VPN server and the user client stops.
Referring to Fig. 3, the application also provides a data transmission method in a VPN server, the method comprising:
S1: obtaining the request messages sent by the user client from the public network interface of the VPN server, and identifying the type of each request message, the types of request messages including control messages and data messages;
S3: according to the identified control messages, negotiating with the user client so that the VPN server establishes a VPN connection with the user client, and collecting the negotiation information generated during the negotiation;
S5: according to the negotiation information, restoring the identified data messages to original data messages, and sending the original data messages to the intranet server connected to the VPN server.
In one embodiment, after collecting the negotiation information generated during the negotiation, the method further includes:
establishing the generic routing encapsulation tunnel corresponding to the user client according to the negotiation information, and initializing the encryption and decryption algorithm for data messages;
removing the generic routing encapsulation header information of a data message, and decrypting the data message from which the generic routing encapsulation header information has been removed according to the initialized encryption and decryption algorithm, so as to restore the original data message.
In one embodiment, this method further include:
The data response message that intranet server is directed to initial data message feedback is received, and data response message is carried out
After encryption and encapsulation, the data response message after encryption and encapsulation is passed through into the corresponding generic route encapsulation tunnel of user client
Road is sent at user client.
In one embodiment, this method further include:
The generic routing encapsulation message that the control in vpn server flows into journey and data flow process is sent is received, and is
Received generic routing encapsulation message assigned sequence number.
Referring to Fig. 4, the application also provides a VPN server comprising a memory and a processor. The memory stores a computer program which, when executed by the processor, implements the data transmission method described above.
Referring to Fig. 5, the technical solution in the above embodiments may be applied to a computer terminal 10 as shown in Fig. 5. The terminal 10 may include one or more processors 102 (only one is shown in the figure; the processor 102 may include, but is not limited to, a processing unit such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication. Those skilled in the art will understand that the structure shown in Fig. 5 is only illustrative and does not limit the structure of the above electronic device. For example, the terminal 10 may include more or fewer components than shown in Fig. 5, or a configuration different from that shown in Fig. 5.
The memory 104 may store the software programs and modules of application software; by running the software programs and modules stored in the memory 104, the processor 102 performs various functional applications and data processing. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102; such remote memory may be connected to the terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the terminal 10. In one example, the transmission device 106 includes a network interface controller (NIC), which can connect to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 may be a radio frequency (RF) module for communicating wirelessly with the Internet.
Accordingly, with the technical solution provided by this application, a kernel-mode VPN server can be modified so that the modified VPN server supports both kernel mode and user mode: kernel mode handles processing through the control-flow process, and user mode handles processing through the data-flow process. In this application, the message dispatching unit obtains the request messages sent by the user client from the public network interface of the VPN server, hands the control messages among them to the control-flow process, and hands the data messages among them to the data-flow process. The control-flow process negotiates with the user client according to the received control messages so that the VPN server establishes a VPN connection with the user client, and collects the negotiation information generated during the negotiation. The data-flow process then processes the received data messages according to the negotiation information shared by the control-flow process, restoring each data message to the original data message, and sends the restored original data message to the intranet server, completing the user client's access to the intranet server. Therefore, with the technical solution provided by this application, data messages can be processed directly by the user-mode data-flow process without multiple data copies, which greatly reduces the load on the VPN server. In addition, the VPN server runs the kernel-mode control-flow process and the user-mode data-flow process side by side, and the data messages of the data flow are processed by the user-mode protocol stack, which improves the processing efficiency of data messages.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software together with a necessary general-purpose hardware platform, or alternatively by hardware. Based on this understanding, the above technical solution, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the method of each embodiment or of certain parts of the embodiments.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit the invention; any modification, equivalent replacement, improvement, and the like made within the spirit and principles of the invention shall be included in the protection scope of the invention.
Claims (15)
1. A VPN server, characterized in that the VPN server includes a message dispatching unit, and a kernel-mode control-flow process and a user-mode data-flow process run in the VPN server, wherein:
the message dispatching unit is configured to obtain, from the public network interface of the VPN server, the request message sent by the user client, identify the type of the request message, forward the identified control message to the control-flow process, and forward the identified data message to the data-flow process;
the control-flow process is configured to negotiate with the user client according to the control message forwarded by the message dispatching unit, so that the VPN server establishes a VPN connection with the user client, to collect the negotiation information generated during the negotiation, and to share the negotiation information with the data-flow process;
the data-flow process is configured to restore the data message forwarded by the message dispatching unit to the original data message according to the negotiation information shared by the control-flow process, and to send the original data message to the intranet server connected to the VPN server.
2. The VPN server according to claim 1, characterized in that the VPN server further includes a dpdk component; the message dispatching unit is located in the dpdk component, and the dpdk component is bound to the public network interface and the intranet interface of the VPN server so as to receive and send messages on the public network interface and the intranet interface.
3. The VPN server according to claim 2, characterized in that the dpdk component is further configured to create a virtual public network interface and a virtual intranet interface corresponding to the public network interface and the intranet interface; correspondingly, the control-flow process is further configured to bind to the virtual public network interface and the virtual intranet interface, so as to communicate with the message dispatching unit through the virtual public network interface and the virtual intranet interface.
4. The VPN server according to claim 3, characterized in that the control-flow process is configured to receive, at the virtual public network interface, the control message forwarded by the message dispatching unit, and to feed back, through the virtual public network interface, a response message for the control message to the message dispatching unit, so that the message dispatching unit sends the response message to the user client through the public network interface.
5. The VPN server according to claim 1, characterized in that the data-flow process, after receiving the negotiation information shared by the control-flow process, is further configured to establish the generic routing encapsulation (GRE) tunnel corresponding to the user client according to the negotiation information, and to initialize the encryption and decryption algorithm for data messages.
6. The VPN server according to claim 5, characterized in that the data-flow process, after receiving the data message forwarded by the message dispatching unit, is further configured to remove the GRE header of the data message and, using the initialized encryption and decryption algorithm, to decrypt the data message from which the GRE header has been removed, so as to restore the original data message.
7. The VPN server according to claim 1 or 5, characterized in that the data-flow process is further configured to receive the data response message fed back by the intranet server for the original data message, encrypt and encapsulate the data response message, and send the encrypted and encapsulated data response message to the user client through the GRE tunnel corresponding to the user client.
8. The VPN server according to claim 7, characterized in that the data-flow process, after receiving the data response message fed back by the intranet server, is further configured to identify the virtual IP address from the data response message and to look up the client information corresponding to the virtual IP address; wherein the client information is used to determine the encryption and encapsulation manner of the data response message, and the virtual IP address was assigned to the user client by the VPN server when the VPN server established the VPN connection with the user client.
9. The VPN server according to claim 1, characterized in that the message dispatching unit is further configured to receive the GRE messages sent by the control-flow process and the data-flow process, and to assign sequence numbers to the received GRE messages.
10. The VPN server according to claim 1, characterized in that the message dispatching unit is further configured to forward a connection disconnect message to the control-flow process or to the user client, so that the control-flow process and the user client disconnect the VPN connection after negotiating;
correspondingly, after the VPN connection is disconnected, the control-flow process is further configured to send a notification to the data-flow process, so that the data-flow process destroys the GRE tunnel of the user client and reclaims the resources of that GRE tunnel.
11. A data transmission method in a VPN server, characterized in that the method comprises:
obtaining, from the public network interface of the VPN server, the request message sent by the user client, and identifying the type of the request message, the type being either a control message or a data message;
according to the identified control message, negotiating with the user client so that the VPN server establishes a VPN connection with the user client, and collecting the negotiation information generated during the negotiation;
according to the negotiation information, restoring the identified data message to the original data message, and sending the original data message to the intranet server connected to the VPN server.
12. The method according to claim 11, characterized in that, after collecting the negotiation information generated during the negotiation, the method further comprises:
establishing, according to the negotiation information, the generic routing encapsulation (GRE) tunnel corresponding to the user client, and initializing the encryption and decryption algorithm for data messages;
removing the GRE header of the data message and, using the initialized encryption and decryption algorithm, decrypting the data message from which the GRE header has been removed, so as to restore the original data message.
13. The method according to claim 11 or 12, characterized in that the method further comprises:
receiving the data response message fed back by the intranet server for the original data message, encrypting and encapsulating the data response message, and sending the encrypted and encapsulated data response message to the user client through the GRE tunnel corresponding to the user client.
14. The method according to claim 11, characterized in that the method further comprises:
receiving the GRE messages sent by the control-flow process and the data-flow process in the VPN server, and assigning sequence numbers to the received GRE messages.
15. A VPN server, characterized in that the VPN server comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the data transmission method according to any one of claims 11 to 14.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910560980.3A CN110324227A (en) | 2019-06-26 | 2019-06-26 | Data transmission method and vpn server in a kind of vpn server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110324227A true CN110324227A (en) | 2019-10-11 |
Family
ID=68120391
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110324227A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110932890A (en) * | 2019-11-20 | 2020-03-27 | 厦门网宿有限公司 | Data transmission method, server and computer readable storage medium |
CN111447132A (en) * | 2020-03-16 | 2020-07-24 | 广州华多网络科技有限公司 | Data transmission method, device, system and computer storage medium |
CN113055269A (en) * | 2019-12-27 | 2021-06-29 | 厦门网宿有限公司 | Virtual private network data transmission method and device |
CN113382014A (en) * | 2021-06-23 | 2021-09-10 | 中移(杭州)信息技术有限公司 | Negotiation processing method, device, terminal equipment and storage medium |
CN113572688A (en) * | 2021-01-21 | 2021-10-29 | 深圳市中网信安技术有限公司 | Message forwarding method, terminal equipment and computer storage medium |
CN113810397A (en) * | 2021-09-09 | 2021-12-17 | 山石网科通信技术股份有限公司 | Protocol data processing method and device |
CN114205186A (en) * | 2021-11-25 | 2022-03-18 | 锐捷网络股份有限公司 | Message processing method, device and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106453314A (en) * | 2016-10-14 | 2017-02-22 | 东软集团股份有限公司 | Data encryption and decryption method and device |
CN108880885A (en) * | 2018-06-19 | 2018-11-23 | 杭州迪普科技股份有限公司 | A kind of message processing method and device |
CN108924157A (en) * | 2018-07-25 | 2018-11-30 | 杭州迪普科技股份有限公司 | A kind of message forwarding method and device based on IPSec VPN |
CN109150688A (en) * | 2018-10-22 | 2019-01-04 | 网宿科技股份有限公司 | IPSec VPN data transmission method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191011 |