
CN112019571B - VPN connection implementation method and system - Google Patents

Info

Publication number
CN112019571B
Authority
CN
China
Prior art keywords
vpn
server
dynamic password
maintenance management
connection
Legal status
Active
Application number
CN202011135163.2A
Other languages
Chinese (zh)
Other versions
CN112019571A (en)
Inventor
张澄宇
韩丙江
王振凯
吴松巧
Current Assignee
Qieyun Shanghai Internet Of Things Technology Co ltd
Original Assignee
Qieyun Shanghai Internet Of Things Technology Co ltd
Application filed by Qieyun Shanghai Internet Of Things Technology Co ltd
Priority to CN202011135163.2A
Publication of CN112019571A
Application granted
Publication of CN112019571B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 for separating internal from external traffic, e.g. firewalls
              • H04L 63/0272 Virtual private networks
            • H04L 63/06 for supporting key management in a packet data network
              • H04L 63/062 for key distribution, e.g. centrally by trusted party
            • H04L 63/08 for authentication of entities
              • H04L 63/083 using passwords
                • H04L 63/0846 using time-dependent passwords, e.g. periodically changing passwords
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/14 Session management
              • H04L 67/141 Setup of application sessions
              • H04L 67/143 Termination or inactivation of sessions, e.g. event-controlled end of session
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L 9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Abstract

The invention provides a VPN connection implementation method and system. The method comprises the following steps: the control terminal initiates a VPN connection request; the operation and maintenance management server, after detecting the VPN connection request, generates a VPN dynamic password, starts a timer, and issues the VPN dynamic password to the VPN server and to the control terminal; the VPN server registers the VPN dynamic password; when a trigger condition is met, the wireless gateway creates a VPN connection channel between the controlled terminal and the VPN server, the controlled terminal having been connected to the wireless gateway in advance by a network cable; the control terminal establishes a VPN connection with the controlled terminal through the VPN server using the VPN dynamic password; and when the timer reaches the validity duration, the operation and maintenance management server instructs the VPN server to revoke the VPN dynamic password and causes the VPN connection channel to be disconnected. The wireless gateway and the VPN server are connected only for the duration of use, and the VPN connection is disconnected once the timer expires, which improves data security.

Description

VPN connection implementation method and system
Technical Field
The present invention relates to the field of data communication technologies, and in particular, to a method and a system for implementing VPN connection.
Background
A VPN (Virtual Private Network) is a communication method commonly used to connect the private networks of medium and large enterprises or organizations. It uses a tunneling protocol to provide confidentiality, sender authentication and message integrity for private traffic, so that reliable and secure messages can be sent over an insecure network such as the Internet. A VPN may be implemented in a number of ways, including as a server, in hardware, or in software.
At present, the connection established between the wireless gateway and the VPN server is a long-lived connection, and the VPN password is a static password assigned to the VPN user by an administrator. Logging in to the VPN in this way introduces security risks.
Disclosure of Invention
The invention aims to provide a VPN connection implementation method and system in which the wireless gateway and the VPN server are connected on demand and the VPN connection is disconnected once the timer expires, thereby improving data security.
The technical scheme provided by the invention is as follows:
the invention provides a VPN connection implementation method, which comprises the following steps:
the control terminal initiates a VPN connection request;
the operation and maintenance management server, after detecting the VPN connection request, generates a VPN dynamic password, starts a timer, and issues the VPN dynamic password to the VPN server and to the control terminal;
the VPN server registers the VPN dynamic password;
the wireless gateway creates a VPN connection channel between the controlled terminal and the VPN server when a trigger condition is met; the controlled terminal has been connected to the wireless gateway in advance by a network cable;
the control terminal establishes a VPN connection with the controlled terminal through the VPN server using the VPN dynamic password;
and when the timer reaches the validity duration, the operation and maintenance management server instructs the VPN server to revoke the VPN dynamic password and causes the VPN connection channel to be disconnected.
Further, the step in which the operation and maintenance management server, after detecting the VPN connection request, generates a VPN dynamic password and starts the timer includes:
the operation and maintenance management server receives a communication message sent by the control terminal;
if the communication message contains a preset key field, the operation and maintenance management server determines that a VPN connection request has been detected; the VPN connection request includes identification information of the control terminal;
and the operation and maintenance management server generates a VPN dynamic password, sets the validity duration of the VPN dynamic password, and starts the timer.
Further, the registration of the VPN dynamic password by the VPN server includes:
the VPN server receives the VPN dynamic password and the identification information of the corresponding control terminal sent by the operation and maintenance management server;
and the VPN server stores the association between the VPN dynamic password and the identification information, completing registration.
Further, the step in which the wireless gateway creates a VPN connection channel between the controlled terminal and the VPN server when the trigger condition is met includes:
the message server receives a connection instruction and the VPN dynamic password generated and sent by the operation and maintenance management server; the connection instruction is generated when the operation and maintenance management server receives the VPN connection request;
the message server forwards the connection instruction and the VPN dynamic password to the wireless gateway;
and the wireless gateway determines that the trigger condition is met when it receives the connection instruction and the VPN dynamic password, and maps the debugging private network address of the controlled terminal to a temporary public network address on the VPN server, completing creation of the VPN connection channel.
Further, the step in which the operation and maintenance management server instructs the VPN server to revoke the VPN dynamic password and disconnects the VPN connection channel when the timer reaches the validity duration includes:
when the timer reaches the validity duration, the operation and maintenance management server generates a password destruction instruction and sends it to the VPN server, so that the VPN server deletes the VPN dynamic password whose validity duration has elapsed;
and the operation and maintenance management server generates a mapping-close instruction at the same time as the password destruction instruction and sends it to the wireless gateway, so that the wireless gateway closes the target mapping port and thereby disconnects the VPN connection channel.
The present invention also provides a VPN connection implementation system, including: an operation and maintenance management server, a control terminal, a VPN server, a wireless gateway and a controlled terminal;
the control terminal is used to initiate a VPN connection request and to establish a VPN connection with the controlled terminal through the VPN server using the VPN dynamic password generated by the operation and maintenance management server;
the operation and maintenance management server is used to generate a VPN dynamic password and start a timer after detecting the VPN connection request, to issue the VPN dynamic password to the VPN server and to the control terminal, and also to instruct the VPN server to revoke the VPN dynamic password and to disconnect the VPN connection channel when the timer reaches the validity duration;
the VPN server is used to register the VPN dynamic password;
and the wireless gateway is used to create a VPN connection channel between the controlled terminal and the VPN server when a trigger condition is met.
Further, the operation and maintenance management server includes:
a first communication module, used to receive a communication message sent by the control terminal;
a first analysis module, used to determine that a VPN connection request has been detected if the communication message contains a preset key field; the VPN connection request includes identification information of the control terminal;
a first processing module, used to generate the corresponding VPN dynamic password and to set the validity duration of that VPN dynamic password;
and a timing module, used to start the timer once the VPN dynamic password has been generated.
Further, the VPN server includes:
a second communication module, used to receive the VPN dynamic password and the identification information of the corresponding control terminal sent by the operation and maintenance management server;
and a second processing module, used to store the association between the VPN dynamic password and the identification information, completing registration.
Further, the system also includes a message server, which includes:
a third communication module, used to receive the connection instruction and the VPN dynamic password generated and sent by the operation and maintenance management server and to forward them to the wireless gateway; the connection instruction is generated when the operation and maintenance management server receives the VPN connection request;
and the wireless gateway includes:
a fourth communication module, used to receive the connection instruction and the VPN dynamic password;
and a third processing module, used to determine that the trigger condition is met when the connection instruction and the VPN dynamic password are received, and to map the debugging private network address of the controlled terminal to a temporary public network address on the VPN server, completing creation of the VPN connection channel.
Further, the operation and maintenance management server further includes:
an instruction generation module, used to generate a password destruction instruction and a mapping-close instruction when the timer reaches the validity duration;
the first communication module is further configured to send the password destruction instruction to the VPN server, so that the VPN server deletes the VPN dynamic password whose validity duration has elapsed;
and the first communication module is further configured to send the mapping-close instruction to the wireless gateway, so that the wireless gateway closes the target mapping port and thereby disconnects the VPN connection channel.
The VPN connection implementation method and system provided by the invention connect the wireless gateway and the VPN server on demand and disconnect the VPN connection once the timer expires, thereby improving data security.
Drawings
The above features, technical features, advantages and implementations of a VPN connection implementation method and system will be further described in the following detailed description of preferred embodiments in a clearly understandable manner, with reference to the accompanying drawings.
Fig. 1 is a flow chart of one embodiment of a VPN connection implementation method of the present invention;
Fig. 2 is a flowchart of another embodiment of a VPN connection implementation method of the present invention;
Fig. 3 is a schematic structural diagram of an embodiment of a VPN connection implementation system according to the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. However, it will be apparent to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
For the sake of simplicity, the drawings only schematically show the parts relevant to the present invention, and they do not represent the actual structure as a product. In addition, in order to make the drawings concise and understandable, components having the same structure or function in some of the drawings are only schematically illustrated or only labeled. In this document, "one" means not only "only one" but also a case of "more than one".
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
In addition, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not intended to indicate or imply relative importance.
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following description will be made with reference to the accompanying drawings. It is obvious that the drawings in the following description are only some examples of the invention, and that for a person skilled in the art, other drawings and embodiments can be derived from them without inventive effort.
A VPN is a secure connection established over a public network, typically the Internet: a stable, protected tunnel through an untrusted public network. In general, a VPN is an extension of an enterprise intranet that lets remote users, corporate branches, business partners and suppliers establish trusted secure connections to the corporate intranet and ensures secure transfer of data.
The VPN architecture adopts several security mechanisms, such as tunneling, encryption/decryption, key management and authentication. Together these network security technologies ensure that data is not stolen during transmission over the public network, or, even if it is intercepted, that the other party cannot read the contents of the data packets.
In accordance with an embodiment of the present invention, there is provided an embodiment of a VPN connection implementation method, it should be noted that the steps illustrated in the flowchart of the accompanying drawings may be implemented in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than that herein.
An embodiment of the present invention, as shown in fig. 1, is a method for implementing VPN connection, including:
S100, the control terminal initiates a VPN connection request;
Specifically, the control terminal may be a notebook or desktop computer used by a maintenance person, or even a smartphone or tablet. After the control terminal is started, the maintenance worker clicks the VPN connection control, which triggers the control terminal to generate a VPN connection request. The control terminal then sends the generated VPN connection request to the operation and maintenance management server.
S200, the operation and maintenance management server, after detecting the VPN connection request, generates a VPN dynamic password, starts a timer, and issues the VPN dynamic password to the VPN server and to the control terminal;
Specifically, the operation and maintenance management server starts a background thread that monitors in real time; once a VPN connection request is detected, it generates a VPN dynamic password in real time with a built-in random code generator. The VPN dynamic password is single-use and time-limited. The operation and maintenance management server then sends the generated VPN dynamic password both to the VPN server and to the control terminal that initiated the VPN connection request. The VPN dynamic password is a VPN login password that changes each time. Existing VPN connection schemes all use static passwords, and logging in to the VPN with a static password gives extremely low security, so that enterprise or company data is easily leaked. Here the operation and maintenance management server generates the VPN dynamic password upon receiving the VPN connection request, and even if the same control terminal initiates another VPN connection request, a new VPN dynamic password is generated once the validity period has been exceeded.
S300, the VPN server registers the VPN dynamic password;
S400, the wireless gateway creates a VPN connection channel between the controlled terminal and the VPN server when the trigger condition is met;
Specifically, if a remote VPN maintenance or diagnostic environment needs to be set up, the controlled terminal must be connected to the wireless gateway by a wired network cable. The controlled terminal includes, but is not limited to, office terminals (for example, the computers and notebooks of an office building) and numerically controlled machine tools (Computer Numerical Control, CNC: automatic machine tools controlled by a program, including but not limited to CNC lathes, CNC milling machines and CNC hydraulic presses for various purposes).
After receiving the VPN dynamic password issued by the operation and maintenance management server, the VPN server registers the VPN dynamic password in its database: it forms an index configuration file from the VPN dynamic password and its corresponding index field and stores it under the corresponding partition path, which completes registration and yields a registration record. Then, when the wireless gateway determines that the trigger condition is met, it creates a VPN connection channel between the controlled terminal and the VPN server. At this point the operation and maintenance management server, the VPN server, the wireless gateway and the controlled terminal have completed the construction of the VPN connection channel environment for remote access by the control terminal.
S500, the control terminal establishes a VPN connection with the controlled terminal through the VPN server using the VPN dynamic password;
S600, when the timer reaches the validity duration, the operation and maintenance management server instructs the VPN server to revoke the VPN dynamic password and causes the VPN connection channel to be disconnected.
Specifically, the control terminal has previously received from the operation and maintenance management server the VPN dynamic password corresponding to its VPN connection request. It now sends feedback data containing the VPN dynamic password to the VPN server, and the VPN server looks up the VPN dynamic password from the feedback data in its registration records. If the registration record contains the VPN dynamic password, the control terminal and the VPN server successfully establish a connection, after which the control terminal can establish a VPN connection with the controlled terminal through the VPN server. If the VPN dynamic password does not exist in the registration record, the control terminal cannot establish a connection with the VPN server, and therefore cannot establish a VPN connection with the controlled terminal through the VPN server. Once the control terminal has established the VPN connection with the controlled terminal, it may perform remote interactive work on the controlled terminal through a diagnostic program according to service requirements (including but not limited to remote diagnosis and maintenance, remote fault detection, remote fault removal and remote data access).
Once the timer reaches the validity duration, the operation and maintenance management server instructs the VPN server to revoke the VPN dynamic password and disconnects the VPN connection channel, so the VPN connection is never kept open indefinitely. The connection between the wireless gateway and the VPN server, and likewise the connection between the control terminal and the controlled terminal, exists only for the duration of use. This improves the security of data during remote interactive work, greatly increases the trust of the enterprise customer, improves working efficiency, and makes the service more standardized.
For example, suppose a local worker uses the controlled terminal and has no skill in fault detection and maintenance of it. Once the controlled terminal fails, the worker can neither repair the fault in time nor judge whether it can be removed remotely, which affects the worker's use of the controlled terminal. The maintainer therefore initiates a VPN connection request from the control terminal and establishes a VPN connection to the controlled terminal using the VPN dynamic password, so that the cause of the fault can be detected and diagnosed remotely and it can be determined whether the fault can be removed remotely. If it can, the maintainer repairs the controlled terminal directly through the control terminal; if not, another maintainer can be dispatched to the worker's site for repair. This greatly saves travel costs, improves the working efficiency of both the worker and the maintenance personnel, and makes the service more standardized and effective.
An embodiment of the present invention, as shown in fig. 2, is a method for implementing VPN connection, including:
s100, a control terminal initiates a VPN connection request;
s210, the operation and maintenance management server acquires a communication message sent by the control terminal;
s220, if the communication message comprises a preset key field, the operation and maintenance management server determines to monitor the VPN connection request; the VPN connection request includes identification information of the control terminal;
s230, the operation and maintenance management server generates a VPN dynamic password, sets the effective time length of the VPN dynamic password, starts timing and respectively issues the VPN dynamic password to the VPN server and the control terminal;
specifically, the operation and maintenance management server creates a background process to monitor the communication message sent from the control terminal in real time, and since the communication message sent from the control terminal may not necessarily be a VPN connection request, for example, the communication message may be a VPN account message or an attack message, the operation and maintenance management server needs to analyze the communication message, determine whether the communication message includes a preset key field, if the communication message includes the preset key field, it indicates that the communication message sent from the control terminal at the current time is a VPN connection request, and if the communication message does not include the preset key field, it indicates that the communication message sent from the control terminal at the current time is not a VPN connection request. Once the VPN connection request is determined to be monitored, the operation and maintenance management server generates a VPN dynamic password in real time through a built-in random code generator, sets effective duration for the generated VPN dynamic password, and starts timing at the moment when the operation and maintenance management server generates the VPN dynamic password. And the operation and maintenance management server sends the VPN dynamic password to the VPN server and sends the VPN dynamic password to the control terminal corresponding to the identification information in the VPN connection request.
S310, the VPN server receives a VPN dynamic password and identification information of a corresponding control terminal sent by the operation and maintenance management server;
s320, the VPN server stores the association relationship between the VPN dynamic password and the identification information to complete registration;
specifically, after receiving the VPN dynamic password sent by the operation and maintenance management server, the VPN server completes registration in the manner of the above embodiment. Certainly, in order to further improve the security of the remote interactive work, the operation and maintenance management server sends the VPN dynamic password to the VPN server, and the operation and maintenance management server also sends the identification information of the control terminal to the VPN server according to the VPN connection request, so that the VPN server can store the VPN dynamic password and the identification information of the control terminal corresponding to the VPN dynamic password, form an index configuration file by the VPN dynamic password and the identification information of the control terminal corresponding to the VPN dynamic password, and then store the index configuration file in the corresponding partition path to complete registration to obtain a registration record. The identification information of the control terminal includes an IP address and a port number of the control terminal.
S410, the message server receives a connection instruction and a VPN dynamic password which are generated and sent by the operation and maintenance management server; the connection instruction is generated when the operation and maintenance management server receives a VPN connection request;
s420, the message server forwards the connection instruction and the VPN dynamic password to the wireless gateway;
specifically, the message server is used as a node of the network, and is dedicated to store and forward data and information on the network, and a common message server includes a RabbitMQ.
S430, when receiving the connection instruction and the VPN dynamic password, the wireless gateway determines that the triggering condition is met, and maps the debugging private network address of the controlled terminal to the temporary public network address on the VPN server to complete the creation of a VPN connection channel;
specifically, if the control terminal needs to perform remote interactive work with a remote controlled terminal, the control terminal and the controlled terminal are often located in different private networks (local area networks or internal networks), so that the control terminal cannot directly access the controlled terminal. As is well known, a Local Area Network (LAN) is an interconnected network of computers in a small area. The "small scope" may be a family, a school, a company, or a government agency.
The debugging private network address comprises a private network IP address and a debugging port number of the controlled terminal, and the temporary public network address comprises a public network mapping IP address and a temporary port number of the controlled terminal, wherein the public network mapping IP address and the temporary port number are mapped on the VPN server.
The operation and maintenance management server generates a connection instruction after receiving the VPN connection request sent by the control terminal, and then sends the connection instruction and the VPN dynamic password to the message server. The message server forwards the connection instruction and the VPN dynamic password to the wireless gateway. Once the wireless gateway receives the connection instruction and the VPN dynamic password, it starts its NAT function to perform network address translation, mapping the debugging private network address of the controlled terminal to a temporary public network address on the VPN server and thereby completing the creation of a VPN connection channel. That is, the wireless gateway converts the private network IP address and debugging port number of the controlled terminal into the public network mapping IP address and temporary port number of the controlled terminal on the VPN server, then sends this public network mapping IP address and temporary port number to the VPN server, and the VPN server responds to the wireless gateway. Because the controlled terminal is connected to the wireless gateway, this completes the establishment of a VPN connection channel between the controlled terminal and the VPN server, namely the first VPN connection channel.
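The mapping step described above, as an added illustration that is not code from the patent or the applicant: a minimal NAT table as the wireless gateway might keep it, which binds the controlled terminal's debugging private network address (private IP address plus debugging port) to a temporary public network address (the VPN server's public mapping IP address plus a temporary port), translates the target address of a control instruction and the source address of feedback information in both directions, and releases the target mapping port when the mapping-closing instruction arrives. The public IP address, the temporary port range, the class and method names and the message dictionary layout are assumptions made for this example.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed values for the example (not from the patent): the VPN server's
# public mapping IP address and the range of temporary ports it lends out.
VPN_SERVER_PUBLIC_IP = "203.0.113.10"
TEMP_PORT_RANGE = (40000, 40999)


@dataclass(frozen=True)
class Address:
    ip: str
    port: int


class GatewayMappingTable:
    """Hypothetical NAT table kept by the wireless gateway.

    Maps the controlled terminal's debugging private network address to a
    temporary public network address on the VPN server and translates the
    addresses carried by control instructions and feedback information.
    """

    def __init__(self, public_ip=VPN_SERVER_PUBLIC_IP, port_range=TEMP_PORT_RANGE):
        self.public_ip = public_ip
        self.port_range = port_range
        self._to_private = {}   # temporary port -> Address(private_ip, debug_port)
        self._to_public = {}    # Address(private_ip, debug_port) -> temporary port

    def create_mapping(self, private_ip, debug_port):
        """Called once the connection instruction and VPN dynamic password have arrived."""
        if not ipaddress.ip_address(private_ip).is_private:
            raise ValueError("only private network addresses of the controlled terminal are mapped")
        key = Address(private_ip, debug_port)
        if key in self._to_public:                    # idempotent: reuse an existing mapping
            return Address(self.public_ip, self._to_public[key])
        lo, hi = self.port_range
        free = [p for p in range(lo, hi + 1) if p not in self._to_private]
        if not free:
            raise RuntimeError("no temporary port available")
        temp_port = secrets.choice(free)              # unpredictable temporary port
        self._to_private[temp_port] = key
        self._to_public[key] = temp_port
        return Address(self.public_ip, temp_port)

    def translate_instruction(self, message):
        """Control instruction from the control terminal: public target -> private target."""
        dst = Address(message["dst_ip"], message["dst_port"])
        if dst.ip != self.public_ip or dst.port not in self._to_private:
            return None                                # unknown temporary port: drop, do not guess
        private = self._to_private[dst.port]
        return {**message, "dst_ip": private.ip, "dst_port": private.port}

    def translate_feedback(self, message):
        """Feedback from the controlled terminal: private source -> public source."""
        src = Address(message["src_ip"], message["src_port"])
        temp_port = self._to_public.get(src)
        if temp_port is None:
            return None                                # no live mapping for this terminal
        return {**message, "src_ip": self.public_ip, "src_port": temp_port}

    def close_mapping(self, temp_port):
        """Mapping-closing instruction: release the target mapping port."""
        key = self._to_private.pop(temp_port, None)
        if key is not None:
            del self._to_public[key]
        return key is not None
```

A message whose temporary port is not in the table is returned as `None` rather than forwarded, so that after the mapping-closing instruction nothing reaches the controlled terminal through the old port.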
S500, the control terminal establishes VPN connection with the controlled terminal through a VPN server according to the VPN dynamic password;
Specifically, the control terminal generates VPN login information according to the VPN dynamic password sent by the operation and maintenance management server, that is, the VPN login information includes the VPN dynamic password generated by the operation and maintenance management server, and then the control terminal sends the VPN login information to the VPN server to request a login connection. Since the VPN server has received and stored the VPN dynamic password from the wireless gateway, after the VPN server receives the VPN login information sent by the control terminal it compares the VPN dynamic password in the VPN login information with the stored VPN dynamic password to determine whether the two are consistent; if they are not consistent, the VPN server refuses the connection. Of course, if the VPN dynamic password in the VPN login information is consistent with the stored VPN dynamic password, the VPN server and the control terminal establish a second VPN connection channel. Since the first VPN connection channel has already been established between the VPN server and the controlled terminal, the control terminal obtains the public network mapping IP address and temporary port number of the controlled terminal from the VPN server.
If the control terminal sends a control instruction whose target address is the public network mapping IP address and temporary port number of the controlled terminal to the VPN server, then after receiving the control instruction the VPN server converts the public network mapping IP address and temporary port number of the controlled terminal in the control instruction message into the private network IP address and debugging port number of the controlled terminal, and sends the control instruction to the corresponding controlled terminal. After the controlled terminal receives the control instruction forwarded by the VPN server, it executes the corresponding operations (including but not limited to fault detection and data search) according to the control instruction. Certainly, if a response needs to be fed back to the control terminal after the control instruction is received, the controlled terminal generates feedback information (including but not limited to an instruction response, a fault detection result, and shared data) and sends it to the VPN server, which forwards it to the control terminal. The feedback information carries the private network IP address and debugging port number of the controlled terminal; after receiving the feedback information sent by the controlled terminal, the VPN server converts the private network IP address and debugging port number of the controlled terminal in the feedback information into the public network mapping IP address and temporary port number of the controlled terminal, and then sends the feedback information containing the public network mapping IP address and temporary port number of the controlled terminal to the control terminal.
After the wireless gateway maps the debugging private network address of the controlled terminal to the temporary public network address on the VPN server, the connection between the VPN server and the wireless gateway is established, and the first connection channel is established between the VPN server and the controlled terminal because the controlled terminal is connected with the wireless gateway. Once the VPN server completes verification of the VPN dynamic password sent by the control terminal, the control terminal can directly access the controlled terminal to perform remote interactive work with the assistance of the wireless gateway, the VPN server, the operation and maintenance management server and the message server after the control terminal and the VPN server establish a second VPN connection channel.
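The registration record kept by the VPN server (the index configuration file holding the VPN dynamic password and the control terminal's identification, stored under a partition path, as in the registration step above) and the login check in step S500, as an added worked example that is not code from the patent or the applicant. The file layout (one JSON file per password, named by a hash of the password, inside a two-character partition directory), the class and method names, the constructed password and addresses, and the decision to reject a login whose control terminal identification differs from the registered one are all assumptions made for this example; the patent only states that the identification is stored alongside the password.

```python
import hashlib
import hmac
import json
import os
import tempfile


class VpnServerRegistry:
    """Hypothetical registration store on the VPN server (layout is an assumption)."""

    def __init__(self, partition_root):
        self.partition_root = partition_root

    @staticmethod
    def _digest(vpn_dynamic_password):
        return hashlib.sha256(vpn_dynamic_password.encode("utf-8")).hexdigest()

    def _index_path(self, digest):
        # Files are named by the hash, not by the password, so a directory
        # listing does not expose live passwords; the first two hex characters
        # select the partition directory.
        return os.path.join(self.partition_root, digest[:2], digest + ".json")

    def register(self, vpn_dynamic_password, terminal_ip, terminal_port):
        """Store the password together with the control terminal's identification."""
        digest = self._digest(vpn_dynamic_password)
        path = self._index_path(digest)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        record = {"password_sha256": digest,
                  "terminal_ip": terminal_ip,
                  "terminal_port": terminal_port}
        with open(path, "w", encoding="utf-8") as f:
            json.dump(record, f)
        os.chmod(path, 0o600)      # readable by the VPN service only
        return path

    def verify_login(self, login_info):
        """Check VPN login information; return the registration record, or None to refuse."""
        digest = self._digest(login_info.get("vpn_dynamic_password", ""))
        path = self._index_path(digest)
        if not os.path.isfile(path):
            return None            # no registration for this password
        with open(path, encoding="utf-8") as f:
            record = json.load(f)
        if not hmac.compare_digest(record["password_sha256"], digest):
            return None            # constant-time comparison of the stored value
        # Assumption beyond the text: the login must come from the control
        # terminal whose identification was registered with this password.
        presented = (login_info.get("terminal_ip"), login_info.get("terminal_port"))
        if presented != (record["terminal_ip"], record["terminal_port"]):
            return None
        return record

    def destroy(self, vpn_dynamic_password):
        """Password-destroying instruction: delete the record when the effective duration is reached."""
        path = self._index_path(self._digest(vpn_dynamic_password))
        try:
            os.remove(path)
            return True
        except FileNotFoundError:
            return False


def run_example():
    """End-to-end flow with constructed values; returns the outcomes as booleans."""
    with tempfile.TemporaryDirectory() as root:
        reg = VpnServerRegistry(root)
        # Constructed dynamic password and control terminal identification.
        reg.register("Qm7x9pLw", "198.51.100.7", 51000)
        ok = {"vpn_dynamic_password": "Qm7x9pLw", "terminal_ip": "198.51.100.7", "terminal_port": 51000}
        bad_pw = dict(ok, vpn_dynamic_password="Qm7x9pLx")
        bad_terminal = dict(ok, terminal_ip="198.51.100.8")
        good = reg.verify_login(ok)
        wrong_password = reg.verify_login(bad_pw)
        wrong_terminal = reg.verify_login(bad_terminal)
        destroyed = reg.destroy("Qm7x9pLw")
        after_destroy = reg.verify_login(ok)
        return {"good": good is not None,
                "wrong_password": wrong_password is None,
                "wrong_terminal": wrong_terminal is None,
                "destroyed": destroyed,
                "after_destroy": after_destroy is None,
                "destroy_twice": reg.destroy("Qm7x9pLw") is False}
```

`run_example()` registers one constructed password, checks a correct login, a login with a one-character password difference, a login from a different control terminal, and then the state after the password-destroying instruction; a single password therefore opens exactly one second VPN connection channel and nothing once it is destroyed.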
S610, when the timing reaches the effective time length, the operation and maintenance management server generates and sends a password destroying instruction to the VPN server, so that the VPN server deletes the VPN dynamic password which reaches the effective time length;
S620, the operation and maintenance management server generates a mapping closing instruction while generating the password destroying instruction, and sends the mapping closing instruction to the wireless gateway, so that the wireless gateway closes the target mapping port to disconnect the VPN connecting channel.
Specifically, after the operation and maintenance management server generates the VPN dynamic password, it sets a timeout timer, and subsequently the operation and maintenance management server can determine how long ago it generated the VPN dynamic password by reading the time counted by the timeout timer. For example, after the operation and maintenance management server generates the VPN dynamic password "xxxxxx" and sets the corresponding timeout timer, assuming that the operation and maintenance management server sets the corresponding effective duration to 5 s, then once 5 seconds have passed the operation and maintenance management server generates and sends a password destruction instruction to the VPN server, so that the VPN server deletes the VPN dynamic password "xxxxxx" whose timing has reached the effective duration. Meanwhile, the operation and maintenance management server also generates a mapping closing instruction and sends it to the wireless gateway, so that the wireless gateway closes the target mapping port, which is the debugging port number of the controlled terminal correspondingly allocated to the VPN dynamic password "xxxxxx" by the VPN server, so as to disconnect the first VPN connection channel between the controlled terminal and the VPN server.
Preferably, when the operation and maintenance management server reaches a time point a preset time length before the effective duration is reached, it sends a prompt message to the control terminal. The prompt message is displayed on the display interface of the control terminal to inform the operation and maintenance personnel that the effective duration of the VPN dynamic password is about to expire and to ask whether they wish to delay. If the operation and maintenance personnel choose to delay before the effective duration is reached, the control terminal sends a delay request to the operation and maintenance management server, and the operation and maintenance management server updates the effective duration of the corresponding VPN dynamic password. Of course, if the operation and maintenance personnel choose not to delay before the effective duration is reached, or have not responded by the time the timing reaches the effective duration, the operation and maintenance management server keeps the initially set effective duration for timing and instruction generation.
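The timer behaviour of steps S610 and S620 and the delay option above, as an added example that is not code from the patent or the applicant: the operation and maintenance management server records the generation time and effective duration of each VPN dynamic password, emits a prompt to the control terminal a preset lead time before expiry, accepts a delay request only while the password is still within its effective duration, and on expiry emits the password destruction instruction for the VPN server together with the mapping closing instruction for the wireless gateway. The clock is injected so the example can be stepped deterministically; the class names, instruction dictionaries, password alphabet and the 8-character length are assumptions for this example (the patent's "xxxxxx" is only a placeholder).

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List

ALPHABET = string.ascii_letters + string.digits   # assumed password alphabet


class ManualClock:
    """Constructed clock so the timer can be stepped deterministically in tests."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


@dataclass
class DynamicPasswordRecord:
    password: str
    created_at: float
    effective_duration: float   # seconds until the password expires
    prompt_lead: float          # seconds before expiry at which the control terminal is prompted
    target_mapping_port: int    # temporary port the wireless gateway must close on expiry
    prompted: bool = False
    closed: bool = False


class OpsManagementTimer:
    """Hypothetical timeout bookkeeping on the operation and maintenance management server."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.records: Dict[str, DynamicPasswordRecord] = {}

    def generate_password(self, effective_duration, prompt_lead, target_mapping_port, length=8):
        """Generate a random dynamic password and start its timer."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.records[password] = DynamicPasswordRecord(
            password, self.clock(), effective_duration, prompt_lead, target_mapping_port)
        return password

    def request_delay(self, password, extra_seconds):
        """Delay request from the control terminal; accepted only before expiry."""
        r = self.records.get(password)
        if r is None or r.closed or self.clock() >= r.created_at + r.effective_duration:
            return False
        r.effective_duration += extra_seconds
        r.prompted = False            # prompt again before the new expiry
        return True

    def tick(self) -> List[dict]:
        """Emit the instructions due now: a prompt, or destroy + mapping-close on expiry."""
        now = self.clock()
        instructions = []
        for r in self.records.values():
            if r.closed:
                continue
            expiry = r.created_at + r.effective_duration
            if now >= expiry:
                instructions.append({"type": "password_destroy", "to": "vpn_server",
                                     "password": r.password})
                instructions.append({"type": "mapping_close", "to": "wireless_gateway",
                                     "target_mapping_port": r.target_mapping_port})
                r.closed = True       # never emitted twice
            elif not r.prompted and now >= expiry - r.prompt_lead:
                instructions.append({"type": "prompt", "to": "control_terminal",
                                     "seconds_left": expiry - now})
                r.prompted = True
        return instructions
```

With a 5 s effective duration and a 2 s prompt lead, as in the page's example, `tick()` is silent until 3 s, prompts once, and at 5 s emits the two instructions; a delay request accepted at 3 s moves both events by the requested amount, while a request arriving after expiry is refused and the initial duration stands.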
If the method is applied to an equipment maintenance scene, after the control terminal is powered on, a VPN connection request is firstly initiated to the operation and maintenance management server to detect whether the VPN is connected, if the VPN connection is normal, the control terminal enters a detection state, the control terminal initiates the VPN connection request through the operation and maintenance management server, and then the message server triggers a wireless gateway at a different place through the Internet to build a VPN connection channel. For example, the control terminal may send a test instruction to the controlled terminal through the wireless gateway and the VPN server for testing. Similarly, the controlled terminal can send the working log and the fault information to the control terminal through the wireless gateway and the VPN server, and the control terminal can analyze and diagnose the received information in time and quickly return the solution to remove the fault in time and effectively. In addition, when the control terminal selects different controlled terminals, different information is detected, only different VPN connection requests need to be sent, and different VPN connection channels are created by the VPN server for distributing different temporary public network addresses for different controlled terminals, so that the control terminal can perform information interaction with different controlled terminals through different VPN connection channels.
According to this embodiment, with the assistance of the wireless gateway, the VPN server, the operation and maintenance management server and the message server, maintenance personnel can use the control terminal to interact remotely with the controlled terminal, and can remotely access the controlled terminal by means of the control terminal to quickly find the cause of a fault and work out a solution, so that field faults are resolved quickly and in time. The control terminal uses the VPN dynamic password issued by the operation and maintenance management server to access the controlled terminal through the VPN server and maintain it remotely, which improves the timeliness of repairing the controlled terminal and reduces the labor and travel costs of attending at a different location.
In an embodiment of the present invention, as shown in fig. 3, a VPN connection implementation system includes: the system comprises an operation and maintenance management server, a control terminal, a VPN server, a wireless gateway and a controlled terminal;
the control terminal is used for initiating a VPN connection request and establishing VPN connection with the controlled terminal through the VPN server according to the VPN dynamic password generated by the operation and maintenance management server;
the operation and maintenance management server is used for generating a VPN dynamic password after monitoring the VPN connection request, then starting timing and respectively issuing the VPN dynamic password to the VPN server and the control terminal, and is also used for controlling the VPN server to cancel the VPN dynamic password and controlling the VPN connection channel to be disconnected when the timing reaches the effective duration;
the VPN server is used for registering according to the VPN dynamic password;
and the wireless gateway is used for creating a VPN connecting channel between the controlled terminal and the VPN server when the triggering condition is met.
Specifically, this embodiment is a system embodiment corresponding to the above method embodiment, and specific effects refer to the above method embodiment, which is not described in detail herein.
Based on the foregoing embodiment, the operation and maintenance management server includes:
the first communication module is used for acquiring a communication message sent by the control terminal;
the first analysis module is used for determining that the VPN connection request is monitored if the communication message comprises a preset key field; the VPN connection request includes identification information of the control terminal;
the first processing module is used for generating a corresponding VPN dynamic password and setting the effective duration corresponding to the VPN dynamic password;
and the timing module is used for starting timing after the VPN dynamic password is generated.
Specifically, this embodiment is a system embodiment corresponding to the above method embodiment, and specific effects refer to the above method embodiment, which is not described in detail herein.
Based on the foregoing embodiments, the VPN server includes:
the second communication module is used for receiving the VPN dynamic password sent by the operation and maintenance management server and the identification information of the corresponding control terminal;
and the second processing module is used for storing the association relationship between the VPN dynamic password and the identification information to complete registration.
Specifically, this embodiment is a system embodiment corresponding to the above method embodiment, and specific effects refer to the above method embodiment, which is not described in detail herein.
Based on the foregoing embodiment, further comprising: a message server, the message server comprising:
the third communication module is used for receiving the connection instruction and the VPN dynamic password generated and sent by the operation and maintenance management server and forwarding the connection instruction and the VPN dynamic password to the wireless gateway; the connection instruction is generated when the operation and maintenance management server receives a VPN connection request;
the wireless gateway includes:
the fourth communication module is used for receiving a connection instruction and a VPN dynamic password;
and the third processing module is used for determining that the trigger condition is met when the connection instruction and the VPN dynamic password are received, and mapping the debugging private network address of the controlled terminal to the temporary public network address on the VPN server to complete the creation of a VPN connection channel.
Based on the foregoing embodiment, the operation and maintenance management server further includes:
the command generation module is used for generating a password destruction command and a mapping closing command when the timing reaches the effective duration;
the first communication module is also used for sending a password destroying instruction to the VPN server so that the VPN server deletes the VPN dynamic password which reaches the effective time length in timing;
the first communication module is further configured to send a mapping closing instruction to the wireless gateway, so that the wireless gateway closes the target mapping port to disconnect the VPN connection channel.
Specifically, this embodiment is a system embodiment corresponding to the above method embodiment, and specific effects refer to the above method embodiment, which is not described in detail herein.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of program modules is illustrated, and in practical applications, the above-described distribution of functions may be performed by different program modules, that is, the internal structure of the apparatus may be divided into different program units or modules to perform all or part of the above-described functions. Each program module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one processing unit, and the integrated unit may be implemented in a form of hardware, or may be implemented in a form of software program unit. In addition, the specific names of the program modules are only used for distinguishing the program modules from one another, and are not used for limiting the protection scope of the application.
It should be noted that the above embodiments can be freely combined as necessary. The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A VPN connection implementation method is characterized by comprising the following steps:
the control terminal initiates a VPN connection request;
if the operation and maintenance management server monitors the VPN connection request, a VPN dynamic password is generated, then timing is started, and the VPN dynamic password is respectively issued to a VPN server and a control terminal;
the VPN server registers according to the VPN dynamic password;
the wireless gateway establishes a VPN connecting channel between the controlled terminal and the VPN server when meeting a triggering condition; the controlled terminal is connected with the wireless gateway in advance through a network cable; the triggering condition is that the wireless gateway receives a connection instruction and a VPN dynamic password forwarded by a message server, and the connection instruction is generated by the operation and maintenance management server;
the control terminal establishes VPN connection with the controlled terminal through the VPN server according to the VPN dynamic password;
and when the timing reaches the effective duration, the operation and maintenance management server controls the VPN server to log out the VPN dynamic password and controls to disconnect the VPN connecting channel.
2. The VPN connection implementation method according to claim 1, wherein the operation and maintenance management server generates a VPN dynamic password if it monitors the VPN connection request, and then starts timing, including the steps of:
the operation and maintenance management server acquires a communication message sent by the control terminal;
if the communication message comprises a preset key field, the operation and maintenance management server determines to monitor the VPN connection request; the VPN connection request includes identification information of the control terminal;
and the operation and maintenance management server generates a VPN dynamic password, sets the effective time length of the VPN dynamic password and starts timing.
3. The VPN connection implementation method according to claim 1, wherein said registering by said VPN server according to said VPN dynamic password comprises the steps of:
the VPN server receives a VPN dynamic password and identification information of a corresponding control terminal sent by the operation and maintenance management server;
and the VPN server stores the association relationship between the VPN dynamic password and the identification information to complete registration.
4. The VPN connection implementation method according to claim 1, wherein the step of creating a VPN connection path between the controlled terminal and the VPN server by the wireless gateway when the trigger condition is satisfied comprises the steps of:
the message server receives a connection instruction and a VPN dynamic password which are generated and sent by the operation and maintenance management server; the connection instruction is generated when the operation and maintenance management server receives the VPN connection request;
the message server forwards the connection instruction and the VPN dynamic password to the wireless gateway;
and the wireless gateway determines that a trigger condition is met when receiving the connection instruction and the VPN dynamic password, and maps the debugging private network address of the controlled terminal to the temporary public network address on the VPN server to complete the creation of the VPN connection channel.
5. The VPN connection implementation method according to any of claims 1-4, wherein the operation and maintenance management server controls the VPN server to log out the VPN dynamic password and to disconnect the VPN connection channel when the time reaches a valid duration, comprising the steps of:
when the timing reaches the effective time length, the operation and maintenance management server generates and sends a password destroying instruction to the VPN server, so that the VPN server deletes the VPN dynamic password of which the timing reaches the effective time length;
the operation and maintenance management server generates a mapping closing instruction while generating the password destroying instruction, and sends the mapping closing instruction to the wireless gateway, so that the wireless gateway closes a target mapping port to disconnect the VPN connecting channel.
6. A VPN connection implementation system, comprising: the system comprises an operation and maintenance management server, a control terminal, a VPN server, a wireless gateway, a message server and a controlled terminal;
the control terminal is used for initiating a VPN connection request and establishing VPN connection with the controlled terminal through the VPN server according to a VPN dynamic password generated by the operation and maintenance management server;
the operation and maintenance management server is used for generating a VPN dynamic password if a VPN connection request is monitored, then starting timing and respectively issuing the VPN dynamic password to a VPN server and a control terminal, and is also used for controlling the VPN server to cancel the VPN dynamic password and controlling the VPN connection channel to be disconnected when the timing reaches an effective duration;
the VPN server is used for registering according to the VPN dynamic password;
the wireless gateway is used for establishing a VPN connecting channel between the controlled terminal and the VPN server when a triggering condition is met; the triggering condition is that the wireless gateway receives a connection instruction and a VPN dynamic password forwarded by a message server, and the connection instruction is generated by the operation and maintenance management server.
7. The VPN connection implementation system of claim 6, wherein the operation and maintenance management server comprises:
the first communication module is used for acquiring a communication message sent by the control terminal;
the first analysis module is used for determining to monitor the VPN connection request if the communication message comprises a preset key field; the VPN connection request includes identification information of the control terminal;
the first processing module is used for generating a corresponding VPN dynamic password and setting the effective duration corresponding to the VPN dynamic password;
and the timing module is used for starting timing after the VPN dynamic password is generated.
8. The VPN connection implementation system according to claim 6, wherein said VPN server comprises:
the second communication module is used for receiving the VPN dynamic password sent by the operation and maintenance management server and the identification information of the corresponding control terminal;
and the second processing module is used for storing the association relationship between the VPN dynamic password and the identification information to complete registration.
9. The VPN connection implementation system according to claim 6, wherein the message server comprises:
the third communication module is used for receiving the connection instruction and the VPN dynamic password generated and sent by the operation and maintenance management server and forwarding the connection instruction and the VPN dynamic password to the wireless gateway; the connection instruction is generated when the operation and maintenance management server receives the VPN connection request;
the wireless gateway includes:
the fourth communication module is used for receiving the connection instruction and the VPN dynamic password;
and the third processing module is used for determining that a trigger condition is met when the connection instruction and the VPN dynamic password are received, and mapping the debugging private network address of the controlled terminal to the temporary public network address on the VPN server to complete the creation of the VPN connection channel.
10. The VPN connection implementation system according to claim 7, wherein the operation and maintenance management server further comprises:
the command generation module is used for generating a password destruction command and a mapping closing command when the timing reaches the effective duration;
the first communication module is further configured to send the password destruction instruction to the VPN server, so that the VPN server deletes the VPN dynamic password timed to reach the valid duration;
the first communication module is further configured to send the mapping closing instruction to the wireless gateway, so that the wireless gateway closes the target mapping port to disconnect the VPN connection channel.
CN202011135163.2A 2020-10-22 2020-10-22 VPN connection implementation method and system Active CN112019571B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011135163.2A CN112019571B (en) 2020-10-22 2020-10-22 VPN connection implementation method and system

Publications (2)

Publication Number Publication Date
CN112019571A CN112019571A (en) 2020-12-01
CN112019571B true CN112019571B (en) 2021-01-15

Family

ID=73527678

Country Status (1)

Country Link
CN (1) CN112019571B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114629774A (en) * 2020-12-11 2022-06-14 北京发那科机电有限公司 Data transmission unit DTU equipment and network connection method
CN114866265B (en) * 2021-01-20 2024-04-19 晶晨半导体(上海)股份有限公司 Network connection method, router, administrator terminal device, and communication device
CN113839809B (en) * 2021-08-26 2024-07-12 上海探寻信息技术有限公司 Method, equipment and system for upgrading server
CN114157532A (en) * 2021-11-24 2022-03-08 浙江中控技术股份有限公司 Remote control method, system, electronic device and storage medium
CN114244900B (en) * 2021-12-14 2023-10-20 乾讯信息技术(无锡)有限公司 VPN cipher machine remote safety management method based on unstable channel connection
CN114257455A (en) * 2021-12-28 2022-03-29 北京爱学习博乐教育科技有限公司 Method and system for connecting enterprise VPN by using dynamic password
CN114650471B (en) * 2022-03-28 2023-12-26 洛阳萃泽信息科技有限公司 Numerical control machine tool acquisition system, centralized acquisition module and machine tool data acquisition method
CN114879646A (en) * 2022-06-09 2022-08-09 深圳市元征科技股份有限公司 Vehicle remote diagnosis method, vehicle connector, diagnostic instrument and system
CN116436956A (en) * 2023-04-12 2023-07-14 上海智引信息科技有限公司 Method, device, medium and equipment for VPN remote management of Internet of things equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1756148A (en) * 2004-09-30 2006-04-05 阿尔卡特公司 Mobile authentication for web access
CN101621503A (en) * 2008-06-30 2010-01-06 中华电信股份有限公司 Identity recognition system and method applied to virtual private network architecture
CN107566396A (en) * 2017-09-28 2018-01-09 郑州云海信息技术有限公司 A kind of method based on dynamic password enhancing server VPN protocol securitys
CN110290150A (en) * 2019-07-17 2019-09-27 秒针信息技术有限公司 A kind of login validation method and login authentication device of Virtual Private Network VPN
CN111133729A (en) * 2017-09-05 2020-05-08 思杰系统有限公司 Securing security of a data connection for communication between two endpoints
CN111683054A (en) * 2014-10-31 2020-09-18 华为技术有限公司 Method and apparatus for remote access

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123305B (en) * 2011-02-16 2014-03-12 深圳市同洲电子股份有限公司 Method and system for realizing network transmission troubleshooting

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1756148A (en) * 2004-09-30 2006-04-05 阿尔卡特公司 Mobile authentication for web access
CN101621503A (en) * 2008-06-30 2010-01-06 中华电信股份有限公司 Identity recognition system and method applied to virtual private network architecture
CN111683054A (en) * 2014-10-31 2020-09-18 华为技术有限公司 Method and apparatus for remote access
CN111133729A (en) * 2017-09-05 2020-05-08 思杰系统有限公司 Securing security of a data connection for communication between two endpoints
CN107566396A (en) * 2017-09-28 2018-01-09 郑州云海信息技术有限公司 A kind of method based on dynamic password enhancing server VPN protocol securitys
CN110290150A (en) * 2019-07-17 2019-09-27 秒针信息技术有限公司 A kind of login validation method and login authentication device of Virtual Private Network VPN

Also Published As

Publication number Publication date
CN112019571A (en) 2020-12-01

Similar Documents

Publication Publication Date Title
CN112019571B (en) VPN connection implementation method and system
CN103297437B (en) A method for secure access by a mobile intelligent terminal to a server
US20020004847A1 (en) System for performing remote operation between firewall-equipped networks or devices
CN101242324B (en) A remote secure access method and system based on the SSL protocol
US20140165182A1 (en) System for secure transfer of information from an industrial control system network
CN103179100B (en) A method and apparatus for preventing domain name system (DNS) tunnel attacks
GB2363548A (en) Computer systems, in particular virtual private networks
CN101138219A (en) Communication method between client computers
CN113114643B (en) Operation and maintenance access method and system for an operation and maintenance auditing system
CN105071989A (en) Video content distribution quality monitoring system and monitoring method therefor
CN104113443A (en) Network equipment detection method, device and cloud detection system
CN102638472B (en) Portal authentication method and equipment
WO2016070633A1 (en) Network log generation method and device
CN109150661A (en) A device discovery method and apparatus
CN113806447A (en) Data synchronization method, device, equipment and medium
CN113660356B (en) Network access method, system, electronic device and computer readable storage medium
US10419388B2 (en) Method and system for dark matter scanning
CN103001928A (en) Communication method for terminals interconnected across different networks
CN106470248A (en) Hot standby method and system for a DNSSEC digital signature service
CN109587134A (en) Method, apparatus, device and medium for security authentication of an interface bus
CN117527840A (en) All-in-one card management platform system for resident services
CN114598507A (en) Attacker portrait generation method and device, terminal equipment and storage medium
KR20090014573A (en) JP tunnel management method and device
US20170019416A1 (en) Method and system for dark matter scanning
Yoon et al. Implementation of the automated network vulnerability assessment framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A VPN Connection Implementation Method and System

Granted publication date: 20210115

Pledgee: CITIC Bank Co., Ltd., Shanghai Branch

Pledgor: Qieyun (Shanghai) Internet of Things Technology Co., Ltd.

Registration number: Y2024310000288