CN110891008A - IP proxy method based on L2TP/IPSEC - Google Patents
IP proxy method based on L2TP/IPSEC
- Publication number
- CN110891008A (application number CN201911147481.8A)
- Authority
- CN
- China
- Prior art keywords
- server
- ipsec
- l2tp
- socks5
- method based
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2521—Translation architectures other than single NAT servers
- H04L61/2528—Translation at a proxy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2592—Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/59—Network arrangements, protocols or services for addressing or naming using proxies for addressing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/162—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an IP proxy method based on L2TP/IPSEC, relating to a conversion server, comprising the following steps: s1, establishing VPN tunnel between the conversion server and the user terminal; s2, establishing connection with a SOCKS5 server, and waiting for connection at a local binding port; s3, forwarding the VPN traffic to a SOCKS5 server: on the PREROUTING chain, packets whose source addresses are peer IPs are all redirected to the bound port. The present invention adds a conversion server between the user terminal and the SOCKS5 server. The user terminal sends the traffic to the conversion server via L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.
Description
Technical Field
The invention relates to the technical field of communication, in particular to an IP proxy method based on L2TP/IPSEC.
Background
The proxy services offered by current IP proxy providers are mainly HTTP proxies and SOCKS5 proxies. Software that supports HTTP or SOCKS5 proxies, such as browsers, is convenient to use, but most software does not support them, for example the various common game clients. For this case, the current solution is to install global proxy software on the client, intercept all of the client's traffic, convert it to the SOCKS5 protocol, and then send it to the proxy server.
Global proxy software, however, has the following disadvantages: 1. Proxy software has to be installed on the user's terminal; terminal operating systems vary, Android in particular is heavily fragmented, and a large amount of adaptation work is involved. 2. Client operating systems are of many kinds; for each common one, such as Android, iOS, macOS, Windows and Linux, separate global proxy software has to be developed, and the workload is huge. 3. Because the proxy software is installed on the user's terminal, problems have to be debugged jointly with the user, and the client is usually a non-professional, which makes debugging and maintenance difficult.
Disclosure of Invention
In order to solve the problems, the invention provides an IP proxy method based on L2TP/IPSEC, and a conversion server is added between a user terminal and a SOCKS5 server. The user terminal sends the traffic to the conversion server via L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.
The invention adopts the following technical scheme:
an IP proxy method based on L2TP/IPSEC relates to a conversion server, and comprises the following steps:
s1, establishing VPN tunnel between the conversion server and the user terminal;
s2, establishing connection with a SOCKS5 server, and waiting for connection at a local binding port;
s3, forwarding the VPN traffic to a SOCKS5 server: on the PREROUTING chain, packets whose source addresses are peer IPs are all redirected to the bound port.
Preferably, in step S1, the VPN tunnel is established using xl2tpd software, and the ipsec encryption service is implemented using libreswan software.
Preferably, in step S2, establishing connection with the SOCKS5 server is implemented by using redclocks software on Linux.
Preferably, in step S3, forwarding the VPN traffic to the SOCKS5 server is implemented by an iptables tool on Linux.
The invention has the beneficial effects that:
1. The invention allows the IP proxy service to be used directly through the VPN client built into the operating system, which avoids installing third-party software on the client terminal's operating system and makes the service easy for the client to use.
2. Using the VPN client built into the operating system gives a full-traffic proxy directly, so all software on the system can use it without changes.
3. L2TP/IPSEC is a common VPN protocol supported by default on almost all operating systems, so an IP proxy service provider can cover all common operating systems on the market without developing separate proxy software for each, which greatly reduces the development workload.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description only relate to some embodiments of the present invention and are not limiting on the present invention.
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a diagram illustrating a structural framework of a PREROUTING chain according to the present invention;
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.
Unless otherwise defined, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of the word "comprising" or "comprises", and the like, in this disclosure is intended to mean that the elements or items listed before that word, include the elements or items listed after that word, and their equivalents, without excluding other elements or items. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
The invention is further illustrated with reference to the following figures and examples.
As shown in fig. 1 to 2, an IP proxy method based on L2TP/IPSEC includes the following steps:
S1, establishing a VPN tunnel between the conversion server and the user terminal: an L2TP/IPSEC service is set up on the conversion server, xl2tpd is used to establish the VPN tunnel, and libreswan provides the IPSEC encryption service (including configuration of the communication key between the forwarding server and the user terminal). The user terminal establishes the VPN tunnel with the forwarding server using the VPN client built into its operating system. Because the operating system's own VPN client is used, a full-traffic proxy is obtained directly: all software on the client's operating system can use it, no third-party software has to be installed on the client terminal, and the client's use is simplified.
After the VPN tunnel is successfully established, a point-to-point network interface is created on the forwarding server; because the tunnel is a point-to-point interface, the peer (destination) IP address of that interface is the client's IP address.
S2, establishing a connection with a SOCKS5 server using the redclocks software on Linux, and waiting for connections on a local bound port;
S3, forwarding the VPN traffic to the SOCKS5 server with the iptables tool on Linux: on the PREROUTING chain, all packets whose source address is the peer IP are redirected to the port bound by the redclocks software.
As shown in FIG. 2, for the IPv4 protocol, five hook functions are defined at five key positions along the IP packet processing path. When a packet passes one of these positions, the corresponding hook function is called. A packet enters the IP protocol stack from the left; after IP validation it is processed by the first hook function, PRE_ROUTING, and then enters the routing module, which decides whether the packet is to be forwarded or delivered to the local machine.
If the packet is destined for the local machine, it is processed by the hook function LOCAL_IN and then passed to the local machine's upper-layer protocol; if it is to be forwarded, it is processed by the hook function FORWARD and then by the hook function POST_ROUTING before being transmitted to the network. Packets generated by local processes are processed by the hook function LOCAL_OUT, then routed, and then processed by the hook function POST_ROUTING before being sent to the network.
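The transparent redirect in steps S2 and S3 depends on two details the description leaves implicit: the PREROUTING rule must be limited to the tunnel side so that only VPN peers are redirected, and the process listening on the bound port must recover each connection's original destination, because after a REDIRECT the accepted socket's local address is the conversion server itself. The Python program below is an added example written for this page; it is not the patent's code and not the "redclocks" software the patent names (the behaviour described matches the widely used redsocks redirector, which this example assumes it is standing in for). It plays that role on a Linux conversion server for TCP traffic: it reads the original destination through the netfilter SO_ORIGINAL_DST socket option and issues a SOCKS5 CONNECT (RFC 1928, no-authentication method) for it. It assumes a nat rule such as `iptables -t nat -A PREROUTING -i ppp+ -p tcp -j REDIRECT --to-ports 12345` (ppp+ matches the point-to-point interfaces created for each L2TP session) and a SOCKS5 server at the placeholder address in SOCKS_HOST/SOCKS_PORT; BIND_PORT, the helper names and the constructed sockaddr sample are this example's own assumptions.

```python
"""Transparent TCP-to-SOCKS5 relay for the conversion server (added example).

Assumed environment (not taken from the patent text):
  * Linux, with a nat rule such as
      iptables -t nat -A PREROUTING -i ppp+ -p tcp -j REDIRECT --to-ports 12345
  * a SOCKS5 server that accepts the NO AUTHENTICATION method.
"""
import selectors
import socket
import struct
import threading

SO_ORIGINAL_DST = 80                     # from linux/netfilter_ipv4.h
SOL_IP = getattr(socket, "SOL_IP", 0)    # IPPROTO_IP == 0 where SOL_IP is absent
BIND_PORT = 12345                        # port the REDIRECT rule targets (assumption)
SOCKS_HOST, SOCKS_PORT = "198.51.100.10", 1080   # placeholder SOCKS5 server address


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build a struct sockaddr_in in the kernel's layout (used for constructed samples)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST).

    After REDIRECT the accepted socket's local address is the conversion server;
    the address the tunnel peer actually dialled is only recoverable here.
    Layout: sa_family (2 bytes, host order), sin_port (2, network order),
    sin_addr (4), then 8 bytes of padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    if struct.unpack("=H", raw[:2])[0] != socket.AF_INET:
        raise ValueError("only AF_INET original destinations are handled")
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]


def build_socks5_connect(ip: str, port: int) -> bytes:
    """SOCKS5 CONNECT for an IPv4 target: VER=5 CMD=1 RSV=0 ATYP=1 DST.ADDR DST.PORT."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(ip) + struct.pack("!H", port)


def check_socks5_reply(head: bytes) -> bool:
    """True when a CONNECT reply starts with VER=5 and REP=0 (succeeded)."""
    return len(head) >= 2 and head[0] == 0x05 and head[1] == 0x00


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 handshake")
        buf += chunk
    return buf


def open_socks5_tunnel(ip: str, port: int) -> socket.socket:
    """Connect to the SOCKS5 server and ask it to reach ip:port on our behalf."""
    up = socket.create_connection((SOCKS_HOST, SOCKS_PORT))
    try:
        up.sendall(b"\x05\x01\x00")          # greeting: one method offered, NO AUTH
        if recv_exact(up, 2) != b"\x05\x00":
            raise ConnectionError("SOCKS5 server rejected the NO AUTH method")
        up.sendall(build_socks5_connect(ip, port))
        head = recv_exact(up, 4)             # VER REP RSV ATYP
        if not check_socks5_reply(head):
            raise ConnectionError(f"CONNECT to {ip}:{port} failed, REP={head[1]:#x}")
        atyp = head[3]                       # drain BND.ADDR + BND.PORT, unused for CONNECT
        if atyp == 0x01:
            recv_exact(up, 4 + 2)
        elif atyp == 0x04:
            recv_exact(up, 16 + 2)
        elif atyp == 0x03:
            recv_exact(up, recv_exact(up, 1)[0] + 2)
        else:
            raise ConnectionError(f"unknown ATYP {atyp:#x} in SOCKS5 reply")
    except Exception:
        up.close()
        raise
    return up


def pump(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes in both directions until either side closes."""
    with selectors.DefaultSelector() as sel:
        sel.register(a, selectors.EVENT_READ, b)
        sel.register(b, selectors.EVENT_READ, a)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(65536)
                if not data:
                    return
                key.data.sendall(data)


def handle_client(conn: socket.socket) -> None:
    try:
        ip, port = parse_original_dst(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))
        print(f"peer {conn.getpeername()[0]} -> {ip}:{port} via SOCKS5")   # audit record
        with open_socks5_tunnel(ip, port) as up:
            pump(conn, up)
    except (OSError, ValueError) as exc:
        print(f"dropping connection: {exc}")
    finally:
        conn.close()


def main() -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", BIND_PORT))   # the -i ppp+ match keeps the redirect tunnel-only
        srv.listen(128)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    main()
```

Only TCP can be carried this way, because SOCKS5 CONNECT is a TCP primitive: UDP from the tunnel, DNS in particular, is not matched by the `-p tcp` REDIRECT rule and needs separate handling on the conversion server (for example a local resolver), otherwise it leaves through the server's own uplink unproxied. Restricting the rule to `-i ppp+` matters because without it the server would redirect connections arriving on any interface into the relay; and the (ip, port) pair read from SO_ORIGINAL_DST is the natural place to log what each tunnel peer reached, since the SOCKS5 server only ever sees the conversion server's address.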
The present invention adds a conversion server between the user terminal and the SOCKS5 server. The user terminal sends the traffic to the conversion server via L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (4)
1. An IP proxy method based on L2TP/IPSEC is characterized in that, relating to a conversion server, the steps are as follows:
s1, establishing VPN tunnel between the conversion server and the user terminal;
s2, establishing connection with a SOCKS5 server, and waiting for connection at a local binding port;
s3, forwarding the VPN traffic to a SOCKS5 server: on the PREROUTING chain, packets whose source addresses are peer IPs are all redirected to the bound port.
2. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein in step S1, the VPN tunnel is established using xl2tpd software and IPSEC encryption service is implemented using libreswan software.
3. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein in step S2, establishing connection with SOCKS5 server is implemented by using redclocks software on Linux.
4. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein the step S3 of forwarding VPN traffic to SOCKS5 server is implemented by iptables tool on Linux.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911147481.8A CN110891008A (en) | 2019-11-21 | 2019-11-21 | IP proxy method based on L2TP/IPSEC |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911147481.8A CN110891008A (en) | 2019-11-21 | 2019-11-21 | IP proxy method based on L2TP/IPSEC |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110891008A true CN110891008A (en) | 2020-03-17 |
Family
ID=69748249
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911147481.8A Pending CN110891008A (en) | 2019-11-21 | 2019-11-21 | IP proxy method based on L2TP/IPSEC |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110891008A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114545860A (en) * | 2022-03-07 | 2022-05-27 | 河钢数字技术股份有限公司 | Remote PLC maintenance method based on gateway of Internet of things |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1941738A (en) * | 2005-09-29 | 2007-04-04 | 腾讯科技(深圳)有限公司 | Device and method for telecommunicating between customer end application component and object server |
CN102035904A (en) * | 2010-12-10 | 2011-04-27 | 北京中科大洋科技发展股份有限公司 | Method for converting TCP network communication server into client |
US20160359812A1 (en) * | 2005-06-03 | 2016-12-08 | Asavie R&D Limited | Secure network communication system and method |
CN106375493A (en) * | 2016-10-10 | 2017-02-01 | 腾讯科技(深圳)有限公司 | Cross-network communication method and proxy servers |
CN106534319A (en) * | 2016-11-22 | 2017-03-22 | 深圳市掌世界网络科技有限公司 | Method for direct access to target server through proxy server |
CN106685785A (en) * | 2016-12-27 | 2017-05-17 | 北京航空航天大学 | Intranet access system based on IPsec VPN proxy |
CN106713320A (en) * | 2016-12-23 | 2017-05-24 | 腾讯科技(深圳)有限公司 | Terminal data transmission method and device |
CN107231426A (en) * | 2017-06-15 | 2017-10-03 | 郑州云海信息技术有限公司 | A kind of multiple data centers access method, proxy server and system |
CN109347817A (en) * | 2018-10-12 | 2019-02-15 | 厦门安胜网络科技有限公司 | A kind of method and device that network security redirects |
CN110177128A (en) * | 2019-04-15 | 2019-08-27 | 深圳前海达闼云端智能科技有限公司 | Data transmission system and method for establishing VPN connection, terminal and VPN proxy thereof |
Non-Patent Citations (1)
Title |
---|
程思 (Cheng Si): "Research on Tunneling Technology in VPN" (VPN中的隧道技术研究), 《计算机技术与发展》 (Computer Technology and Development) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9288188B2 (en) | Computer communication system for communication via public networks | |
US8250643B2 (en) | Communication device, communication system, communication method, and program | |
US8995453B2 (en) | Systems and methods for providing a VPN solution | |
CA2545496C (en) | Virtual private network with pseudo server | |
CN107786613B (en) | Broadband remote access server BRAS forwarding implementation method and device | |
US7643416B2 (en) | Method and system for adaptively applying performance enhancing functions | |
US8699500B2 (en) | Method and apparatus to perform network routing | |
US7398552B2 (en) | Method and system for integrating performance enhancing functions in a virtual private network (VPN) | |
CN102340447B (en) | Remote port mirroring realization system and method | |
US20030172264A1 (en) | Method and system for providing security in performance enhanced network | |
WO2014082577A1 (en) | Remote debugging method and system | |
WO2015143802A1 (en) | Service function chaining processing method and device | |
US20160285976A1 (en) | Methods and systems for forwarding data | |
JP5679343B2 (en) | Cloud system, gateway device, communication control method, and communication control program | |
US7467229B1 (en) | Method and apparatus for routing of network addresses | |
US20220311701A1 (en) | Methods and systems for sending packets through a plurality of tunnels | |
EP3796601A1 (en) | Method and apparatus for managing virtual private network | |
US20160156742A1 (en) | Relaying system and method of transmitting ip address of client to server using encapsulation protocol | |
CN101026547A (en) | Method and system for accessing Intranct IPv6 host into global IPv6 network | |
CN110891008A (en) | IP proxy method based on L2TP/IPSEC | |
CN112839355B (en) | IPSEC testing system and method in network of 5G network | |
Cisco | Release Notes for Cisco 3200MARC Series Routers for IOS Release 12.2(11)YQ | |
Cisco | Configuring SNA Frame Relay Access Support | |
WO2014063357A1 (en) | Method for processing service message on remote access terminal and remote access terminal | |
WO2021192008A1 (en) | Packet transfer device, packet transfer method, and packet transfer program |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20200317