CN110891008A - IP proxy method based on L2TP/IPSEC - Google Patents


Info

Publication number
CN110891008A
Authority
CN
China
Prior art keywords
server
ipsec
l2tp
socks5
method based
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911147481.8A
Other languages
Chinese (zh)
Inventor
周正军
丁从军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Yunzhitianxia Technology Co Ltd
Original Assignee
Chengdu Yunzhitianxia Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2528 Translation at a proxy
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/59 Network arrangements, protocols or services for addressing or naming using proxies for addressing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IP proxy method based on L2TP/IPSEC that involves a conversion server and comprises the following steps: S1, establishing a VPN tunnel between the conversion server and the user terminal; S2, establishing a connection with a SOCKS5 server and waiting for connections on a locally bound port; S3, forwarding the VPN traffic to the SOCKS5 server: on the PREROUTING chain, all packets whose source address is the peer IP are redirected to the bound port. The invention adds a conversion server between the user terminal and the SOCKS5 server. The user terminal sends its traffic to the conversion server over the L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.

Description

IP proxy method based on L2TP/IPSEC
Technical Field
The invention relates to the technical field of communication, in particular to an IP proxy method based on L2TP/IPSEC.
Background
The proxy services offered by current IP proxy providers are mainly HTTP proxies and SOCKS5 proxies. Software that supports HTTP or SOCKS5 proxies, such as browsers, is convenient to use, but most software, for example the common game clients, does not support them. For this case, the current solution is to install global proxy software on the client, intercept all of the client's traffic, convert it to the SOCKS5 protocol and then send it to the proxy server.
Global proxy software has the following disadvantages: 1. Proxy software must be installed on the user's terminal; terminal operating systems differ, Android in particular is heavily fragmented, and a large amount of adaptation work is involved. 2. Client operating systems are numerous; global proxy software has to be developed separately for each common one, such as Android, iOS, macOS, Windows and Linux, which is a huge workload. 3. Because the proxy software is installed on the user's terminal, problems have to be debugged jointly with the user, who is generally not a professional, so debugging and maintenance are difficult.
Disclosure of Invention
In order to solve the problems, the invention provides an IP proxy method based on L2TP/IPSEC, and a conversion server is added between a user terminal and a SOCKS5 server. The user terminal sends the traffic to the conversion server via L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.
The invention adopts the following technical scheme:
An IP proxy method based on L2TP/IPSEC involves a conversion server and comprises the following steps:
S1, establishing a VPN tunnel between the conversion server and the user terminal;
S2, establishing a connection with a SOCKS5 server and waiting for connections on a locally bound port;
S3, forwarding the VPN traffic to the SOCKS5 server: on the PREROUTING chain, all packets whose source address is the peer IP are redirected to the bound port.
Preferably, in step S1, the VPN tunnel is established with the xl2tpd software and the IPSEC encryption service is implemented with the libreswan software.
Preferably, in step S2, the connection with the SOCKS5 server is established with the redclocks software on Linux.
Preferably, in step S3, forwarding the VPN traffic to the SOCKS5 server is implemented with the iptables tool on Linux.
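To make step S2 concrete, the following is an added example, not code from the patent or from any project named on the page: a minimal transparent TCP-to-SOCKS5 forwarder in Python that does what the text assigns to the "redclocks" software (taken here to mean a redsocks-style redirector, which is an assumption). It listens on a bound port, recovers the destination the client originally dialled through the SO_ORIGINAL_DST socket option that netfilter attaches to REDIRECTed connections, opens a SOCKS5 CONNECT (RFC 1928, no-authentication method) to the upstream proxy, and relays bytes in both directions. BIND_PORT and SOCKS5_PROXY are assumed values.

```python
"""Transparent TCP-to-SOCKS5 forwarder for the conversion server (added example).

A connection that the PREROUTING REDIRECT rule of step S3 diverted to BIND_PORT
arrives here; the original destination is read back with SO_ORIGINAL_DST, a
SOCKS5 CONNECT is opened to the upstream proxy, and bytes are relayed.
"""
import select
import socket
import struct
import threading

SO_ORIGINAL_DST = 80                    # value from linux/netfilter_ipv4.h
BIND_PORT = 12345                       # assumed: the port named in the iptables REDIRECT rule
SOCKS5_PROXY = ("203.0.113.10", 1080)   # assumed: upstream SOCKS5 server (documentation address)


def pack_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte sockaddr_in the kernel returns for SO_ORIGINAL_DST."""
    # sin_family is in host byte order; sin_port and sin_addr are in network byte order.
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H4s", port, socket.inet_aton(ip)) + b"\0" * 8


def parse_original_dst(raw: bytes) -> tuple:
    """Decode the sockaddr_in from SO_ORIGINAL_DST into (ip, port)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("SO_ORIGINAL_DST returned a non-IPv4 address")
    port, addr = struct.unpack_from("!H4s", raw, 2)
    return socket.inet_ntoa(addr), port


def build_greeting() -> bytes:
    return bytes([5, 1, 0])  # VER=5, NMETHODS=1, METHOD=0x00 "no authentication"


def build_connect(ip: str, port: int) -> bytes:
    return bytes([5, 1, 0, 1]) + socket.inet_aton(ip) + struct.pack("!H", port)  # CMD=CONNECT, ATYP=IPv4


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS5 server closed the connection during the handshake")
        buf += chunk
    return buf


def socks5_connect(upstream: socket.socket, ip: str, port: int) -> None:
    """Run the SOCKS5 method negotiation and CONNECT on an already connected socket."""
    upstream.sendall(build_greeting())
    ver, method = recv_exact(upstream, 2)
    if ver != 5 or method != 0:
        raise ConnectionError("SOCKS5 server rejected the no-authentication method")
    upstream.sendall(build_connect(ip, port))
    ver, rep, _rsv, atyp = recv_exact(upstream, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError("SOCKS5 CONNECT failed, REP=0x%02x" % rep)
    # Consume BND.ADDR and BND.PORT, whose length depends on ATYP.
    if atyp == 1:
        recv_exact(upstream, 4 + 2)
    elif atyp == 4:
        recv_exact(upstream, 16 + 2)
    elif atyp == 3:
        recv_exact(upstream, recv_exact(upstream, 1)[0] + 2)
    else:
        raise ConnectionError("unknown ATYP in SOCKS5 reply")


def relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes in both directions until either side closes."""
    while True:
        readable, _, _ = select.select([a, b], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return
            (b if s is a else a).sendall(data)


def handle_client(client: socket.socket) -> None:
    with client:
        dst_ip, dst_port = parse_original_dst(client.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))
        with socket.create_connection(SOCKS5_PROXY, timeout=10) as upstream:
            socks5_connect(upstream, dst_ip, dst_port)
            upstream.settimeout(None)
            relay(client, upstream)


def serve(bind=("0.0.0.0", BIND_PORT)) -> None:
    # REDIRECT rewrites the destination to the primary address of the interface the
    # packet arrived on (the tunnel's ppp interface), not to 127.0.0.1, so bind all
    # addresses and rely on the firewall to expose the port only to VPN peers.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(bind)
        ls.listen(128)
        while True:
            conn, _ = ls.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two points a practitioner should keep in mind with this design. Only TCP is carried: UDP from the client, DNS included, is not handled by a CONNECT-based forwarder and needs either a separate UDP path or a resolver on the conversion server. And the conversion server sees all client traffic in the clear between the IPsec tunnel and the SOCKS5 hop, so it, rather than the SOCKS5 server, is the trust boundary of the scheme.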
The invention has the beneficial effects that:
1. The invention lets the VPN client built into the operating system use the IP proxy service directly, so no third-party software has to be installed on the client terminal's operating system, which makes the service easier for the client to use.
2. Because the operating system's built-in VPN client is used, a full-traffic proxy is obtained directly, and all software on the system can use it.
3. L2TP/IPSEC is a common VPN protocol supported by default by almost all operating systems, so an IP proxy service provider can cover all common operating systems on the market without developing separate proxy software for each of them, which greatly reduces the development workload.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description only relate to some embodiments of the present invention and are not limiting on the present invention.
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a diagram illustrating a structural framework of a PREROUTING chain according to the present invention;
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.
Unless otherwise defined, technical or scientific terms used herein shall have the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The use of the word "comprising" or "comprises", and the like, in this disclosure is intended to mean that the elements or items listed before that word, include the elements or items listed after that word, and their equivalents, without excluding other elements or items. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
The invention is further illustrated with reference to the following figures and examples.
As shown in fig. 1 to 2, an IP proxy method based on L2TP/IPSEC includes the following steps:
S1, establishing a VPN tunnel between the conversion server and the user terminal: an L2TP/IPSEC service is set up on the conversion server, xl2tpd is used to establish the VPN tunnel and libreswan provides the IPSEC encryption service (including configuration of the communication key shared between the forwarding server and the user terminal); the user terminal establishes a VPN tunnel to the forwarding server with the VPN client built into its operating system. Because the operating system's built-in VPN client is used, a full-traffic proxy is obtained directly, all software on the client's operating system can use it, no third-party software has to be installed on the client terminal, and use by the client is simplified.
After the VPN tunnel is established, a point-to-point network interface is created on the forwarding server; because the tunnel is a point-to-point interface, the destination (peer) address of that interface is the IP address of the client.
S2, establishing a connection with a SOCKS5 server by using the redclocks software on Linux, and waiting for connections on a locally bound port;
S3, forwarding the VPN traffic to the SOCKS5 server with the iptables tool on Linux: on the PREROUTING chain, all packets whose source address is the peer IP are redirected to the port bound by the redclocks software.
As shown in fig. 2, for the IPv4 protocol five hook functions are defined at five key positions of the IP packet processing path. When a packet passes one of these positions, the corresponding hook function is called. A packet enters the IP protocol stack from the left; after IP validation it is processed by the first hook, PRE_ROUTING, and then enters the routing module, which decides whether the packet is to be forwarded or delivered to the local machine.
If the packet is destined for the local machine, it is processed by the LOCAL_IN hook and then passed to the local machine's upper-layer protocol; if it is to be forwarded, it is processed by the FORWARD hook and then by the POST_ROUTING hook before being transmitted to the network. Packets generated by local processes are processed by the LOCAL_OUT hook, then routed, and then transmitted to the network after the POST_ROUTING hook.
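Because the peer IP used in step S3 is assigned per tunnel, the PREROUTING rule has to be installed when pppd brings a session up and removed when it goes down. The following is an added example, not code from the patent: a pppd ip-up/ip-down hook in Python that builds and applies the nat PREROUTING REDIRECT rule for that peer, restricted to TCP and to the tunnel's ppp interface, together with filter rules that keep the peer from reaching anything on the conversion server other than the redirect port and from being forwarded unproxied. The argument order (interface, tty, speed, local IP, remote IP, ipparam) is the one pppd passes to /etc/ppp/ip-up; REDIRECT_PORT, and the expectation that no earlier INPUT or FORWARD rule already accepts the peer's traffic, are assumptions.

```python
"""pppd ip-up / ip-down hook installing the per-peer PREROUTING redirect (added example).

Install the same file as /etc/ppp/ip-up and /etc/ppp/ip-down (symlink); the
basename selects whether rules are appended (-A) or deleted (-D).
"""
from __future__ import annotations

import ipaddress
import os
import re
import subprocess
import sys

REDIRECT_PORT = 12345   # assumed: port the transparent forwarder listens on


def redirect_rules(iface: str, peer_ip: str, port: int = REDIRECT_PORT, add: bool = True) -> list[list[str]]:
    """iptables argv lists for one tunnel; the identical match spec with -D removes them."""
    op = "-A" if add else "-D"
    return [
        # nat/PREROUTING is hit before the routing decision (fig. 2), so changing the
        # destination here turns the packet into a local delivery instead of a forward.
        ["iptables", "-t", "nat", op, "PREROUTING", "-i", iface, "-s", peer_ip,
         "-p", "tcp", "-j", "REDIRECT", "--to-ports", str(port)],
        # SOCKS5 CONNECT carries TCP only; nothing else from the peer may be forwarded
        # onward with the conversion server acting as its router.
        ["iptables", op, "FORWARD", "-i", iface, "-s", peer_ip, "-j", "DROP"],
        # The peer may reach the redirect port on this host and nothing else.
        ["iptables", op, "INPUT", "-i", iface, "-s", peer_ip,
         "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"],
        ["iptables", op, "INPUT", "-i", iface, "-s", peer_ip, "-j", "DROP"],
    ]


def plan(args: list[str], add: bool) -> list[list[str]]:
    """Validate pppd's positional arguments and build the rule set for this session."""
    if len(args) < 5:
        raise ValueError("expected: interface tty speed local-ip remote-ip [ipparam]")
    iface, peer_ip = args[0], args[4]
    if not re.fullmatch(r"ppp\d+", iface):
        raise ValueError("refusing to install rules for non-ppp interface %r" % iface)
    ipaddress.IPv4Address(peer_ip)   # raises ValueError on anything that is not an IPv4 address
    return redirect_rules(iface, peer_ip, add=add)


def main() -> int:
    adding = os.path.basename(sys.argv[0]) != "ip-down"
    for cmd in plan(sys.argv[1:], adding):
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The interface match matters: the IPsec and L2TP control traffic itself arrives on the public interface (UDP 500, 4500 and 1701), so rules bound to the pppN interface never touch the tunnel's own transport, only the decapsulated client packets. The trailing INPUT DROP also blocks UDP, including DNS queries the client may send to the conversion server if pppd hands out its address as the resolver; in that case a matching ACCEPT for UDP 53 to a local resolver has to be added ahead of it.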
The present invention adds a conversion server between the user terminal and the SOCKS5 server. The user terminal sends the traffic to the conversion server via L2TP/IPSEC protocol, and the conversion server forwards the traffic to the SOCKS5 server.
Although the present invention has been described with reference to a preferred embodiment, it should be understood that various changes, substitutions and alterations can be made herein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (4)

1. An IP proxy method based on L2TP/IPSEC, characterized in that it involves a conversion server and comprises the following steps:
S1, establishing a VPN tunnel between the conversion server and the user terminal;
S2, establishing a connection with a SOCKS5 server and waiting for connections on a locally bound port;
S3, forwarding the VPN traffic to the SOCKS5 server: on the PREROUTING chain, all packets whose source address is the peer IP are redirected to the bound port.
2. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein in step S1 the VPN tunnel is established using the xl2tpd software and the IPSEC encryption service is implemented using the libreswan software.
3. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein in step S2 the connection with the SOCKS5 server is established using the redclocks software on Linux.
4. The IP proxy method based on L2TP/IPSEC as claimed in claim 1, wherein in step S3 the forwarding of VPN traffic to the SOCKS5 server is implemented using the iptables tool on Linux.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911147481.8A CN110891008A (en) 2019-11-21 2019-11-21 IP proxy method based on L2TP/IPSEC

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911147481.8A CN110891008A (en) 2019-11-21 2019-11-21 IP proxy method based on L2TP/IPSEC

Publications (1)

Publication Number Publication Date
CN110891008A true CN110891008A (en) 2020-03-17

Family

ID=69748249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911147481.8A Pending CN110891008A (en) 2019-11-21 2019-11-21 IP proxy method based on L2TP/IPSEC

Country Status (1)

Country Link
CN (1) CN110891008A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114545860A (en) * 2022-03-07 2022-05-27 河钢数字技术股份有限公司 Remote PLC maintenance method based on gateway of Internet of things

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1941738A (en) * 2005-09-29 2007-04-04 腾讯科技(深圳)有限公司 Device and method for telecommunicating between customer end application component and object server
CN102035904A (en) * 2010-12-10 2011-04-27 北京中科大洋科技发展股份有限公司 Method for converting TCP network communication server into client
US20160359812A1 (en) * 2005-06-03 2016-12-08 Asavie R&D Limited Secure network communication system and method
CN106375493A (en) * 2016-10-10 2017-02-01 腾讯科技(深圳)有限公司 Cross-network communication method and proxy servers
CN106534319A (en) * 2016-11-22 2017-03-22 深圳市掌世界网络科技有限公司 Method for direct access to target server through proxy server
CN106685785A (en) * 2016-12-27 2017-05-17 北京航空航天大学 Intranet access system based on IPsec VPN proxy
CN106713320A (en) * 2016-12-23 2017-05-24 腾讯科技(深圳)有限公司 Terminal data transmission method and device
CN107231426A (en) * 2017-06-15 2017-10-03 郑州云海信息技术有限公司 A kind of multiple data centers access method, proxy server and system
CN109347817A (en) * 2018-10-12 2019-02-15 厦门安胜网络科技有限公司 A kind of method and device that network security redirects
CN110177128A (en) * 2019-04-15 2019-08-27 深圳前海达闼云端智能科技有限公司 Data transmission system and method for establishing VPN connection, terminal and VPN proxy thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程思: "Research on Tunneling Technology in VPN", Computer Technology and Development *

Similar Documents

Publication Publication Date Title
US9288188B2 (en) Computer communication system for communication via public networks
US8250643B2 (en) Communication device, communication system, communication method, and program
US8995453B2 (en) Systems and methods for providing a VPN solution
CA2545496C (en) Virtual private network with pseudo server
CN107786613B (en) Broadband remote access server BRAS forwarding implementation method and device
US7643416B2 (en) Method and system for adaptively applying performance enhancing functions
US8699500B2 (en) Method and apparatus to perform network routing
US7398552B2 (en) Method and system for integrating performance enhancing functions in a virtual private network (VPN)
CN102340447B (en) Remote port mirroring realization system and method
US20030172264A1 (en) Method and system for providing security in performance enhanced network
WO2014082577A1 (en) Remote debugging method and system
WO2015143802A1 (en) Service function chaining processing method and device
US20160285976A1 (en) Methods and systems for forwarding data
JP5679343B2 (en) Cloud system, gateway device, communication control method, and communication control program
US7467229B1 (en) Method and apparatus for routing of network addresses
US20220311701A1 (en) Methods and systems for sending packets through a plurality of tunnels
EP3796601A1 (en) Method and apparatus for managing virtual private network
US20160156742A1 (en) Relaying system and method of transmitting ip address of client to server using encapsulation protocol
CN101026547A (en) Method and system for accessing Intranct IPv6 host into global IPv6 network
CN110891008A (en) IP proxy method based on L2TP/IPSEC
CN112839355B (en) IPSEC testing system and method in network of 5G network
Cisco Release Notes for Cisco 3200MARC Series Routers for IOS Release 12.2(11)YQ
Cisco Configuring SNA Frame Relay Access Support
WO2014063357A1 (en) Method for processing service message on remote access terminal and remote access terminal
WO2021192008A1 (en) Packet transfer device, packet transfer method, and packet transfer program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200317