CN114615080B - Remote communication method and device for industrial equipment and equipment - Google Patents

Publication number: CN114615080B
Authority: CN (China)
Application number: CN202210334472.5A
Other versions: CN114615080A
Other languages: Chinese (zh)
Inventor: 李林
Current Assignee: Alibaba China Co Ltd
Original Assignee: Alibaba China Co Ltd
Legal status: Active
Prior art keywords: data packet, address, local area, area network, equipment
Priority to CN202210334472.5A; priority to PCT/CN2023/084356 (WO2023185823A1)

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/1004 Server selection for load balancing
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The application provides a remote communication method, a remote communication device and remote communication equipment for industrial equipment. The method comprises the following steps: the edge device obtains a first data packet from the terminal device through the VPN channel, the first data packet comprises a destination address, the destination address in the first data packet is an IP address of a target industrial device in a first local area network, the target industrial device is one of at least one industrial device, and the first data packet is sent to the target industrial device. Under the condition that the industrial equipment is not exposed to the public network, the communication between the terminal equipment and the edge equipment is realized, and the safety of remote communication of the industrial equipment is improved.

Description

Remote communication method and device for industrial equipment and equipment
Technical Field
The present application relates to the field of cloud computing technologies, and in particular, to a remote communication method, apparatus, and device for an industrial device.
Background
In some industrial manufacturing scenarios, it is necessary to remotely control each industrial control device via a terminal device to achieve control of the industrial device. Currently, a remote communication scheme between a terminal device and an industrial device requires exposing the industrial device to a public network through a router in a port mapping manner to establish a communication link between the remote terminal device and the industrial device. In this case, a great potential safety hazard is brought to industrial production and maintenance. Therefore, how to implement remote communication of industrial equipment to ensure the safety of the remote communication of industrial equipment is a current urgent problem to be solved.
Disclosure of Invention
The embodiment of the application provides a remote communication method, a remote communication device and remote communication equipment for industrial equipment, which are used for improving the safety of remote communication of the industrial equipment.
In a first aspect, an embodiment of the present application provides a remote communication method of an industrial device, which is applied to an edge device, where the edge device and at least one industrial device implement a communication connection in a first local area network, and the method includes: acquiring a first data packet from a terminal device through a virtual private network (Virtual Private Network, VPN) channel, wherein the first data packet includes a destination address, the destination address in the first data packet is an internet protocol (Internet Protocol, IP) address of a target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device; the first data packet is sent to the target industrial device.
In a second aspect, an embodiment of the present application provides a remote communication method for an industrial device, applied to a VPN server, including: transmitting first configuration information to the edge equipment, wherein the first configuration information carries information of a network segment of a second local area network, and the network segment of the second local area network is a local area network adopted when communication is carried out through a VPN channel; forwarding a first data packet from a terminal device to the edge device, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in the second local area network, the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device which is in communication connection with the edge device in the first local area network.
In a third aspect, an embodiment of the present application provides a remote communication method for an industrial device, applied to a terminal device, including: transmitting a first data packet to the edge equipment through the VPN channel, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, the destination address in the first data packet is an IP address of target industrial equipment in the first local area network, and the target industrial equipment is one of at least one industrial equipment which is in communication connection with the edge equipment in the first local area network; and receiving a second data packet sent by the edge device through the VPN channel.
In a fourth aspect, an embodiment of the present application provides an edge device, where the edge device is communicatively connected to at least one industrial device in a first local area network, and the edge device includes: an obtaining unit, configured to obtain, through a VPN channel, a first data packet from a terminal device, where the first data packet includes a destination address, where the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device; and the receiving and transmitting unit is used for transmitting the first data packet to the target industrial equipment.
In a fifth aspect, an embodiment of the present application provides a server, including: the receiving and transmitting unit is used for transmitting first configuration information to the edge equipment, wherein the first configuration information carries information of a network segment of a second local area network, and the network segment of the second local area network is a local area network adopted when communication is carried out through a VPN channel; the transceiver unit is further configured to forward, to the edge device, a first data packet from the terminal device, where the first data packet includes a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in the second local area network, the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device that implements a communication connection with the edge device in the first local area network.
In a sixth aspect, an embodiment of the present application provides a terminal device, including: the receiving and transmitting unit is used for transmitting a first data packet to the edge equipment through the VPN channel, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, the destination address in the first data packet is the IP address of target industrial equipment in the first local area network, and the target industrial equipment is one of at least one industrial equipment which is in communication connection with the edge equipment in the first local area network; the receiving and transmitting unit is further configured to receive, through the VPN tunnel, a second data packet sent by the edge device.
In a seventh aspect, an embodiment of the present application provides an electronic device, including: at least one processor and memory; the memory stores computer-executable instructions; the at least one processor executing computer-executable instructions stored in the memory causes the at least one processor to perform the method as provided in the first, second or third aspects.
In an eighth aspect, an embodiment of the present application provides a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, implement a method as provided in the first, second or third aspects.
In a ninth aspect, embodiments of the present application provide a computer program product comprising computer instructions which, when executed by a processor, implement the method provided by the first, second or third aspects.
In the embodiment of the application, the edge equipment and the terminal equipment are in encrypted communication through the VPN channel, and the edge equipment sends the first data packet sent by the terminal equipment to the target industrial equipment in the first local area network, so that the communication between the terminal equipment and the edge equipment is realized under the condition that the industrial equipment is not exposed to the public network, and the safety of remote communication of the industrial equipment is improved.
Drawings
FIG. 1 is a schematic diagram of a remote communication scenario 100 of an industrial device according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an interaction flow of a remote communication method 200 of an industrial device according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an interaction flow of a remote communication method 300 of an industrial device according to an embodiment of the present application;
FIG. 4 is a schematic block diagram of an electronic device 400 according to an embodiment of the present application;
FIG. 5 is a schematic block diagram of an electronic device 500 according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a cloud server 600 according to an exemplary embodiment of the present application.
Detailed Description
Industry is the material production sector that extracts and collects natural resources and processes various raw materials. It may generally include, but is not limited to, light industry, heavy industry, and the chemical industry. Light industry may include, but is not limited to: light industry using agricultural products as raw materials, such as food manufacturing, tobacco processing, textiles, paper making, and printing; and light industry using non-agricultural products as raw materials, such as cultural, educational and sporting goods, chemical manufacturing, synthetic fiber manufacturing, daily necessities manufacturing, hand tool manufacturing, medical appliance manufacturing, and the like. Heavy industry may include, but is not limited to, energy exploitation, metal smelting and processing, cement processing, electricity, and the like. The chemical industry may include, but is not limited to, plastic and rubber products, coatings, chemical waste treatment, and the like. The industrial equipment in the embodiments of the application can be applied in any industrial field to carry out industrial production or maintenance. Industrial equipment includes, but is not limited to, computer numerical control machine tools (Computerised Numerical Control Machine, CNC).
In current implementations of industrial automation, industrial equipment is often controlled by industrial control devices to carry out industrial production or maintenance. It should be appreciated that the industrial control device here may be independent of the industrial equipment or may be integrated into it. When the industrial equipment is integrated with an industrial control device, the industrial equipment may itself be referred to as an industrial control device. The industrial control device can be, for example, a programmable logic controller (Programmable Logic Controller, PLC).
For ease of description, the following takes as an example an industrial control device that is integrated into the industrial equipment.
Aiming at the problem that in the current industrial manufacturing scene, the router exposes the industrial equipment to the public network to realize remote communication of the industrial equipment, so that the remote communication security of the industrial equipment is poor.
Also, since the remote communication of the industrial equipment is implemented by means of the router, configuration is required in the router to implement the routing relationship between the industrial equipment and the terminal equipment, however, when the number of the industrial equipment is large, the configuration process is complicated. In the embodiment of the application, different industrial equipment can multiplex the VPN channel established between the edge equipment and the terminal equipment, each industrial equipment does not need to be connected with the terminal equipment, the complexity of configuration is reduced, and the communication between the edge equipment and the terminal equipment realized based on the VPN channel has higher network penetrability.
FIG. 1 is a schematic diagram of a remote communication scenario 100 of an industrial device according to an embodiment of the present application. As shown in FIG. 1, the edge device 110 is communicatively coupled to at least one industrial device 120 within a first local area network. The edge device 110 may be implemented as a gateway. The industrial equipment 120 may be implemented as the industrial control device described above, or the industrial equipment 120 may be replaced with the industrial control device described above.
The edge device 110 and the terminal device 130 are connected through a virtual private network (Virtual Private Network, VPN) tunnel, which is a private network established over a public network, which can enable encrypted communication between the edge device 110 and the terminal device 130.
In general, a VPN channel may be established between the edge device 110 and the terminal device 130 through the VPN server 140, and communication between the edge device 110 and the terminal device 130 may be implemented based on forwarding by the VPN server 140, where the terminal device 130 and the edge device 110 may use a second local area network when communicating through the VPN channel. Of course, the VPN server 140 may be integrated in the terminal device 130 or the edge device 110 in the form of a functional module, which is not limited in the present application.
The VPN server 140 may be implemented as a conventional server, a cloud server, or a server cluster.
The number of terminal devices 130 may be one or more, and the present application is not limited in this regard. When the number of the terminal devices 130 is plural, the plural terminal devices 130 may communicate with the edge device 110 through the VPN server 140, specifically, the plural terminal devices 130 may perform encrypted communication with the edge device 110 in the same local area network (for example, the second local area network above), and the IP addresses of the plural terminal devices 130 all belong to the network segment of the second local area network.
The edge device 110 may forward the received data packet from the terminal device 130 to at least one of the industrial devices 120, or may forward the received data packet from the industrial device 120 to the terminal device 130, so as to implement communication between the terminal device 130 and the industrial device 120.
Illustratively, VPN clients are deployed on both the edge device 110 and the terminal device 130, and the VPN server software is deployed on the VPN server 140.
The terms "first" and "second" are used only to distinguish the two local area networks; they do not indicate an order and do not limit the types of the first and second local area networks.
It should be noted that the scenario shown in fig. 1 is only given as an example to illustrate the relevant components of the scenario according to the embodiment of the present application, and the present application is not limited in any way.
The following describes in detail a remote communication method of an industrial device according to an embodiment of the present application with reference to the accompanying drawings.
It should be understood that the following is only for ease of understanding and description, and the method provided by the embodiment of the present application is described in detail by taking interaction among the terminal device, the edge device, and the industrial device as an example. The terminal device may be, for example, terminal device 130 of fig. 1, the edge device may be, for example, edge device 110 of fig. 1, and the industrial device may be, for example, industrial device 120 of fig. 1. In some embodiments, a VPN server, such as VPN server 140 in fig. 1, also participates in interactions to implement the methods provided by embodiments of the present application.
It should be understood that this does not limit the execution subject of the method provided by the present application. Any entity that can carry out the method provided by the embodiments of the present application by running a program in which the code of the method is recorded can serve as the execution subject of the method. For example, the terminal device shown in the following embodiments may be replaced with a component in the terminal device, such as a chip, a chip system, or another functional module capable of calling and executing a program; the edge device, the industrial device, and the VPN server may likewise each be replaced with such a component in the edge device, the industrial device, or the VPN server, respectively.
Fig. 2 is a schematic diagram of an interaction flow of a remote communication method 200 of an industrial device according to an embodiment of the present application. As shown in fig. 2, the method 200 includes some or all of the following:
S210, the terminal equipment sends a first data packet to the edge equipment through the VPN channel.
Correspondingly, the edge device acquires a first data packet from the terminal device through the VPN channel.
S220, the edge device sends the first data packet to the target industrial device.
In the embodiment of the present application, the first data packet includes at least a destination address, and the destination address in the first data packet is the IP address of the target industrial device in the first local area network. As previously described, the industrial device is communicatively coupled to the edge device within the first local area network. The target industrial device may be any one of the at least one industrial device that is communicatively coupled to the edge device within the first local area network, and the terminal device indicates the target industrial device via the destination address in the first data packet.
The edge device sends the first data packet to a target industrial device indicated by a destination address in the first data packet. For example, the edge device and the target industrial device may communicate over the first local area network based on their IP addresses.
The data in the first data packet may be used to control or maintain the target industrial device. The number of target industrial devices may be one or more, and the application is not limited in this regard. When the number of the target industrial devices is more than one, the terminal device can send the first data packets corresponding to each target industrial device to the edge device, and then the edge device forwards each first data packet to the corresponding target industrial device.
Therefore, in the above steps S210 and S220, the edge device and the terminal device perform encrypted communication through the VPN channel, and then the edge device sends the first data packet sent by the terminal device to the target industrial device in the first local area network, so that the communication between the terminal device and the edge device is realized without exposing the industrial device to the public network, and the security of remote communication of the industrial device is improved.
It will be appreciated that the first data packet may include a source address in addition to the destination address and data, and after the target industrial device receives the first data packet, the source address in the first data packet may be used as the destination address, and the data packet (hereinafter, the second data packet) may be sent to the destination address, so as to implement information interaction. The source address in the first data packet is the IP address of the terminal device in the second local area network, that is, the virtual IP address under VPN, in which case the target industrial device connected to the first local area network cannot send the second data packet to the terminal device. Thus, in some embodiments, to ensure that after sending the first data packet to the target industrial device, the edge device can forward the second data packet from the target industrial device to the terminal device, the source address in the first data packet may be modified to the IP address of the edge device in the first local area network before forwarding the first data packet, and then the modified data packet is sent to the target industrial device, so that the target industrial device sends the second data packet using the IP address of the edge device in the first local area network as the destination address.
The modification of the source address in the first data packet by the edge device may include the following possible implementation. After the edge device receives the first data packet sent by the terminal device, it may determine whether the first data packet came from the VPN channel, for example by checking whether the source address in the first data packet belongs to the network segment of the second local area network. If the source address belongs to the network segment of the second local area network, the first data packet came from the VPN channel, or, put differently, the terminal device sent the first data packet through the VPN client, and in this case the edge device may modify the source address in the first data packet. For example, if the network segment of the second local area network is 192.168.40.X and the source address in the first data packet is 192.168.40.4, the edge device determines that the source address in the first data packet belongs to the network segment of the second local area network, and then modifies the source address in the first data packet.
Continuing with the possible implementation described above, the edge device may modify the source address in the first data packet to the IP address of the edge device within the first local area network according to a preconfigured source network address translation (Source Network Address Translation, SNAT) entry. Note that the SNAT entry indicates that a source address belonging to the network segment of the second local area network is to be modified to the IP address of the edge device. The SNAT entry can be understood as an SNAT policy, which may include a mapping relationship between the IP address of the edge device in the first local area network and the network segment of the second local area network.
By combining the VPN channel with SNAT, a network tunnel between the terminal equipment and the industrial equipment is established, so that communication is carried out at the network layer of the transmission control protocol (Transmission Control Protocol, TCP)/IP stack without affecting the layers above layer 3.
Of course, in the above possible implementation manner, the edge device modifies the source address in the first data packet, which is only an example and not a limiting illustration. For example, the edge device may also add an IP address of the edge device within the first local area network as an additional source address to the first data packet. The modification of the source address in the first data packet based on the SNAT is also merely an example and not a limitation, and for example, the edge device may modify the source address in the first data packet based on a mapping relationship between a predetermined network segment of the second local area network and an IP address of the edge device in the first local area network.
In some embodiments, the method 200 further includes the following steps S230 and S240.
S230, the target industrial equipment sends a second data packet to the edge equipment.
Correspondingly, the edge device receives the second data packet sent by the target industrial device.
S240, the edge device sends the second data packet to the terminal device through the VPN channel.
Correspondingly, the terminal equipment receives the second data packet through the VPN channel.
It should be noted that, the above process of transmitting the first data packet and the process of transmitting the second data packet may overlap in time, for example, the edge device forwards the first data packet sent by the terminal device to the target industrial device, and forwards the second data packet sent by the target industrial device to the terminal device at the same time; alternatively, the above-mentioned process of transmitting the first data packet and the process of transmitting the second data packet may not overlap in time, for example, the second data packet is generated based on the data in the first data packet, in which case the edge device may forward the first data packet from the terminal device to the target industrial device, and forward the second data packet from the target industrial device to the terminal device. The application is not limited in this regard.
Similar to the first data packet, the second data packet may include a destination address, a source address, and data. The destination address of the second data packet may be the source address of the received first data packet and the source address of the second data packet may be the destination address of the received first data packet. In particular, the destination address of the second data packet may be an IP address of the edge device within the first local area network, and the source address of the second data packet may be an IP address of the target industrial device within the first local area network. The target industrial device transmits the second data packet within the first local area network.
After the edge device receives the second data packet sent by the target industrial device, it can modify the destination address in the second data packet to the IP address of the terminal device in the second local area network, and then forward the second data packet to the terminal device through the VPN channel. For example, when modifying the source address of the first data packet, the edge device may maintain a source address modification record of the first data packet. The record may include at least the original source address of the first data packet (i.e., the IP address of the terminal device in the second local area network) and its destination address (i.e., the IP address of the target industrial device in the first local area network). The edge device may then modify the destination address of the second data packet according to this record and the source address of the second data packet (i.e., the IP address of the target industrial device in the first local area network): for example, when the source address of the second data packet is consistent with the destination address in the source address modification record of the first data packet, the edge device may modify the destination address of the second data packet to the IP address of the terminal device in the second local area network. Furthermore, the edge device may send the second data packet to the terminal device via the VPN channel based on the IP address of the terminal device within the second local area network.
In this embodiment, the edge device receives the second data packet sent by the target industrial device through the first local area network, and sends the second data packet to the terminal device through the VPN channel, so that communication between the terminal device and the edge device is realized without exposing the industrial device to the public network, and the security of remote communication of the industrial device is improved.
The VPN tunnel in the above embodiment may be a network tunnel that establishes and implements communication based on a VPN server. The following is a description with reference to fig. 3.
Fig. 3 is a schematic diagram of an interaction flow of a remote communication method 300 of an industrial device according to an embodiment of the present application. The method 300 may include some or all of the following:
First, how the VPN server configures the VPN environment of a terminal device is described by way of example.
The VPN server may obtain a second client configuration request; for example, as shown in fig. 3, the VPN server obtains the second client configuration request entered by the user. The second client configuration request is used to request configuration of the VPN environment corresponding to each of at least one terminal device; for example, it may carry the number and/or the identity of the terminal devices. In response to the second client configuration request, the VPN server may determine the network segment of the second local area network and the VPN certificate corresponding to each terminal device. Further, the VPN server either carries information of the network segment of the second local area network and at least one VPN certificate in at least one piece of third configuration information, or carries one IP address belonging to the network segment of the second local area network and one VPN certificate in one piece of third configuration information. Compared with the first mode, in the second mode the terminal device can determine its own IP address directly from the third configuration information, without having to determine it from the network segment of the second local area network.
Continuing with the deployment of the VPN environment of the terminal device, the VPN server can send the third configuration information to the terminal device; when the VPN server is connected with a plurality of terminal devices, it can send each piece of third configuration information to the corresponding terminal device. The terminal device may then determine, according to the third configuration information, its own IP address in the second local area network, and install the certificate, so as to complete configuration of the VPN environment.
The server deployed in the VPN server may be set to bridging (TAP) mode, so that it is implemented as a Secure Sockets Layer (SSL) server. Accordingly, the client deployed in the terminal device may be an SSL client.
Next, how the VPN server configures the VPN environment of the edge device is described by way of example.
As shown in connection with fig. 3, the VPN server receives a first client configuration request sent by the edge device, where the first client configuration request is used to request the VPN server to send second configuration information. The first client configuration request may be sent by the edge device at the time of initial power-up, which should not be construed as limiting the present application, for example, the first client configuration request may also be a request sent by the edge device in response to an instruction input by the user.
It should be noted that the second configuration information may include: at least one of VPN client installation package, VPN certificate, VPN initiation instructions. For example, the edge device may install the VPN client by running a VPN client installation package in the second configuration information; the edge device may install the VPN certificate in the second configuration information; the edge device may also launch the VPN client in response to the VPN launch instruction in the second configuration information.
In some embodiments, the edge device needs to configure the SNAT entry. The edge device may configure the SNAT entry according to the network segment of the second local area network, so as to establish a mapping relationship between the network segment of the second local area network and the IP address of the edge device in the first local area network.
The network segment of the second local area network may be preset in the edge device, or may be received by the edge device from the VPN server. For example, the VPN server determines the network segment of the second local area network in response to the second client configuration request, and sends information of the network segment of the second local area network to the edge device, where the information is carried in the first configuration information.
The deployment of the VPN environment described above in connection with fig. 3 is only an exemplary illustration and is not limiting of the present application, as some or all of the processes in the deployment of the VPN environment described above may also be accomplished in response to user entered configurations.
After the terminal device and the edge device have completed VPN deployment, data transmission over the VPN channel can be realized between the terminal device and the edge device through the VPN server. For example, the terminal device may send the first data packet to the VPN server, and the VPN server forwards the first data packet to the edge device, so that the terminal device sends the first data packet to the edge device through the VPN channel; and/or the edge device sends the second data packet to the VPN server, and the VPN server forwards the received second data packet to the terminal device, so that the edge device sends the second data packet to the terminal device through the VPN channel.
In the embodiment shown in fig. 3, communication between the edge device and the target industrial device is still implemented through the first local area network; for the implementation, refer to the communication between the edge device and the target industrial device in any of the above embodiments. For example, the edge device modifies the source address in the first data packet to the IP address of the edge device in the first local area network and then sends the first data packet to the target industrial device. As another example, after the edge device receives the second data packet sent by the target industrial device, it modifies the destination address in the second data packet to the IP address of the terminal device in the second local area network and then sends the modified second data packet to the terminal device through the VPN channel.
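The address handling on the edge device described above (an SNAT entry built from the network segment of the second local area network, and a source address modification record used for replies) is shown here as an added Python simulation; it is not part of the patent text. The addresses, the ports, the port-based record key and the choice not to forward packets that match no entry or record are assumptions of this sketch, which also shows that a record matched on the target address alone becomes ambiguous once two terminals talk to the same device.

```python
"""Simulation of the edge device's SNAT and reply handling (added example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    data: bytes = b""


class EdgeDevice:
    def __init__(self, lan_ip, vpn_segment, first_port=40000):
        self.lan_ip = lan_ip                                  # edge IP in the first LAN
        self.vpn_segment = ipaddress.ip_network(vpn_segment)  # segment of the second LAN
        self.flows = {}    # original flow -> translated source port
        self.records = {}  # (edge port, target IP, target port) -> (terminal IP, terminal port)
        self.next_port = first_port                           # assumption: sequential ports

    def to_industrial(self, pkt):
        """First data packet: rewrite the source if it falls under the SNAT entry."""
        if ipaddress.ip_address(pkt.src) not in self.vpn_segment:
            return None  # assumption: traffic outside the SNAT entry is not forwarded
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.flows:
            self.flows[flow] = self.next_port
            self.records[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.lan_ip, sport=self.flows[flow])

    def to_terminal(self, pkt):
        """Second data packet: restore the terminal's address from the record."""
        if pkt.dst != self.lan_ip:
            return None
        original = self.records.get((pkt.dport, pkt.src, pkt.sport))
        if original is None:
            return None  # no matching record: not sent into the VPN channel
        return replace(pkt, dst=original[0], dport=original[1])

    def address_only_candidates(self, target_ip):
        """Terminals that a record matched on the target address alone would return."""
        return sorted({term for (_, ip, _), (term, _) in self.records.items()
                       if ip == target_ip})


def demo():
    # Constructed sample values: edge device, VPN segment, one industrial device.
    edge = EdgeDevice(lan_ip="192.168.1.10", vpn_segment="10.8.0.0/24")
    plc = "192.168.1.50"
    out_a = edge.to_industrial(Packet("10.8.0.2", 51000, plc, 502, b"read"))
    out_b = edge.to_industrial(Packet("10.8.0.3", 51000, plc, 502, b"read"))
    reply_b = edge.to_terminal(Packet(plc, 502, edge.lan_ip, out_b.sport, b"ok"))
    stray = edge.to_terminal(Packet(plc, 502, edge.lan_ip, 45555, b"??"))
    outside = edge.to_industrial(Packet("172.16.0.9", 51000, plc, 502))
    return out_a, out_b, reply_b, stray, outside, edge.address_only_candidates(plc)


if __name__ == "__main__":
    for item in demo():
        print(item)
```
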
In the embodiment of the application, when there is more than one industrial device, the plurality of industrial devices and the edge device can be deployed in the same local area network, so that remote communication can be realized through the VPN channel between the edge device and the terminal device. Compared with the prior art, in which a communication link is established for each industrial device, this improves the convenience of remote deployment.
It should be noted that, the descriptions of "first", "second", "third", and the like herein are used to distinguish different local area networks, data packets, configuration information, requests, and the like, and do not represent the sequence, nor do they limit that "first" and "second" are different types.
In the various embodiments of the application, unless otherwise specified or logically conflicting, the terminology and/or descriptions of different embodiments are consistent and may be referred to each other, and features of different embodiments may be combined to form new embodiments in accordance with their inherent logical relationships.
Fig. 4 is a schematic block diagram of an electronic device 400 according to an embodiment of the present application. As shown in fig. 4, the electronic device 400 may be implemented as an execution body in the above-described method embodiment, for example, an edge device, a VPN server, or a terminal device. The electronic device 400 comprises at least a transceiver unit 410, and in some embodiments the electronic device 400 may further comprise an acquisition unit 420 and/or a processing unit 430.
Alternatively, the electronic device 400 may correspond to the edge device in the above method embodiments, and may be, for example, an implementation of the edge device, or a component (such as a chip or a chip system) configured in the edge device.
The obtaining unit 420 may be configured to obtain, through a VPN channel, a first data packet from a terminal device, where the first data packet includes a destination address, where the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device; the transceiver unit 410 is configured to send the first data packet to the target industrial device.
In some embodiments, the first data packet further includes a source address, where the source address in the first data packet is an IP address of the terminal device in a second local area network, and the second local area network is a local area network used when communicating through a VPN channel; the transceiver unit 410 is specifically configured to: modifying a source address in the first data packet to be an IP address of the edge device in the first local area network; the first data packet is sent to the target industrial device.
In some embodiments, the transceiver unit 410 is specifically configured to: in the case where the source address in the first data packet belongs to the network segment of the second local area network, modify the source address in the first data packet according to a preconfigured source network address translation (SNAT) entry, where the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified to the IP address of the edge device.
In some embodiments, the transceiver unit 410 is further configured to: receive first configuration information sent by the VPN server, where the first configuration information carries information of the network segment of the second local area network; the processing unit 430 is configured to configure the SNAT entry according to the first configuration information.
In some embodiments, the obtaining unit 420 is specifically configured to: the first data packet forwarded by the VPN server is received.
The transceiver unit 410 is further configured to receive a second data packet sent by the target industrial device, where the second data packet includes a source address and a destination address, and the destination address in the second data packet is an IP address of the edge device in the first lan; the processing unit 430 is further configured to modify, according to the source address modification record of the first data packet and the source address of the second data packet, the destination address of the second data packet to an IP address of the terminal device in the second local area network; the transceiver unit 410 is further configured to send the second data packet to the terminal device through the VPN tunnel.
In some embodiments, the transceiver unit 410 is further configured to receive second configuration information sent by the VPN server, where the second configuration information carries at least one of a VPN client installation package, a VPN certificate, and a VPN initiation instruction; the processing unit 430 is further configured to configure a VPN environment according to the second configuration information, so as to build the VPN tunnel.
In some embodiments, before receiving the second configuration information sent by the VPN server, the transceiver unit 410 is further configured to: when the edge device is powered on for the first time, send a first client configuration request to the VPN server, where the first client configuration request is used for requesting the VPN server to send the second configuration information.
Alternatively, the electronic device 400 may correspond to the VPN server in the above method embodiment, for example, may be an implementation of the VPN server, or a component (such as a chip or a chip system) configured in the VPN server.
Wherein the transceiver unit 410 may be configured to: transmitting first configuration information to the edge equipment, wherein the first configuration information carries information of a network segment of a second local area network, and the network segment of the second local area network is a local area network adopted when communication is carried out through a VPN channel; forwarding a first data packet from a terminal device to the edge device, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in the second local area network, the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device which is in communication connection with the edge device in the first local area network.
In some embodiments, the transceiver unit 410 is further configured to: and sending second configuration information to the edge equipment, wherein the second configuration information carries at least one of a VPN client installation package, a VPN certificate and a VPN starting instruction.
In some embodiments, the transceiver unit 410 is further configured to: and receiving a first client configuration request sent by the edge equipment when the edge equipment is powered on for the first time, wherein the first client configuration request is used for requesting the VPN server to send the second configuration information.
In some embodiments, the obtaining unit 420 is configured to obtain a second client configuration request, where the second client request is used to request to configure a VPN environment corresponding to at least one terminal device respectively; the processing unit 430 is configured to generate, according to the second client configuration request, the first configuration information and/or at least one third configuration information corresponding to the at least one terminal device, where the third configuration information includes a network segment of the second local area network and/or a VPN certificate corresponding to the terminal device; the transceiver unit 410 is further configured to send the third configuration information to the at least one terminal device, respectively.
In some embodiments, the VPN server is configured in a bridge mode.
Alternatively, the electronic device 400 may correspond to the terminal device in the above method embodiment, for example, may be an implementation of the terminal device, or a component (such as a chip or a chip system) configured in the terminal device.
Wherein the transceiver unit 410 may be configured to: transmitting a first data packet to the edge equipment through the VPN channel, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, the destination address in the first data packet is an IP address of target industrial equipment in the first local area network, and the target industrial equipment is one of at least one industrial equipment which is in communication connection with the edge equipment in the first local area network; and receiving a second data packet sent by the edge device through the VPN channel.
It should be understood that the specific process of each unit performing the corresponding steps has been described in detail in the above method embodiments, and is not described herein for brevity.
Fig. 5 is a schematic block diagram of an electronic device 500 according to an embodiment of the present application. The electronic device 500 shown in fig. 5 may be implemented as a terminal device, an edge device or a VPN server, for implementing the steps performed by the terminal device, the edge device or the VPN server in the above method embodiments. The electronic device 500 comprises a processor 520, and the processor 520 may call and run a computer program to implement the method in embodiments of the application.
In some embodiments, as shown in fig. 5, electronic device 500 may also include memory 530. Wherein the processor 520 may call and run a computer program from the memory 530 to implement the method in an embodiment of the present application.
Wherein the memory 530 may be a separate device from the processor 520 or may be integrated into the processor 520.
In some embodiments, as shown in fig. 5, the electronic device 500 may further include a transceiver 510, and the processor 520 may control the transceiver 510 to communicate with other devices, and in particular, may transmit information or data to other devices, or receive information or data transmitted by other devices.
Among other things, transceiver 510 may include a transmitter and a receiver. The transceiver 510 may further include antennas, the number of which may be one or more.
In some embodiments, the electronic device 500 may implement corresponding flows of the methods on the terminal device, the edge device, or the VPN server side in the embodiments of the present application, which are not described herein for brevity.
Fig. 6 is a schematic structural diagram of a cloud server 600 according to an exemplary embodiment of the present application. The cloud server 600 may be an implementation of the VPN server in the method embodiment above. As shown in fig. 6, the VPN server 600 includes: a memory 610 and a processor 620.
Memory 610, for storing computer programs, may be configured to store various other data to support operations on the VPN server. The memory 610 may be an object store (Object Storage Service, OSS).
A processor 620 coupled to the memory 610 for executing the computer program in the memory 610 for implementing the method implemented by the VPN server in the method embodiment above.
Further, as shown in fig. 6, the VPN server further includes: firewall 630, load balancer 640, communication component 650, power component 660, and other components. Only some of the components are schematically shown in fig. 6, which does not mean that the VPN server only comprises the components shown in fig. 6.
It should be appreciated that the VPN server 600 shown in fig. 6 is capable of implementing the various processes described above in connection with the VPN server in the method embodiments. The operations and/or functions of the respective modules in the VPN server 600 are respectively for implementing the respective flows in the above-described method embodiments. Reference is specifically made to the description in the above method embodiments, and detailed descriptions are omitted here as appropriate to avoid repetition.
The application also provides a processing device, which comprises at least one processor, wherein the at least one processor is used for executing the computer program stored in the memory, so that the processing device executes the method executed by the terminal equipment, the edge equipment or the VPN server in the embodiment of the method.
The embodiment of the application also provides a processing device which comprises a processor and an input/output interface. The input-output interface is coupled with the processor. The input/output interface is used for inputting and/or outputting information. The information includes at least one of instructions and data. The processor is configured to execute a computer program, so that the processing apparatus executes a method executed by the terminal device, the edge device, or the VPN server in the foregoing method embodiment.
The embodiment of the application also provides a processing device which comprises a processor and a memory. The memory is used for storing a computer program, and the processor is used for calling and running the computer program from the memory, so that the processing device executes the method executed by the terminal device, the edge device or the VPN server in the method embodiment.
It should be understood that the processing means described above may be one or more chips. For example, the processing device may be a field programmable gate array (FPGA), an application-specific integrated circuit (ASIC), a system on chip (SoC), a central processing unit (CPU), a network processor (NP), a digital signal processor (DSP), a microcontroller unit (MCU), a programmable logic device (PLD) or other integrated chip.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method. To avoid repetition, a detailed description is not provided herein.
It should be noted that the processor in the embodiments of the present application may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method embodiments may be implemented by integrated logic circuits of hardware in a processor or instructions in software form. The processor may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly in the execution of a hardware decoding processor, or in the execution of a combination of hardware and software modules in a decoding processor. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
It will be appreciated that the memory in embodiments of the application may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be random access memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM). It should be noted that the memory of the systems and methods described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
According to a method provided by an embodiment of the present application, the present application also provides a computer program product, including: computer program code which, when run on a computer, causes the computer to perform the method performed by the terminal device, the edge device or the VPN server in the method embodiments described above.
According to the method provided by the embodiment of the application, the application further provides a computer readable storage medium, wherein the computer readable storage medium stores program codes, and when the program codes run on a computer, the computer is caused to execute the method executed by the terminal device, the edge device or the VPN server in the embodiment of the method.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (12)

1. A method of remote communication of industrial equipment, characterized by being applied to an edge device, said edge device being communicatively connected to at least one industrial equipment within a first local area network, comprising:
Acquiring a first data packet from terminal equipment through a VPN channel, wherein the first data packet comprises a destination address, the destination address in the first data packet is an Internet Protocol (IP) address of target industrial equipment in the first local area network, and the target industrial equipment is one of the at least one industrial equipment;
transmitting the first data packet to the target industrial device;
the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
the sending the first data packet to the target industrial device includes:
under the condition that the source address in the first data packet belongs to a network segment of the second local area network, modifying the source address in the first data packet according to a preconfigured source network address translation (SNAT) entry, wherein the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified to be the IP address of the edge equipment;
and sending the first data packet to the target industrial equipment.
2. The method according to claim 1, wherein the obtaining the first data packet from the terminal device through the VPN tunnel includes:
and receiving the first data packet forwarded by the VPN server.
3. The method according to any one of claims 1 to 2, further comprising:
receiving a second data packet sent by the target industrial equipment, wherein the second data packet comprises a source address and a destination address, and the destination address in the second data packet is the IP address of the edge equipment in the first local area network;
modifying the destination address of the second data packet into the IP address of the terminal equipment in the second local area network according to the source address modification record of the first data packet and the source address of the second data packet;
and sending the second data packet to the terminal equipment through the VPN channel.
4. A telecommunications method for an industrial device, applied to a VPN server, comprising:
transmitting first configuration information to the edge equipment, wherein the first configuration information carries information of a network segment of a second local area network, and the network segment of the second local area network is a local area network adopted when communication is carried out through a VPN channel;
forwarding a first data packet from a terminal device to the edge device, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in the second local area network, the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device which is in communication connection with the edge device in the first local area network; the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
after a first data packet from the terminal equipment is acquired through a VPN channel, an edge server, under the condition that the source address in the first data packet belongs to a network segment of a second local area network, modifies the source address in the first data packet into an IP (Internet protocol) address of the edge equipment in the second local area network according to a preconfigured source network address translation (SNAT) entry, wherein the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified into the IP address of the edge equipment; and sends the first data packet to the target industrial equipment.
5. The method of claim 4, wherein prior to said forwarding the first data packet from the terminal device to the edge device, the method further comprises:
and sending second configuration information to the edge equipment, wherein the second configuration information carries at least one of a VPN client installation package, a VPN certificate and a VPN starting instruction.
6. The method of claim 5, wherein prior to said sending the second configuration information to the edge device, the method further comprises:
and receiving a first client configuration request sent by the edge equipment when the edge equipment is powered on for the first time, wherein the first client configuration request is used for requesting the VPN server to send the second configuration information.
7. The method according to any one of claims 4 to 6, further comprising:
acquiring a second client configuration request, wherein the second client request is used for requesting configuration of VPN environments respectively corresponding to at least one terminal device;
generating at least one third configuration information corresponding to the first configuration information and/or the at least one terminal device according to the second client configuration request, wherein the third configuration information comprises a network segment of the second local area network and/or a VPN certificate corresponding to the terminal device;
and respectively sending the third configuration information to the at least one terminal device.
8. A telecommunication method for an industrial device, applied to a terminal device, comprising:
transmitting a first data packet to an edge device through a VPN channel, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in a second local area network, the destination address in the first data packet is an IP address of target industrial equipment in the first local area network, and the target industrial equipment is one of at least one industrial equipment which is in communication connection with the edge device in the first local area network;
receiving a second data packet sent by the edge equipment through the VPN channel;
the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
after the first data packet is acquired, the edge server, under the condition that the source address in the first data packet belongs to a network segment of a second local area network, modifies the source address in the first data packet into an IP (Internet protocol) address of the edge device in the second local area network according to a preconfigured source network address translation (SNAT) entry, wherein the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified into the IP address of the edge device; and sends the first data packet to the target industrial equipment.
9. An edge device for communication connection with at least one industrial device within a first local area network, the edge device comprising:
an obtaining unit, configured to obtain, through a VPN channel, a first data packet from a terminal device, where the first data packet includes a destination address, where the destination address in the first data packet is an internet protocol IP address of a target industrial device in the first local area network, and the target industrial device is one of the at least one industrial device;
the receiving and transmitting unit is used for transmitting the first data packet to the target industrial equipment;
the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
the transceiver unit is specifically configured to, when the source address in the first data packet belongs to a network segment of the second local area network, modify the source address in the first data packet to an IP address of the edge device in the second local area network according to a preconfigured source network address translation (SNAT) entry, where the SNAT entry is used to indicate that a source address belonging to the network segment of the second local area network is modified to the IP address of the edge device;
and send the first data packet to the target industrial equipment.
10. A server, comprising:
the receiving and transmitting unit is used for transmitting first configuration information to the edge equipment, wherein the first configuration information carries information of a network segment of a second local area network, and the network segment of the second local area network is a local area network adopted when communication is carried out through a VPN channel;
the receiving and transmitting unit is further configured to forward a first data packet from a terminal device to the edge device, where the first data packet includes a source address and a destination address, the source address in the first data packet is an IP address of the terminal device in the second local area network, the destination address in the first data packet is an IP address of a target industrial device in the first local area network, and the target industrial device is one of at least one industrial device that implements communication connection with the edge device in the first local area network; the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
after a first data packet from the terminal equipment is acquired through a VPN channel, an edge server, under the condition that the source address in the first data packet belongs to a network segment of a second local area network, modifies the source address in the first data packet into an IP (Internet protocol) address of the edge equipment in the second local area network according to a preconfigured source network address translation (SNAT) entry, wherein the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified into the IP address of the edge equipment; and sends the first data packet to the target industrial equipment.
11. A terminal device, comprising:
the receiving and transmitting unit is used for transmitting a first data packet to the edge equipment through the VPN channel, wherein the first data packet comprises a source address and a destination address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, the destination address in the first data packet is an IP address of target industrial equipment in the first local area network, and the target industrial equipment is one of at least one industrial equipment which is in communication connection with the edge equipment in the first local area network;
the receiving and transmitting unit is further configured to receive, through the VPN tunnel, a second data packet sent by the edge device;
the first data packet further comprises a source address, the source address in the first data packet is an IP address of the terminal equipment in a second local area network, and the second local area network is a local area network adopted when communication is carried out through a VPN channel;
after the first data packet is acquired, the edge server, under the condition that the source address in the first data packet belongs to a network segment of a second local area network, modifies the source address in the first data packet into an IP (Internet protocol) address of the edge device in the second local area network according to a preconfigured source network address translation (SNAT) entry, wherein the SNAT entry is used for indicating that a source address belonging to the network segment of the second local area network is modified into the IP address of the edge device; and sends the first data packet to the target industrial equipment.
12. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing computer-executable instructions stored in the memory causes the at least one processor to perform the method of any one of claims 1 to 8.
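The address handling recited in claims 3 and 4 (SNAT on the first data packet, then a lookup of the modification record to restore the destination of the second data packet), as an added Python example that is not part of the patent text. The addresses, the `Packet` and `EdgeSnat` names and the per-flow port allocation are assumptions: the claims key the record on addresses only, and the SNAT target used here is the edge address that claim 3 names as the destination of the reply.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class EdgeSnat:
    """NAT state of the edge device: one SNAT entry plus per-flow modification records."""

    def __init__(self, vpn_segment: str, edge_ip: str):
        self.vpn_segment = ipaddress.ip_network(vpn_segment)  # second local area network
        self.edge_ip = edge_ip
        self.flows = {}    # (terminal ip, port, device ip, port) -> edge port
        self.records = {}  # (device ip, device port, edge port) -> (terminal ip, port)
        self.next_port = 40000  # assumption: the edge picks one source port per flow

    def to_device(self, pkt: Packet) -> Packet:
        """First data packet, received over the VPN channel."""
        if ipaddress.ip_address(pkt.src) not in self.vpn_segment:
            return pkt  # SNAT entry does not match, source stays as it is
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.flows:
            self.flows[flow] = self.next_port
            self.records[(pkt.dst, pkt.dport, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.edge_ip, sport=self.flows[flow])

    def to_terminal(self, pkt: Packet) -> Optional[Packet]:
        """Second data packet, received from the industrial device."""
        if pkt.dst != self.edge_ip:
            return None  # not addressed to the edge, nothing to translate
        original = self.records.get((pkt.src, pkt.sport, pkt.dport))
        if original is None:
            return None  # no modification record: never forwarded into the VPN channel
        return replace(pkt, dst=original[0], dport=original[1])


def demo():
    # Constructed addresses: 10.8.0.0/24 is the VPN segment, 192.168.1.0/24 the plant LAN.
    edge = EdgeSnat("10.8.0.0/24", "192.168.1.10")
    plc = ("192.168.1.20", 502)
    out_a = edge.to_device(Packet("10.8.0.6", 51000, *plc))
    out_b = edge.to_device(Packet("10.8.0.7", 51000, *plc))  # same port, other terminal
    back_a = edge.to_terminal(Packet(*plc, out_a.src, out_a.sport))
    back_b = edge.to_terminal(Packet(*plc, out_b.src, out_b.sport))
    stray = edge.to_terminal(Packet(*plc, "192.168.1.10", 45555))
    return out_a, out_b, back_a, back_b, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A record keyed only on the industrial device's address cannot tell two terminals apart when both talk to the same device, which is why this example adds the port to the key. A packet from the device that matches no record is returned as `None` and is not sent into the VPN channel.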
CN202210334472.5A 2022-03-30 2022-03-30 Remote communication method and device for industrial equipment and equipment Active CN114615080B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210334472.5A CN114615080B (en) 2022-03-30 2022-03-30 Remote communication method and device for industrial equipment and equipment
PCT/CN2023/084356 WO2023185823A1 (en) 2022-03-30 2023-03-28 Remote communication methods for industrial device, apparatuses and devices

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210334472.5A CN114615080B (en) 2022-03-30 2022-03-30 Remote communication method and device for industrial equipment and equipment

Publications (2)

Publication Number Publication Date
CN114615080A CN114615080A (en) 2022-06-10
CN114615080B CN114615080B (en) 2023-12-05

Family

ID=81867176

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210334472.5A Active CN114615080B (en) 2022-03-30 2022-03-30 Remote communication method and device for industrial equipment and equipment

Country Status (2)

Country Link
CN (1) CN114615080B (en)
WO (1) WO2023185823A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114615080B (en) * 2022-03-30 2023-12-05 阿里巴巴(中国)有限公司 Remote communication method and device for industrial equipment and equipment
CN116347437B (en) * 2023-05-22 2023-08-04 深圳市优博生活科技有限公司 Method and device for implementing exposure elimination protocol based on industrial client equipment

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009129707A1 (en) * 2008-04-21 2009-10-29 成都市华为赛门铁克科技有限公司 A method, apparatus and communication system for sending and receiving information between local area networks
CN104994331A (en) * 2015-05-13 2015-10-21 浙江宇视科技有限公司 Method and system for transmitting flows between networks in low-speed link
CN106899474A (en) * 2016-12-07 2017-06-27 新华三技术有限公司 A kind of method and apparatus of message forwarding
CN108390937A (en) * 2018-03-01 2018-08-10 深圳市腾讯计算机系统有限公司 Long-distance monitoring method, device and storage medium
CN108769292A (en) * 2018-06-29 2018-11-06 北京百悟科技有限公司 Message data processing method and processing device
EP3605958A1 (en) * 2018-08-02 2020-02-05 Nokia Solutions and Networks Oy Ip routed virtual private lan
CN112671938A (en) * 2019-10-15 2021-04-16 华为技术有限公司 Business service providing method and system and remote acceleration gateway
CN113992440A (en) * 2021-12-28 2022-01-28 北京安博通科技股份有限公司 Gateway equipment and method for transmitting local data into IPsec tunnel

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4802263B2 (en) * 2009-07-17 2011-10-26 株式会社日立製作所 Encrypted communication system and gateway device
US20160226815A1 (en) * 2015-01-30 2016-08-04 Huawei Technologies Co., Ltd. System and method for communicating in an ssl vpn
US10135789B2 (en) * 2015-04-13 2018-11-20 Nicira, Inc. Method and system of establishing a virtual private network in a cloud service for branch networking
CN110166450B (en) * 2019-05-17 2021-11-05 固高科技股份有限公司 Data transmission method and device based on industrial Ethernet and communication equipment
CN114244906B (en) * 2021-12-15 2024-03-19 中国电信股份有限公司 Data traffic distribution method, device, equipment and medium
CN114615080B (en) * 2022-03-30 2023-12-05 阿里巴巴(中国)有限公司 Remote communication method and device for industrial equipment and equipment

Also Published As

Publication number Publication date
CN114615080A (en) 2022-06-10
WO2023185823A1 (en) 2023-10-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant