Cat.1 module-based virtual private network and networking method thereof

By integrating VPN functionality and multi-interface expansion capabilities into the Cat.1 module, the problems of high cost, poor adaptability, and insufficient security of existing LTE virtual networking solutions are solved, realizing a low-cost, widely adaptable, and highly secure virtual private network suitable for multi-scenario networking needs in the Internet of Things field.

CN121056210BActive Publication Date: 2026-06-30ZHEJIANG LIERDA INTERNET OF THINGS TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ZHEJIANG LIERDA INTERNET OF THINGS TECH
Filing Date
2025-09-04
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing LTE virtual networking solutions are inadequate in terms of cost control, equipment compatibility, and deployment flexibility, and cannot meet the requirements of low cost, wide compatibility, and high security in the Internet of Things (IoT) field. In particular, they cannot effectively achieve network isolation and data transmission security in mobile terminals and distributed deployment scenarios.

Method used

Based on the Cat.1 module, VPN functionality is deeply integrated. End-to-end encryption is achieved through the L2TP+VxLAN VPN protocol stack. Combined with multi-interface expansion capabilities, it supports USB, WIFI and RJ45 interfaces, adapts to lightweight IoT terminals and mobile devices, and provides network sharing for multiple scenarios.

Benefits of technology

It achieves a low-cost, highly secure virtual private network with a wide range of adaptability, supports networking of multiple types of devices, reduces hardware procurement and maintenance costs, adapts to the needs of large-scale IoT deployment, and meets the data transmission requirements of industrial control and real-time monitoring scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121056210B_ABST
    Figure CN121056210B_ABST
Patent Text Reader

Abstract

This invention discloses a virtual private network (VPN) based on Cat.1 modules and its networking method, aiming to solve the technical bottlenecks of existing LTE VPN solutions, such as high cost, narrow equipment compatibility, insufficient security, and poor deployment flexibility. This invention deeply integrates L2TP and VPN protocol stacks into the Cat.1 module hardware and firmware, constructing a "VPN server - Cat.1 module - client device" networking architecture. First, system initialization is completed, and L2TP dialing parameters are set through either batch configuration using AT commands or visual configuration via a web page. Then, the Cat.1 module actively initiates dialing to the VPN server, establishing an end-to-end encrypted L2TP tunnel through dual verification of device IMEI and user identity. Finally, relying on interfaces such as USB, WIFI, and RJ45, the virtual network is shared with various types of clients, including embedded devices and sensors. This invention does not rely on operator private network APN resources, reduces equipment hardware costs, shortens deployment cycles, and improves the economy, adaptability, and security of virtual networking.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of mobile communications, and more specifically to a virtual private network based on Cat.1 modules and its networking method. Background Technology

[0002] In today's era of deep integration between mobile communication and IoT technologies, building Virtual Private Networks (VPNs) based on public LTE networks to achieve secure device interconnection has become a core requirement in fields such as industrial control, smart agriculture, and consumer electronics. Currently, mainstream LTE VPN solutions are mainly divided into two categories, but both have significant technical problems and are unable to meet the networking requirements of low cost, wide adaptability, and high flexibility.

[0003] I. Existing Mainstream Technical Solutions

[0004] (1) The virtual networking scheme based on private network APNs builds a virtual private dial-up network (VPDN) by relying on the operator's customized dedicated access point name (APN). Through dedicated APN configuration, network isolation of different user groups is achieved, which can theoretically ensure the security and privacy of data transmission between devices. Its core logic is to use the operator's network slicing capabilities to allocate independent communication channels to users and avoid the risk of data leakage in public network environments.

[0005] (2) LTE network function extended virtual networking scheme, which enhances the private communication capabilities of the LTE network through additional hardware or protocol overlay, mainly includes two implementation paths:

[0006] (a) CPE Router Networking: Deploy Customer Premises Equipment (CPE) routers to convert LTE signals into local area network (LAN) signals (such as WIFI or RJ45 wired networks) to form a local virtual network. This solution relies on a fixed-location CPE device as the network hub and is suitable for device interconnection in scenarios such as homes and small offices.

[0007] (b) Secondary VPN Dial-up Networking: This method involves adding a secondary dial-up process using traditional VPN protocols such as IPsec and OpenVPN to the existing LTE network connection. Data encryption is achieved through software-level protocol encapsulation. This solution requires the installation of a dedicated VPN client on the terminal device and is commonly used in remote access scenarios for large devices such as PCs and servers.

[0008] II. Core defects of existing technical solutions

[0009] (1) The private network APN solution is highly tied to operator resources, resulting in high hardware costs. Users need to purchase operator-specific APN resources and matching private network cards, which increases the hardware investment per device compared to ordinary LTE modules. For IoT scenarios involving thousands or tens of thousands of terminals, the overall cost is unbearable. Furthermore, APN application requires multiple processes such as operator qualification review and network configuration debugging, which usually take several weeks or even months. This cannot meet the business needs of rapid deployment and flexible expansion. Later maintenance also depends on operator technical support, limiting response efficiency and autonomy.

[0010] (2) The LTE extended networking scheme lacks adaptability and flexibility. Both types of extended schemes have significant functional shortcomings and are difficult to cover the needs of multiple IoT scenarios.

[0011] (a) CPE router solution, fixed location and scenario. CPE devices rely on power and signal coverage, and need to be deployed in a fixed location. They cannot be adapted to mobile terminals (such as vehicle-mounted devices, portable sensors, etc.) or distributed deployment scenarios (such as smart agricultural field equipment, industrial workshop distributed controllers, etc.). Moreover, they can only cover local areas and lack the ability to remotely network across regions and networks.

[0012] (b) Secondary VPN dialing scheme, with narrow terminal compatibility. Traditional VPN clients only support large operating systems such as Windows and Linux, and cannot be compatible with embedded systems (such as RT-Thread, FreeRTOS, etc.) and lightweight IoT terminals (such as low-power sensors, small controllers, etc.) widely used in the Internet of Things (IoT) field. These small devices are limited by computing power (no independent CPU or insufficient computing power) and storage (only a few MB of memory), and cannot support the operation and data processing of complex VPN protocols, resulting in a large number of IoT terminals being excluded from the virtual networking system.

[0013] (3) Common security and efficiency issues. Existing solutions generally suffer from "shallow encryption layers" and "low data transmission efficiency". Although private network APNs achieve network isolation, data encryption relies solely on the operator's network layer protection, and the transmission link from the terminal to the APN node is still at risk of being stolen or tampered with. Secondary VPN dialing solutions result in too many data encapsulation layers due to protocol superposition, which increases transmission latency under LTE networks and is prone to problems such as data packet loss and link interruption, failing to meet the latency-sensitive requirements of scenarios such as industrial control and real-time monitoring.

[0014] In summary, existing LTE virtual private network solutions have technical problems in terms of cost control, equipment compatibility, and deployment flexibility, and a new virtual private network networking technology that is low-cost, widely adaptable, and highly secure is needed. Summary of the Invention

[0015] To address the aforementioned problems in existing technologies, this invention deeply integrates VPN functionality into LTE Cat.1 modules, enabling multi-scenario network sharing technology.

[0016] The first objective of this invention is to propose a virtual private network based on a Cat.1 module, comprising a VPN server, a Cat.1 module, and a client device connected in sequence.

[0017] VPN Server: This is the control node of the Virtual Private Network. It builds a general L2TP server based on a public network server and includes an authentication module, a tunnel parameter negotiation module, a data forwarding module, and a Dongle device compatibility module. The authentication module stores a username-password mapping table and unique device identifiers for legitimate access devices, supporting PAP or CHAP dual authentication mechanisms. The tunnel parameter negotiation module listens on a preset port and receives tunnel establishment requests from Cat.1 modules. The data forwarding module forwards data according to the set priority and the destination address of the data packets. The Dongle device compatibility module distinguishes different extended hardware and automatically matches forwarding strategies and protocol rules. The extended hardware includes USB interface hardware, WiFi interface hardware, and RJ45 interface hardware.

[0018] Cat.1 module: It is the connection hub of virtual private network, integrating a complete VPN protocol stack and multi-interface expansion capabilities. It has a built-in 4G wireless communication chip, baseband processing unit and interface circuit, and reserved USB, SPI and GPIO expansion interfaces. It has a built-in LWIP protocol stack, DHCP service, L2TP client, and integrates data verification algorithm and flow control module, VPN tunnel management module, multi-interface network sharing module and Dongle device adapter module.

[0019] Client devices are data generation and receiving terminals in a virtual private network, including direct access devices and Dongle extended access devices. The direct access devices are directly connected to the Cat.1 module through a hardware interface; the Dongle extended access devices are indirectly connected to the virtual network through a USB interface, a WiFi interface, or an RJ45 interface.

[0020] Preferably, the tunnel parameter negotiation module reads the pre-configured L2TP dialing parameters and actively initiates a dialing request to the VPN server to establish an end-to-end encrypted tunnel; the identity authentication module completes dual verification of device identification and user identity; and the multi-interface network sharing module realizes virtual network expansion through native interface combination.

[0021] Preferably, the Dongle device adapter module extends the virtual network through an external module, including:

[0022] (1) Virtual network expansion is achieved through the USB interface;

[0023] (2) Virtual network expansion is achieved by converting the WIFI interface into a WIFI hotspot;

[0024] (3) Virtual network expansion is achieved by connecting an external network card chip through the RJ45 interface.

[0025] The second objective of this invention is to propose a virtual private network (VPN) networking method based on Cat.1 modules, comprising the following steps:

[0026] S1: System initialization, L2TP dialing parameter configuration;

[0027] S2: L2TP VPN tunnel established;

[0028] S3: Extend and share a virtual network with Dongle devices based on multiple interfaces; step S3 includes:

[0029] S31: Native USB interface network sharing and USB Dongle network sharing; the native USB interface uses ECM or RNDIS technology to simulate a virtual USB network card; the USB Dongle network sharing uses a combination of Cat.1 module and USB Dongle, and the Dongle has a built-in signal amplification module and a multi-USB interface expansion chip and supports local data caching.

[0030] S32: Native WIFI interface network sharing and WIFI Dongle network sharing; native WIFI interface can be converted into a hotspot; the WIFI Dongle network sharing dongle has a built-in high-gain antenna and Mesh networking function;

[0031] S33: Native RJ45 interface network sharing and RJ45 Dongle network sharing; native RJ45 interface external network card chip to expand network ports; RJ45 Dongle expansion sharing Dongle has multiple built-in RJ45 network ports and PoE power supply module.

[0032] Preferably, it also includes step S4: tunnel maintenance, anomaly handling, and Dongle equipment management; step S4 includes:

[0033] S41: The Cat.1 module provides real-time monitoring of the activity of tunnel and Dongle equipment;

[0034] S42: Automatic reconnection after tunnel disconnection, recovery from Dongle equipment failure;

[0035] S43: When data is abnormal, send a retransmission request, perform flow control, and record the operation log.

[0036] Preferably, step S1 includes:

[0037] S11: VPN server initialization. The VPN server initialization includes setting up a general L2TP server on a public network server, enabling the L2TP tunnel protocol and setting a customizable listening port, configuring PAP or CHAP authentication mechanism, enabling LAN data forwarding function, and reserving a Dongle device-specific identification field.

[0038] S12: Basic initialization of Cat.1 module; The basic initialization of Cat.1 module includes automatically executing the network attach process, initializing the built-in LWIP protocol stack and DHCP service, starting the Dongle device identification module, and feeding back the status through hardware indicator lights or AT commands after completion;

[0039] S13: L2TP dialing parameter configuration; the L2TP dialing parameter configuration includes:

[0040] (1) Batch configuration of AT commands: send AT commands to the Cat.1 module via serial port;

[0041] (2) Webpage visual configuration: connect to the local hotspot of the Cat.1 module, enter the configuration page in the browser, verify the parameters on the page and display the results.

[0042] Preferably, step S2 includes:

[0043] S21: Tunnel connection request initiation; The tunnel connection request initiation includes parameters configured based on S1. The Cat.1 module actively initiates a dial-up request to the VPN server. If no external Dongle device is connected, the module's built-in L2TP client sends a request message containing the module's unique IMEI code and negotiated encryption algorithm. If an external Dongle device is connected, the module first hands-on with the Dongle to obtain its hardware identifier, and then sends a request message containing the module's IMEI code and the Dongle SN code.

[0044] S22: Identity authentication and parameter negotiation; The identity authentication and parameter negotiation include verifying whether the device identifier is in the valid list and Dongle device compatibility, in which the Dongle device response message carries an additional encrypted certificate in the user identity authentication, and the parameter negotiation also includes data forwarding priority parameters for Dongle devices.

[0045] S23: Tunnel establishment and status confirmation, which includes the server sending a confirmation message containing Dongle adaptation parameters, the Cat.1 module creating a tunnel and obtaining the VLAN IP address, synchronizing the adaptation parameters to the Dongle device, and querying the status of the tunnel and Dongle device through AT commands.

[0046] Preferably, the dongle device in step S3 includes multiple application scenarios: the USB dongle is adapted for networking multiple POS machines in a shopping mall; the WIFI dongle is adapted for smart agricultural greenhouses and large exhibition halls; and the RJ45 dongle is adapted for industrial computer rooms and security monitoring scenarios. In the smart agricultural greenhouse scenario, one Cat.1 module is deployed at the edge of the greenhouse area, and 2-3 WIFI dongles cover the entire greenhouse area. Each dongle connects to multiple soil sensors and irrigation controllers. Data between dongles is exchanged through Mesh technology and then aggregated to the Cat.1 module for transmission to the server. In the security monitoring scenario, one Cat.1 module connects to multiple cameras through an RJ45 dongle. Camera data is aggregated by the dongles and transmitted to the Cat.1 module, and then uploaded to the monitoring server in real time through an L2TP tunnel. At the same time, the dongle supports port isolation function.

[0047] Preferably, the encryption algorithm negotiated in step S2 is AES-128 by default; the maximum transmission unit is 1400 bytes by default; and the link hold interval is 30 seconds by default.

[0048] The present invention has the following beneficial effects:

[0049] (1) The L2TP+VxLAN VPN protocol stack is deeply integrated into the Cat.1 module hardware and firmware. The entire data link from the sub-device (such as industrial controller, sensor) through the module to the VPN server is protected by encryption algorithms such as AES-128, which completely avoids the risk of data theft and tampering in public LTE networks and achieves end-to-end encryption protection. During the tunnel establishment phase, not only is the user account password verified by PAP / CHAP protocol, but the device identity is also authenticated by the unique IMEI code of the Cat.1 module, forming a "user + device" dual verification, preventing unauthorized devices from accessing the virtual network, and providing more comprehensive security protection.

[0050] (2) It does not rely on operator-dedicated APN resources and private network cards, and fully utilizes the native characteristics of Cat.1 modules of "low cost and low power consumption", reducing the hardware investment per device compared to traditional private network APN solutions. At the same time, the built-in VPN function of the module replaces external encryption devices and CPE routers, further reducing hardware procurement costs, making it particularly suitable for large-scale deployment scenarios with thousands or tens of thousands of terminals in the Internet of Things field. The technical solution of this invention eliminates the cumbersome processes such as operator qualification review and network debugging in private network APN solutions, and subsequent maintenance does not require operator technical support, reducing maintenance manpower and time costs.

[0051] (3) It solves the shortcomings of traditional secondary VPN dialing solutions that only support large operating systems such as Windows and Linux. Through a lightweight protocol stack design, it is compatible with embedded systems such as LWIP and FreeRTOS, and can be compatible with mainstream lightweight terminals in the Internet of Things field, including low-power sensors, small controllers (such as PLCs), and embedded hosts. Through interfaces such as USB, WIFI, and RJ45, it can realize "one module to network multiple devices", which can be adapted to mobile devices such as mobile phones and tablets, and can also meet the networking needs of smart home and industrial wired devices. There is no need to design separate networks for different types of terminals, and the device compatibility range is wide.

[0052] (4) Based on multi-interface expansion technology, portable Cat.1 Dongle devices (such as Cat.1+VLAN+USB / WIFI / RJ45) can be derived, providing customized hardware solutions for different scenarios. For example, USB Dongle is adapted for mobile networking of laptops, WIFI Dongle is adapted for smart home devices, and RJ45 Dongle is adapted for traditional wired terminals, further expanding the application boundaries of virtual networking.

[0053] The present invention provides a virtual private network based on Cat.1 modules and its networking method, which features low cost, strong adaptability and high security. Attached Figure Description

[0054] Figure 1 This is a block diagram of the virtual private network (VPN) according to an embodiment of the present invention.

[0055] Figure 2 This is a schematic diagram illustrating data sharing from a virtual network to a terminal device according to an embodiment of the present invention. Detailed Implementation

[0056] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0057] Cat.1 is one of the "UE-Category" classifications in the LTE standard for fourth-generation mobile communication technology. A Cat.1 module is a hardware module that supports Category 1 access capability. It integrates a 4G wireless communication chip, baseband processing unit, and necessary interface circuits, enabling stable connections between the device and the LTE public network. It also features a lightweight hardware architecture, adapting to the IoT field's requirements for "low power consumption, low cost, and wide connectivity." A dongle device is a small hardware device that connects to a host device via a physical interface (such as USB) to extend its functionality. It is primarily used in areas such as wireless audio transmission, network connectivity, device adaptation, and security encryption.

[0058] Example 1

[0059] This embodiment describes a virtual private network based on Cat.1 modules. It revolves around a three-layer architecture of "VPN server - Cat.1 module - client device," clearly defining the hardware composition, functional positioning, and coordination mechanism of each component to achieve secure interconnection of multiple types of devices under a public LTE network. The architecture is as follows: Figure 1 , Figure 2 As shown, it includes:

[0060] 1. VPN Server. As the core control node of the entire Virtual Private Network, it is built on a public network server to provide a general L2TP server, undertaking the key responsibilities of identity authentication, tunnel management, and data forwarding.

[0061] The functional modules of a VPN server include:

[0062] (1) Identity Authentication Module. Stores the identity information of legitimate access devices (including Cat.1 modules and various derivative Dongle devices), including a "username-password" mapping table and a whitelist of unique device identifiers (module IMEI code, Dongle SN code). It supports PAP / CHAP dual authentication mechanisms, which can accurately verify the legitimacy of access devices and prevent unauthorized terminal intrusion.

[0063] (2) Tunnel parameter negotiation module. Listens to the preset port (default port 1701, supports custom modification). Receives tunnel establishment requests initiated by the Cat.1 module and negotiates key parameters with the client, such as encryption algorithm (default AES-128), maximum transmission unit (MTU, default 1400 bytes, adapted to LTE network), link hold interval (default 30 seconds), to ensure that tunnel communication adapts to different scenario requirements.

[0064] (3) Data forwarding module. Enable the local area network data forwarding function, which can accurately forward data from different client devices, such as industrial controllers and sensors, to the corresponding terminal according to the target address in the data packet (such as the virtual IP of the sub-device). At the same time, it supports setting forwarding priority according to device type, such as "industrial equipment" and "consumer electronic devices", to ensure the smooth transmission of critical business data.

[0065] (4) Dongle device compatibility module. A dedicated identification field for Dongle devices is reserved, which can distinguish different extended hardware by device type identifiers, such as "USB-Dongle", "WIFI-Dongle", "RJ45-Dongle", etc., and automatically match the corresponding forwarding strategy and protocol rules to improve the communication efficiency after multiple types of Dongle devices are connected.

[0066] VPN server deployment requires a stable public IP address or support for intranet penetration. Hardware configuration must meet concurrent access requirements, such as supporting ≥100 Cat.1 modules online simultaneously on a single server. Linux is recommended as the operating system to ensure stable operation of the L2TP server.

[0067] II. Cat.1 Module. Serving as the intermediary hub connecting the VPN server and client devices, it integrates a complete VPN protocol stack and multiple interface expansion capabilities, making it a key hardware component for achieving "virtual network sharing" and "Dongle device adaptation".

[0068] The basic hardware components of the Cat.1 module include: a built-in 4G wireless communication chip, baseband processing unit and interface circuit, supporting LTE network access, and reserving expansion interfaces such as USB (supporting ECM / RNDIS technology), SPI (for external WIFI module), and GPIO (for external network card chip) to adapt to different types of Dongle devices and sub-devices.

[0069] The Cat.1 module's core protocol stack includes a fixed LWIP protocol stack (providing the foundation for TCP / IP communication), DHCP service (assigning virtual LAN IPs to sub-devices and Dongle devices), and L2TP client (initiating VPN dialing and maintaining the tunnel). It also integrates a CRC32 data verification algorithm and a flow control module to ensure data transmission integrity and tunnel stability.

[0070] The Cat.1 module features include:

[0071] (1) VPN tunnel management: Read the pre-configured L2TP dialing parameters, including server IP, authentication information, etc., actively initiate a dialing request to the VPN server, complete the dual verification of "device identification verification + user identity authentication", and establish an end-to-end encrypted tunnel; after the tunnel is established, send link detection messages at 30-second intervals, monitor the tunnel status in real time, and trigger automatic reconnection when an abnormality is detected.

[0072] (2) Multi-interface network sharing: Virtual network expansion is achieved by combining native interfaces with external modules.

[0073] (a) USB interface: It simulates itself as a "virtual USB network card" through ECM / RNDIS technology. After the sub-devices such as computers and tablets are connected through USB cable, they automatically obtain virtual LAN IP and access the virtual network.

[0074] (b) WIFI interface: It can be connected to an ESP32 WIFI module based on MIFI technology to convert the virtual network into a WIFI hotspot. It supports 2.4G / 5G dual bands for smart home devices, mobile phones and other WIFI terminals to access.

[0075] (c) RJ45 interface: External CH390 network card chip, expand standard RJ45 network port, support adaptive rate of 10 / 100Mbps, etc., to meet the access needs of wired devices such as industrial controllers (such as PLC) and desktop computers.

[0076] (3) Dongle device adaptation: The built-in Dongle device identification and driver loading module detects external Dongle hardware (such as USB Dongle and WIFI Dongle) through interfaces such as USB and SPI, automatically loads the corresponding driver (such as ECM driver and ESP32 communication driver), and synchronizes the virtual network configuration parameters to realize the rapid access of Dongle devices.

[0077] The status feedback mechanism of the Cat.1 module can be achieved through hardware indicator lights, such as a solid "Network Ready" light indicating normal LTE network attachment, and a flashing "Dongle Adapter" light indicating that the Dongle device has been identified and feedback has been initiated. Alternatively, AT commands can be used, such as "AT+SYSSTAT=READY,DONGLE_SUPPORT" to indicate that the system is ready and supports Dongle extensions, providing feedback on the operating status to the user or management platform for easier troubleshooting.

[0078] III. Client Devices. These are the final data generation and receiving terminals in the virtual network. Based on different access methods, they are divided into two categories: "Direct Access" (Terminal Device A) and "Dongle Extended Access" (Terminal Device B). The specific types and access logic are as follows:

[0079] (1) Terminal device A: Direct access type. Device types include lightweight terminals that only require simple data acquisition or control functions, such as IoT sensors (temperature and humidity sensors, light sensors) and small controllers (such as Arduino development boards, low-power PLCs). These devices usually do not have an independent operating system or are only equipped with embedded systems such as FreeRTOS and RT-Thread, and have limited computing power and storage resources.

[0080] Access method: The device connects directly to the Cat.1 module via a hardware interface (such as UART or I2C), eliminating the need for additional expansion equipment. The Cat.1 module assigns a virtual LAN IP address (e.g., 10.0.0.3) through its built-in DHCP service. Data generated by the device is encapsulated by the module and encrypted before being transmitted to the VPN server via an L2TP tunnel, achieving end-to-end communication between the terminal, module, and server. Typical application scenarios include smart agriculture field sensor networking and industrial workshop distributed controller interconnection, among other cost-sensitive and geographically dispersed scenarios.

[0081] (2) Terminal Device B: Dongle Extended Access Type. Device types include terminals that need to access the network through a specific interface, such as portable testing instruments that rely on USB, smart home devices that support WIFI (such as smart cameras and robot vacuum cleaners), and industrial equipment that requires wired connection (such as machine tools and monitoring hosts). These devices usually have independent operating systems (such as Windows, Linux, and Android) or dedicated control programs.

[0082] Access can be achieved indirectly through the corresponding Cat.1 Dongle device to the virtual network. The specific adaptation logic is as follows:

[0083] (a) USB Dongle Adapter: Terminal devices (such as laptops and POS machines) connect to the Cat.1 USB Dongle via a USB cable. The Dongle has a built-in signal amplification module and an ECM / RNDIS protocol conversion unit to transmit terminal data to the Cat.1 module, which then forwards it through the L2TP tunnel.

[0084] (b) WIFI Dongle Adaptation: Terminal devices such as smart cameras connect to the hotspot released by the Cat.1 WIFI Dongle. The Dongle extends the coverage area through high-gain antennas and Mesh networking function, and aggregates terminal data to the Cat.1 module.

[0085] (c) RJ45 Dongle Adaptation: Terminal devices such as industrial machine tools can be connected to the network port of the Cat.1 RJ45 Dongle via a network cable. The Dongle supports PoE power supply and port isolation functions based on the IEEE 802.3af standard, providing power to the terminal while transmitting data, ensuring stability in industrial scenarios.

[0086] Typical application scenarios include networking of POS machines in shopping malls, interconnection of equipment in large-scale smart agricultural greenhouses, and networking of monitoring equipment in industrial computer rooms, which require expansion of interfaces or coverage.

[0087] This embodiment, through the above three-layer architecture design, realizes the virtual private network networking logic of "centralized management and control of VPN server, core forwarding of Cat.1 module, and flexible access of client devices". It is compatible with lightweight embedded terminals and supports multiple types of extended devices, laying the hardware foundation for subsequent networking processes such as parameter configuration, tunnel establishment, and operation and maintenance support.

[0088] Example 2

[0089] This embodiment presents a networking method for a virtual private network based on Cat.1 modules. It revolves around the core logic of "deep integration of VPN function into Cat.1 modules + multi-scenario network sharing + Dongle device derivation". Through the entire process of "parameter configuration - dial-up tunneling - network expansion and Dongle adaptation - operation and maintenance support", it realizes secure networking of devices under public LTE networks, while meeting the customized hardware requirements of different scenarios.

[0090] The specific steps in this embodiment are as follows:

[0091] S1: System Initialization and L2TP Dial-up Parameter Configuration. Before starting the VPN network, basic initialization of the Cat.1 module and VPN server needs to be completed. Key L2TP dial-up parameters should be configured conveniently, while reserving parameter compatibility space for subsequent Dongle device adaptation. This lays the foundation for tunnel establishment and hardware expansion. Specific steps are as follows:

[0092] S11: VPN Server Initialization. Set up a general-purpose L2TP server on a public network server, complete the core function configuration, and ensure compatibility with Dongle devices. This includes:

[0093] (1) Enable L2TP tunnel protocol and set the tunnel listening port. The default port is 1701. Custom modification is supported to adapt to the communication needs of different Dongle devices.

[0094] (2) Configure PAP / CHAP authentication mechanism and store legitimate clients, including username-password mapping tables for Cat.1 modules and various Dongle devices;

[0095] (3) Enable the local area network data forwarding function to ensure that the data of the sub-devices connected to different Dongle devices can be forwarded to the target device in a targeted manner.

[0096] (4) Reserve a dedicated identification field for Dongle devices, which can be used to distinguish different extended hardware by device type identification, such as “USB-Dongle” or “WIFI-Dongle”, and optimize data forwarding efficiency.

[0097] S12: Cat.1 Module Basic Initialization. After the Cat.1 module is powered on, it automatically executes the network attach process and completes the initialization of the underlying protocol for interfacing with the Dongle device, including:

[0098] (1) Register with the operator's base station through the LTE network to obtain a public IP address or an intranet penetration address assigned by the operator.

[0099] (2) Initialize the built-in LWIP protocol stack (providing the foundation for TCP / IP communication) and DHCP service (assigning internal network IPs to sub-devices and Dongle devices).

[0100] (3) Start the Dongle device identification module, which supports the detection of external Dongle hardware through interfaces such as USB and SPI, and automatically loads the corresponding drivers, such as the ECM / RNDIS driver for USB Dongle and the ESP32 communication driver for WIFI Dongle.

[0101] (4) After initialization is complete, the system will use hardware indicator lights, such as “Network Ready light is always on + Dongle adapter light is flashing”, or AT commands such as “AT+SYSSTAT=READY,DONGLE_SUPPORT”, to provide feedback that “Network is ready and Dongle extension is supported”.

[0102] S13: L2TP dialing parameter configuration. Supports two configuration methods. Configuration parameters are automatically stored in the module's file system and are not lost after power failure.

[0103] (1) Batch configuration of AT commands: For batch deployment scenarios, such as networking multiple Dongle devices in an industrial workshop, a unified AT command can be sent to multiple Cat.1 modules via serial port. The format example is "AT+L2TPCFG=server IP, port number, username, password, authentication method, DONGLE_TYPE=USB". The binding configuration of dialing parameters and Dongle device type can be completed at one time, improving configuration efficiency and suitable for standardized hardware batch networking scenarios.

[0104] (2) Web-based Visual Configuration: For configuration of a single unit or a small number of devices, such as the deployment of a WIFI Dongle in a home scenario, connect to the local hotspot of the Cat.1 module via computer / mobile phone (the initial hotspot name / password is preset in the module firmware), enter the module's default local IP address such as 192.168.1.1 in the browser, and enter the built-in HTML configuration page. In addition to the "Server Information", "Authentication Information", and "Tunnel Parameters" modules, the page adds a "Dongle Adaptation Configuration" module. Users can select the dongle type to connect to: USB / WIFI / RJ45. The system automatically matches the corresponding communication protocol and parameters, such as the hotspot frequency band of the WIFI dongle and the network port speed of the RJ45 dongle. After submission, the module automatically verifies the parameter format and hardware compatibility, and prompts "Configuration successful, dongle device can be connected".

[0105] S2: L2TP VPN Tunnel Establishment. Based on the parameters configured in S1, the Cat.1 module (including when an external Dongle device is connected) actively initiates a dial-up request to the VPN server. Through authentication and parameter negotiation, an encrypted L2TP tunnel is established, while ensuring the stability of the tunnel after the Dongle device connects. The specific process is as follows:

[0106] S21: Tunnel connection request initiated. If no external Dongle device is connected, the L2TP client built into the Cat.1 module reads the dialing parameters in the file system and sends a "tunnel establishment request message" to the listening port of the VPN server. The message contains the client identifier (the module's unique IMEI code) and the negotiated encryption algorithm (default AES-128, which can be configured as needed).

[0107] If an external Dongle device is connected, the module first completes a handshake with the Dongle device through a preset interface (such as USB or SPI) to obtain the hardware identifier (such as the SN code) of the Dongle device. Then, the "module IMEI code + Dongle SN code" is used as a joint client identifier and written into the tunnel establishment request message to realize the dual device identity binding of "module + Dongle" and improve access security.

[0108] S22: Authentication and Parameter Negotiation. After receiving the request, the VPN server processes it according to the "Device Identifier Verification → User Authentication → Parameter Negotiation" process, while also adapting to the communication requirements of the Dongle device.

[0109] (1) Device identification verification: The server first verifies whether the "module IMEI code + Dongle SN code" (or the module IMEI code alone) is in the valid list. If the Dongle device is a new type, it automatically verifies its hardware compatibility, such as whether it supports the ECM protocol and whether the WIFI frequency band is matched. If the verification is successful, proceed to the next step.

[0110] (2) User authentication: The server sends a "CHAP challenge message" or PAP authentication request to the client, and the client generates a response message based on the configured password. If it is a Dongle device, the response message also carries the encrypted certificate of the Dongle device (pre-burned into the Dongle firmware) to achieve dual authentication of "user password + device certificate".

[0111] (3) Parameter negotiation: After the authentication is passed, both parties negotiate the tunnel parameters. In addition to the usual maximum transmission unit and tunnel keep-alive interval, a "data forwarding priority" parameter can be added for the dongle device. For example, the data priority of industrial equipment connected by RJ45 dongle is set to "high", and the data priority of consumer electronic devices connected by USB dongle is set to "medium" to ensure smooth data transmission of critical business data.

[0112] S23: Tunnel Establishment and Status Confirmation. After parameter negotiation, the VPN server sends a "Tunnel Establishment Confirmation Message" to the Cat.1 module. This message contains the dongle device's adaptation parameters, such as the hotspot configuration information for the Wi-Fi dongle and the IP address allocation range for the RJ45 dongle's network port. Upon receiving this message, the module creates an L2TP logical tunnel and automatically obtains the VLAN IP address assigned by the server, such as 10.0.0.2. It also synchronizes the dongle adaptation parameters to the external dongle device, completing the dongle device's network initialization. The module can query the tunnel and dongle device status using the AT command "AT+L2TPSTAT". A return message indicating "Tunnel established, dongle device (USB type) ready, link quality excellent" signifies that the overall network is ready and data transmission can begin.

[0113] S3: Virtual network extension and sharing based on multiple interfaces and Dongle devices. Through three native interfaces—USB, WIFI, and RJ45—combined with derived Cat.1 Dongle devices, the virtual network is shared to various sub-devices, achieving flexible networking of "1 module + multiple types of Dongles + N sub-devices," covering device access needs in different scenarios. The specific implementation method is as follows:

[0114] S31: USB interface and USB Dongle network sharing.

[0115] Native USB Interface Sharing: The Cat.1 module uses ECM (Ethernet Control Model) or RNDIS (Remote Network Driver Interface Specification) network card technology to simulate itself as a "virtual USB network card." When a device, such as a Windows computer, Android tablet, or embedded host, connects directly to the module via USB, the module automatically pushes a DHCP configuration to the device, assigning an IP address (e.g., 10.0.0.3) within the virtual LAN. Data from the device is transmitted to the module via the USB interface, then encrypted and forwarded to the VPN server through an L2TP tunnel, adapting to mobile devices without Ethernet ports or Wi-Fi.

[0116] USB Dongle Extended Sharing: For scenarios requiring long-distance or multi-device USB expansion, such as networking multiple POS machines in a shopping mall, a hardware combination of "Cat.1 module + USB Dongle" is used. The USB Dongle has a built-in signal amplification module and a multi-USB interface expansion chip. After connecting to the Cat.1 module via USB cable, it can simultaneously connect 3-5 sub-devices, such as POS machines and barcode scanners. After receiving data from the sub-devices, the Dongle device transmits the data to the Cat.1 module through its built-in protocol conversion module (compatible with ECM / RNDIS), and then forwards it through an L2TP tunnel. The Dongle also supports local data caching, with a configurable cache capacity of 16MB, to prevent data loss due to network fluctuations.

[0117] S32: The WIFI interface is shared with the WIFI Dongle network.

[0118] Native Wi-Fi Interface Sharing: Connecting an ESP32 Wi-Fi module based on mature MiFi technology to the Cat.1 module allows the module to convert the virtual network signal into a Wi-Fi hotspot signal. Smart home devices, mobile phones, and other Wi-Fi-enabled devices connect to this hotspot and automatically obtain a virtual LAN IP address (e.g., 10.0.0.4) assigned by the module. Data is transmitted to the module via Wi-Fi and then encrypted through an L2TP tunnel, covering home and small office scenarios.

[0119] Extended WiFi Donle Sharing: For large-area or weak signal scenarios, such as smart agricultural greenhouses and large exhibition halls, the "Cat.1 WiFi Donle" device has been developed. This dongle features a built-in high-gain antenna with a transmission range of up to 100 meters and Mesh networking capabilities, allowing it to form a distributed WiFi network with Cat.1 modules. For example, in a smart agricultural greenhouse, one Cat.1 module is deployed at the edge of the greenhouse area, while 2-3 WiFi dongles cover the entire area. Each dongle connects to multiple soil sensors and irrigation controllers. Data exchange between dongles is achieved through Mesh technology, and then the data is aggregated and transmitted to the server via the Cat.1 module, solving the problem of limited coverage of a single WiFi module.

[0120] S33: The RJ45 interface is shared with the RJ45 Dongle network.

[0121] Native RJ45 Interface Sharing: A CH390 network card chip is connected to the Cat.1 module to extend a standard RJ45 network port, supporting adaptive speeds of 10 / 100Mbps. Sub-devices requiring wired connections, such as industrial controllers and desktop computers, can connect to the RJ45 port via network cable. The module then assigns a virtual LAN IP address (e.g., 10.0.0.5) through its built-in DHCP service. Data is transmitted to the module via a wired link and communicates with the server through an L2TP tunnel, meeting the high requirements for network stability and anti-interference in industrial scenarios, such as data transmission from machine tools in a workshop.

[0122] RJ45 Dongle Expansion and Sharing: Designed for scenarios requiring multiple network ports or PoE power supply, such as industrial data centers and security monitoring, the "Cat.1 RJ45 Dongle" device is presented. This dongle has 4-8 built-in RJ45 network ports and a PoE power supply module. It connects to a Cat.1 module via a single network cable, enabling both data transmission and power supply to the dongle and connected sub-devices. For example, in a security monitoring scenario, one Cat.1 module connects to four cameras via the RJ45 dongle. Camera data is aggregated by the dongle, transmitted to the module, and then uploaded to the monitoring server in real-time via an L2TP tunnel. The dongle also supports port isolation to prevent a single camera failure from affecting the overall network.

[0123] S4: Tunnel Maintenance, Anomaly Handling, and Dongle Device Management. To ensure the continuous and stable operation of the virtual network (including Dongle devices), the system monitors the tunnel status and Dongle device operating conditions in real time, and automatically handles issues such as network interruptions, data anomalies, and Dongle malfunctions. The specific mechanisms are as follows:

[0124] S41: Real-time monitoring of tunnel and dongle equipment activity.

[0125] Tunnel activity monitoring: The Cat.1 module sends a "link detection message" to the VPN server according to the "keep alive interval" negotiated by S2. The message contains the status of the currently connected Dongle devices, such as the number of online devices and the device type. After receiving the message, the server immediately sends back a "response message". The module can judge the link quality by statistically analyzing the "send-response" time: a time of less than 100ms is considered "good link", a time of 100ms ≤ time of less than 500ms is considered "average link" and triggers a signal enhancement mechanism (such as adjusting the LTE frequency band), and a time of ≥500ms or no response is considered "abnormal link".

[0126] Dongle Device Monitoring: The module detects the connection status of the external Dongle device via periodic heartbeat packets (every 10 seconds). If no heartbeat response is received from the Dongle three times consecutively, it determines that the "Dongle device is offline" and simultaneously indicates the fault through hardware indicator lights (such as the indicator light of the corresponding Dongle interface flashing) and AT commands (such as "AT+DONGLESTAT=USB,OFFLINE"). In addition, the module can collect the operating parameters of the Dongle device in real time, such as temperature and data transmission rate. When the temperature exceeds 60℃ or the data transmission rate remains below 10kbps for one minute, an early warning mechanism is triggered, such as reducing the Dongle's transmission power or restarting the Dongle.

[0127] S42: Automatic reconnection after disconnection and Dongle fault recovery.

[0128] Tunnel Disconnection Reconnection: When a "link anomaly" is detected, such as a weak LTE signal or a temporary server restart, the module automatically triggers the reconnection process: First, it re-executes network attachment to obtain a new public network connection; then, it reads the L2TP parameters and Dongle configuration information stored in the file system and re-initiates the dialing request; during the reconnection process, the module and Dongle device cache the key data of the sub-device, such as industrial control commands and security monitoring video frames, and prioritize their transmission after the tunnel is rebuilt to reduce the impact of service interruption, with the interruption duration controlled within 10 seconds; after successful reconnection, the module notifies the sub-device and Dongle device of "network restored" via AT commands or indicator lights.

[0129] Dongle Device Fault Recovery: If the "Dongle device is offline" error is detected, the module first attempts local recovery by resetting the dongle device via the interface, such as restarting the USB port or reloading the Wi-Fi driver. If local recovery fails, such as after three consecutive resets the dongle remains offline, the module automatically records the SN code and fault time of the faulty dongle and reports the fault information to the VPN server for remote maintenance. If the fault is a PoE power supply failure in the RJ45 dongle, the module can also detect the power supply voltage. If the voltage is below 48V, it triggers the PoE power supply module to restart and restore power.

[0130] S43: Data anomaly handling and log management.

[0131] Data anomaly handling: During data transmission, the module and the dongle device collaborate to perform data verification: the module verifies the integrity of data received from the dongle using a CRC32 checksum algorithm, while the dongle device verifies the data sent by the sub-device using a checksum algorithm. If a data packet is found to be lost or tampered with, the module immediately sends a "retransmission request" to the sending end (sub-device or server), while the dongle device temporarily stores subsequent data to prevent data sequence errors. Furthermore, the module has a built-in flow control mechanism. When it detects that the transmission rate of a sub-device (such as a sensor) exceeds the tunnel's capacity (e.g., instantaneous rate > 1Mbps), it automatically triggers flow limiting, allocating bandwidth according to "dongle device priority," prioritizing industrial dongles to avoid tunnel congestion.

[0132] Log Management: The system automatically records tunnel operation logs (such as establishment / disconnection time, link quality), Dongle device logs (such as access / offline time, fault type), and data transmission logs (such as packet loss rate, retransmission count). The logs are stored locally on the module (maximum capacity 64MB) and can be exported to a computer via AT commands (such as "AT+LOGEXPORT=20240520") or uploaded to a VPN server via an L2TP tunnel. This facilitates later troubleshooting and network optimization, such as analyzing the reasons for frequent offline Dongle devices in a certain area and adjusting signal coverage.

[0133] This embodiment completes the virtual private network based on the Cat.1 module through the above steps, which has the characteristics of low cost, strong adaptability and high security.

[0134] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the technical principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A virtual private network based on Cat. 1 module, characterized in that, This includes the VPN server, Cat.1 module, and client device that form the sequential data connection; VPN server: It is the control node of the virtual private network. It is a general L2TP server built on a public network server. It includes an identity authentication module, a tunnel parameter negotiation module, a data forwarding module, and a Dongle device compatibility module. The identity authentication module stores the username and password mapping table of legitimate access devices and the unique identifier of the devices, and supports PAP or CHAP dual authentication mechanism. The tunnel parameter negotiation module listens to a preset port and receives tunnel establishment requests from Cat.1 modules; the data forwarding module forwards data according to the set priority and the destination address of the data packet. The Dongle device compatibility module distinguishes different extended hardware and automatically matches forwarding strategies and protocol rules; the extended hardware includes USB interface hardware, WiFi interface hardware, and RJ45 interface hardware. Cat.1 module: It is the connection hub of virtual private network, integrating a complete VPN protocol stack and multi-interface expansion capabilities. It has a built-in 4G wireless communication chip, baseband processing unit and interface circuit, and reserved USB, SPI and GPIO expansion interfaces. It has a built-in LWIP protocol stack, DHCP service, L2TP client, and integrates data verification algorithm and flow control module, VPN tunnel management module, multi-interface network sharing module and Dongle device adapter module. Client devices are data generation and receiving terminals in a virtual private network, including direct access devices and Dongle extended access devices. The direct access devices are directly connected to the Cat.1 module through a hardware interface; the Dongle extended access devices are indirectly connected to the virtual network through a USB interface, a WiFi interface, or an RJ45 interface. The tunnel parameter negotiation module reads the pre-configured L2TP dialing parameters and actively initiates a dialing request to the VPN server to establish an end-to-end encrypted tunnel; the identity authentication module completes dual verification of device identification and user identity. The multi-interface network sharing module achieves virtual network expansion through the combination of native interfaces.

2. The Cat. 1 module based virtual private network of claim 1, wherein, The Dongle device adapter module extends the virtual network through an external module, including: (1) Virtual network expansion is achieved through the USB interface; (2) Virtual network expansion is achieved by converting the WIFI interface into a WIFI hotspot; (3) Virtual network expansion is achieved by connecting an external network card chip through the RJ45 interface.

3. A networking method based on the Cat. 1 module-based virtual private network, using the Cat. 1 module-based virtual private network according to claim 1 or 2, characterized in that, Includes the following steps: S1: System initialization, L2TP dialing parameter configuration; S2: L2TP VPN tunnel established; S3: Extend and share a virtual network with Dongle devices based on multiple interfaces; step S3 includes: S31: Native USB interface network sharing and USB Dongle network sharing; the native USB interface uses ECM or RNDIS technology to simulate a virtual USB network card; the USB Dongle network sharing uses a combination of Cat.1 module and USB Dongle, and the Dongle has a built-in signal amplification module and a multi-USB interface expansion chip and supports local data caching. S32: Native WIFI interface network sharing and WIFI Dongle network sharing; native WIFI interface can be converted into a hotspot; the WIFI Dongle network sharing dongle has a built-in high-gain antenna and Mesh networking function; S33: Native RJ45 interface network sharing and RJ45 Dongle network sharing; native RJ45 interface external network card chip to expand network ports; RJ45 Dongle expansion sharing Dongle has multiple built-in RJ45 network ports and PoE power supply module.

4. The Cat. 1 module based virtual private network networking method of claim 3, wherein, It also includes step S4: tunnel maintenance, anomaly handling, and Dongle equipment management; step S4 includes: S41: The Cat.1 module provides real-time monitoring of the activity of tunnel and Dongle equipment; S42: Automatic reconnection after tunnel disconnection, recovery from Dongle equipment failure; S43: When data is abnormal, send a retransmission request, perform flow control, and record the operation log.

5. The Cat. 1 module based virtual private network networking method of claim 3, wherein, Step S1 includes: S11: VPN server initialization. The VPN server initialization includes setting up a general L2TP server on a public network server, enabling the L2TP tunnel protocol and setting a customizable listening port, configuring PAP or CHAP authentication mechanism, enabling LAN data forwarding function, and reserving a Dongle device-specific identification field. S12: Basic initialization of Cat.1 module; The basic initialization of Cat.1 module includes automatically executing the network attach process, initializing the built-in LWIP protocol stack and DHCP service, starting the Dongle device identification module, and feeding back the status through hardware indicator lights or AT commands after completion; S13: L2TP dialing parameter configuration; the L2TP dialing parameter configuration includes: (1) Batch configuration of AT commands: send AT commands to the Cat.1 module via serial port; (2) Webpage visual configuration: connect to the local hotspot of the Cat.1 module, enter the configuration page in the browser, verify the parameters on the page and display the results.

6. The networking method for a virtual private network based on a Cat.1 module according to claim 3, characterized in that, Step S2 includes: S21: Tunnel connection request initiation; The tunnel connection request initiation includes parameters configured based on S1. The Cat.1 module actively initiates a dial-up request to the VPN server. If no external Dongle device is connected, the module's built-in L2TP client sends a request message containing the module's unique IMEI code and negotiated encryption algorithm. If an external Dongle device is connected, the module first hands-on with the Dongle to obtain its hardware identifier, and then sends a request message containing the module's IMEI code and the Dongle SN code. S22: Identity authentication and parameter negotiation; The identity authentication and parameter negotiation include verifying whether the device identifier is in the valid list and Dongle device compatibility, in which the Dongle device response message carries an additional encrypted certificate in the user identity authentication, and the parameter negotiation also includes data forwarding priority parameters for Dongle devices. S23: Tunnel establishment and status confirmation, which includes the server sending a confirmation message containing Dongle adaptation parameters, the Cat.1 module creating a tunnel and obtaining the VLAN IP address, synchronizing the adaptation parameters to the Dongle device, and querying the status of the tunnel and Dongle device through AT commands.

7. The networking method for a virtual private network based on a Cat.1 module according to claim 3, characterized in that, In step S3, the dongle devices include various application scenarios: USB dongles are adapted for networking multiple POS machines in shopping malls; WIFI dongles are adapted for smart agricultural greenhouses and large exhibition halls; and RJ45 dongles are adapted for industrial computer rooms and security monitoring scenarios. In the smart agricultural greenhouse scenario, one Cat.1 module is deployed at the edge of the greenhouse area, and 2-3 WIFI dongles cover the entire greenhouse area. Each dongle connects to multiple soil sensors and irrigation controllers. Data between dongles is exchanged through Mesh technology and then aggregated to the Cat.1 module for transmission to the server. In security monitoring scenarios, one Cat.1 module connects to multiple cameras via an RJ45 dongle. The camera data is aggregated by the dongle and transmitted to the Cat.1 module, and then uploaded to the monitoring server in real time via an L2TP tunnel. The dongle also supports port isolation.

8. The networking method for a virtual private network based on a Cat.1 module according to claim 3, characterized in that, The encryption algorithm negotiated in step S2 is AES-128 by default; the maximum transmission unit is 1400 bytes by default; and the link hold interval is 30 seconds by default.