I have an Ubuntu server at home.
I access it from outside my network via NAT redirections. I use the port 3876 to connect to the FTP, and this port is redirected by the router to the IP of the server and the port 21.
I opened the Ubuntu firewall ufw for these ports:
OpenSSH ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
40000:50000/tcp ALLOW Anywhere
990/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
40000:50000/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Now I configure vsftpd for a regular FTP connection, adding this to my /etc/vsftpd.conf:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
allow_writeable_chroot=YES
I can connect to my user and upload and download files.
Now I want to do the same thing via TLS, so I create the certificates as in https://linoxide.com/linux-how-to/configure-vsftpd-sftp-ubuntu/ and add this to /etc/vsftpd.conf:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
allow_writeable_chroot=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Now regular FTP is disabled and I can connect via TLS. But I can't upload/download files, and I don't know why or how to configure it.
Any help will be welcome!
Best Answer
But you also need to redirect the ports 50000–60000 for the data connections to allow the transfer.
It may work without TLS, even without the redirect, if the router is smart and automatically opens the ports as needed by inspecting the FTP control connection. But this cannot work with TLS, as the control connection is encrypted and the router cannot inspect it.