File transfer with vsftpd does not work with TLS, but does work with unencrypted connection

Question

I have an Ubuntu server at home.

I access it from outside my network via NAT redirections. I use the port 3876 to connect to the FTP, and this port is redirected by the router to the IP of the server and the port 21.

I opened the Ubuntu firewall ufw for these ports:

OpenSSH                    ALLOW       Anywhere                  
20/tcp                     ALLOW       Anywhere                  
21/tcp                     ALLOW       Anywhere                  
40000:50000/tcp            ALLOW       Anywhere                  
990/tcp                    ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
20/tcp (v6)                ALLOW       Anywhere (v6)             
21/tcp (v6)                ALLOW       Anywhere (v6)             
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)             
990/tcp (v6)               ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)    

Now I configure vsftpd for a regular FTP connection adding this to my /etc/vsftpd.conf:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
allow_writeable_chroot=YES

I can connect to my user and upload and download files.

Now I want to do the same thing via TLS, so I create the certificates as in https://linoxide.com/linux-how-to/configure-vsftpd-sftp-ubuntu/ and add this to /etc/vsftpd.conf:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=50000
allow_writeable_chroot=YES

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Now regular FTP is disabled and I can connect via TLS. But I cant upload/download files. And I don't know why or how to configure.

Any help will be welcome!

Answer 1

and this port is redirected by the router to the IP of the server and the port 21

But you need to redirect also the ports 50000–60000 for the data connections to allow the transfer.

It may work without TLS, even without the redirect, if the router is smart and automatically opens the ports as needed, by inspecting the FTP control connection. But this cannot work with TLS, as the control connection is encrypted and the router cannot inspect it.