Configure vsftpd in lede

I installed the vsftpd package and configured it myself as well as I could. This is my config:

background=YES
listen=YES
connect_from_port_20=NO
anonymous_enable=NO
#anon_root=/home/ftp_user/storage/
#anon_root=/mnt/sda/FTP/
chroot_local_user=YES
chroot_list_enable=NO
allow_writeable_chroot=YES
local_root=/mnt/sda/FTP/

local_enable=YES
write_enable=YES
local_umask=022
check_shell=NO
#dirmessage_enable=YES
ftpd_banner=Welcome to Mate's FTP service.
session_support=NO
syslog_enable=YES
#userlist_enable=YES
#userlist_deny=NO
#userlist_file=/etc/vsftpd/vsftpd.users
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
debug_ssl=YES
###
### TLS/SSL options
### example key generation: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd_privkey.pem -out /etc/vsftpd/vsftpd_cert.pem -subj /C="DE"/ST="Saxony"/L="Leipzig"/CN="OpenWrt"
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=1040
pasv_max_port=1050
rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem

I can log in to FTP from my phone when I am in the LAN on Wi-Fi. But when I am on mobile data, not in the LAN, I can still log in, but when auth ends it says connection refused. If I try to create a folder, it does get created; the thing is, I can't see anything on the FTP. On the phone I see it returns a PASV address of 10.0.0.1, which is my router's LAN address, so it's not routable from the WAN. How do I fix this issue?

On the firewall side I did not change anything, just added routing from xxxx port to 10.0.0.1:21, that's it.

I tested my FTP on https://ftptest.net/ and it says
Error: Server returned unroutable private IP address in PASV reply

If I set
pasv_address=xx.xx.xxx.xx <- my WAN IP, it still does not work from WAN, and it stops working from LAN too because that address is not routable from within the LAN

Not quite sure what the correct combination of options is, but based on the search results of https://www.google.com/search?q=vsftpd+ftp+passive+nat , it sounds like you can define the public IP as the "listen" address or alternatively set the "pasv_address" option for vsftpd.

I have not tested those, but sounds like you are not the first one to look into that challenge.

You may need to define a port forward in firewall.
And by enabling NAT reflection / NAT loopback for the port forwarding rule, the outside IP should also be reachable from inside the LAN.

Background discussion can be found e.g. in http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html

Thank you for the answer. I am not good when it comes to networking. I am going to read about how to set up NAT reflection.
What ports do I have to forward? I have already forwarded xxxx port to 10.0.0.1:21. And PASV mode uses the 1040-1050 port range from LAN to WAN, right?

Passive mode on FTP means the client creates more connections to the server instead of the server creating connections to the client. When you set pasv_min/max_port you need to forward that port range from the router to the server like you did with port 21.

What is better for security, active or passive?

I had OpenVPN configured with a tap device, so when I connect to OpenVPN first, FTP does work because it can reach the router's LAN address. I made OpenVPN as secure as I could and read many guides. But it's slow.

Probably passive, and active mode will frequently not work anyway because the ports will be blocked by a NAT or firewall on the client side. That's why passive mode was invented.