listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

I have ports 20, 21, and the PASV ports all forwarded. I know my ISP isn't blocking them because before I used TLS I was able to connect fine from an external IP and the port was open.

Yet I still get "Status: Server sent passive reply with unroutable address. Using server address instead" when trying to connect.

kuz
  • The log message is likely unrelated to the problem you describe, i.e. I guess you got it before. If you did not get it before then there is some transparent FTP proxy in the path which tries to rewrite the dynamic IP and ports in the control connection. But this rewriting cannot be done with TLS. More client side debug messages would be helpful, including showing a successful connection w/o TLS for comparison. – Steffen Ullrich May 01 '21 at 09:06
  • What do you mean by that? – kuz May 02 '21 at 21:12

1 Answer

From the fragmentary description in the OP's question I can surmise that:

  • The question is about a server serving FTPS (or FTP with STARTTLS) from a hidden/private address using IPv4 behind a router doing NAT.
  • The server's listen_ipv6=YES listens to both IPv4 and IPv6 with the bind address defaulting to [::].
  • This NAT router is port forwarding port 21 and the preallocated ports 30000-31000 to the server (note: port 20 is outgoing from source port 20, used only for active mode, and should not be forwarded).
  • As TLS is in use, classic ALG support (e.g., on Linux that would be the kernel module nf_nat_ftp) is useless because it can't decipher the control traffic to intercept and alter the PASV answer given back to the client. The client will fail or complain because of an unreachable address (or simply a different address from the address it connected to).

In this situation and with this configuration, the server can work properly only in active mode. If the client (for about the same reason) can only do passive mode, then no data transfer will work correctly.

The server must have some awareness of the network setup to work properly in passive mode.

For vsftpd, a specific setting exists: pasv_address

pasv_address

Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.

Default: (none - the address is taken from the incoming connected socket)

So you should add the public IP address of the gateway forwarding the ports to the configuration with this additional entry (here an example with a gateway having 192.0.2.2 as its public IP address):

pasv_address=192.0.2.2

(or a hostname resolving to this address, but then this also requires pasv_addr_resolve=YES)

I guess then that the parameter listen_ipv6=YES might not be useful anymore for an actual IPv6 client because a PASV command won't receive a correct answer. In such a case, there should probably be two separate instances of vsftpd, one for IPv4 (listen=YES + listen_ipv6=NO) with the settings above and, if it's actually used, one for IPv6 (listen=NO + listen_ipv6=YES with listen_address6 different from [::] and probably no specific setting for pasv_address).

A.B
  • I tried adding `pasv_address=mypublicip`, and then connecting (no TLS) and got ```Status: Retrieving directory listing of "/etc"... Command: TYPE I Response: 200 Switching to Binary mode. Command: PASV Response: 227 Entering Passive Mode (0,0,0,0,39,122). Command: LIST -a Error: The data connection could not be established: WSAEADDRNOTAVAIL - Cannot assign requested address Command: PWD Response: 257 "/" is the current directory Command: TYPE I Response: 200 Switching to Binary mode. Command: PASV Response: 227 Entering Passive Mode (my, ip, here,197,81)``` – kuz May 03 '21 at 00:28
  • So does it mean it doesn't work without TLS and works with TLS now? Did the second one succeed? Can you explain when TLS is used or not used? What client attempt triggered each case, etc.? Does it work better if you change the FTP port to another port than 21 (on the server, the router and the client)? Please [edit](https://serverfault.com/posts/1062234/edit) your question to add this information. – A.B May 03 '21 at 06:33
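The answer explains why a 227 reply that carries the server's private (or all-zero) address is useless to a client on the far side of a NAT, and the comment above shows such a reply. The following added script (not part of the thread or of vsftpd) parses 227 replies the way a NAT-aware client does: it decodes the h1,h2,h3,h4,p1,p2 form, falls back to the control-connection peer when the advertised address is unroutable, and flags a port outside the forwarded pasv_min_port/pasv_max_port span from the question's config. The list of unroutable blocks, the 192.0.2.2 public address (taken from the answer's example) and the sample replies are constructed for the demonstration.

```python
import ipaddress
import re

# Address blocks a remote client can never reach as a data endpoint across the Internet:
# unspecified, loopback, link-local and the RFC 1918 private ranges (constructed list, not vsftpd's).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    The data port is p1*256 + p2. Raises ValueError for anything that is not a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer, pasv_range=(30000, 31000)):
    """Judge the advertised data endpoint the way a NAT-aware FTP client does.
    control_peer is the address the client connected to on port 21; pasv_range is the
    port span forwarded on the router (the question's pasv_min_port/pasv_max_port).
    Returns (address_to_use, port, findings); an empty findings list means the reply is sane."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    findings = []
    if any(addr in net for net in UNROUTABLE):
        # Same fallback as the client message in the question: ignore the advertised
        # address, keep the advertised port, and reuse the control-connection address.
        findings.append("unroutable-address")
        ip = control_peer
    elif ip != control_peer:
        findings.append("address-differs-from-control-peer")
    if not pasv_range[0] <= port <= pasv_range[1]:
        findings.append("port-outside-forwarded-range")
    return ip, port, findings


if __name__ == "__main__":
    # Constructed replies: a LAN address leaking through NAT, the all-zero reply quoted in
    # the comment above, and the reply expected once pasv_address=192.0.2.2 is configured.
    for r in ("227 Entering Passive Mode (192,168,1,20,117,48)",
              "227 Entering Passive Mode (0,0,0,0,39,122)",
              "227 Entering Passive Mode (192,0,2,2,117,48)"):
        print(r, "->", check_pasv(r, "192.0.2.2"))
```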