Openvpn – VSFTP not working over VPN


I've had a FTP service running for some time using vsftp, working with passive mode with no problems.

I've recently set up a VPN using openvpn; as far as I know, I've configured everything correctly. I'm able to connect to servers using local IPs etc. (including the FTP server), and browse the internet.

For some reason, I can't use the FTP over the VPN. I'm able to connect and log in, but when the client (FileZilla) issues the LIST, it gets stuck. I believe this is an issue around passive mode somewhere, although I'm able to connect to the FTP from other servers inside the network (using passive).

Has anyone had this before, or have any idea on something I may have missed?

FYI, this is in an AWS VPC using CentOS 6.5!


FTP log (welcome message, user name, and external IP replaced with #):

Thu Feb 19 17:03:24 2015 [pid 29762] CONNECT: Client ""
Thu Feb 19 17:03:24 2015 [pid 29762] FTP response: Client "", "220 Welcome to #############."
Thu Feb 19 17:03:24 2015 [pid 29762] FTP command: Client "", "AUTH TLS"
Thu Feb 19 17:03:24 2015 [pid 29762] FTP response: Client "", "530 Please login with USER and PASS."
Thu Feb 19 17:03:24 2015 [pid 29762] FTP command: Client "", "AUTH SSL"
Thu Feb 19 17:03:24 2015 [pid 29762] FTP response: Client "", "530 Please login with USER and PASS."
Thu Feb 19 17:03:24 2015 [pid 29762] FTP command: Client "", "USER ##############"
Thu Feb 19 17:03:24 2015 [pid 29762] [##############] FTP response: Client "", "331 Please specify the password."
Thu Feb 19 17:03:25 2015 [pid 29762] [##############] FTP command: Client "", "PASS <password>"
Thu Feb 19 17:03:25 2015 [pid 29761] [##############] OK LOGIN: Client ""
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "230 Login successful."
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "SYST"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "215 UNIX Type: L8"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "FEAT"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "211-Features:"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " EPRT??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " EPSV??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " MDTM??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " PASV??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " REST STREAM??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " SIZE??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " TVFS??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", " UTF8??"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "211 End"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "OPTS UTF8 ON"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "200 Always in UTF8 mode."
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "PWD"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "257 "/""
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "TYPE I"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "200 Switching to Binary mode."
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "PASV"
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP response: Client "", "227 Entering Passive Mode (#############)."
Thu Feb 19 17:03:25 2015 [pid 29766] [##############] FTP command: Client "", "LIST"
Thu Feb 19 17:04:25 2015 [pid 29766] [##############] FTP response: Client "", "425 Failed to establish connection."

Best Answer

In passive FTP mode, the server sends back to the client an IP address and a port the client needs to connect to for opening the data transfer connection (for file transfers and directory listings).

If that is a different IP address than the one you actually need to use to connect to the server (due to NATing, for example), the connection fails.

Were the NATing happening on the server-side network, the FTP server should be configured with its external IP address.

As in your case the NATing happens on the client-side network (if I understand it correctly), the change cannot be done on the server side, as that would break the FTP server for all other users.

Smart NATs would try to inspect FTP traffic and translate the IP address in the PASV response. But that won't work if the FTP traffic is encrypted (TLS/SSL), which I hope is your case too!

The only alternative solution I know is to force your FTP client to ignore the IP address in the PASV response and use the original IP address used to connect to the FTP server.

For example, with the WinSCP FTP/SFTP client, you do that by setting the session option Force IP address for passive mode connections to On:

(I'm the author of WinSCP)

Yet another option is to use an FTP client that supports the more modern EPSV command (instead of PASV), as that allows the server to provide a port only (not an IP address), so it does not have the problem. vsftpd does support it.

See (my) article for details about FTP passive mode from a network configuration perspective.
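To make the PASV-versus-EPSV point above concrete, here is a small parser for the 227 and 229 replies, written as an added illustration for this thread (it is not code from the question, the answer, WinSCP or vsftpd). The replies and addresses in it are constructed sample values; the "force control host" switch mirrors the client-side workaround the answer describes.

```python
import re

# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' - server advertises IP and port
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# '229 Entering Extended Passive Mode (|||port|)' - server advertises port only
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 PASV reply; port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def parse_epsv(reply):
    """Return the port from a 229 EPSV reply (no IP address is carried)."""
    m = EPSV_RE.search(reply)
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in EPSV reply: %r" % reply)
    return port


def data_endpoint(reply, control_host, force_control_host=False):
    """Decide where the data connection should go.

    control_host is the address the client used for the control connection.
    Returns (host, port, warning); warning describes a PASV/NAT mismatch or is None.
    With EPSV the server never sends an IP, so the control host is always used.
    """
    if reply.startswith("229"):
        return control_host, parse_epsv(reply), None
    ip, port = parse_pasv(reply)
    warning = None
    if ip != control_host:
        warning = "PASV advertised %s but control connection went to %s" % (ip, control_host)
    if force_control_host:
        return control_host, port, warning   # WinSCP-style 'force IP address' behaviour
    return ip, port, warning


if __name__ == "__main__":
    # Constructed sample: server advertises its LAN address, client arrived via a VPN address.
    print(data_endpoint("227 Entering Passive Mode (10,0,1,20,195,89).", "172.16.5.9"))
    print(data_endpoint("229 Entering Extended Passive Mode (|||50009|)", "172.16.5.9"))
```

Python's own ftplib applies the same workaround by default since 3.9.2/3.8.8: it ignores the IPv4 address in the 227 reply unless `FTP.trust_server_pasv_ipv4_address` is set to True.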