If your FTP server is behind a NAT router, the regular FTPS configuration steps you find in most tutorials on the Internet may not work for you. Hope these steps help.
1. Chroot (chain or jail) users to their home directory by adding the line below to proftpd.conf
DefaultRoot ~
2. Generate certificate keys, in this case, in the directory /etc/proftpd/ssl/
$ openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/server.cert.pem -keyout /etc/proftpd/ssl/server.key.pem
3. Add these lines to proftpd.conf
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# SSLv23 is compatibility mode and also allows old protocol versions;
# list only current TLS versions here if all your clients support them
TLSProtocol SSLv23
TLSOptions NoCertRequest
# Paths must match the files generated in step 2
TLSRSACertificateFile /etc/proftpd/ssl/server.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/server.key.pem
TLSVerifyClient off
TLSRequired on
4. Allow a range of passive ports to be forwarded to your ftp server by the firewall and set those ports in your ftp config file – proftpd.conf in this case.
PassivePorts 60000 60100
5. Masquerade the ftp server’s address to the external IP of the NAT server/router.
MasqueradeAddress x.x.x.x
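
To confirm steps 4 and 5 took effect, connect from outside the NAT and look at the server's passive-mode reply in the client's debug output. The checker below is an added example, not part of the original steps: the function name and the sample replies are constructed, and 203.0.113.10 stands in for the x.x.x.x external address.

```python
import ipaddress
import re

# RFC 1918 ranges: an address from these in a PASV reply is unreachable from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def check_passive_reply(reply, external_ip, port_min=60000, port_max=60100):
    """Return a list of problems in a 227 (PASV) or 229 (EPSV) reply line."""
    problems = []
    if reply.startswith("227"):
        m = PASV_RE.search(reply)
        if not m or any(int(g) > 255 for g in m.groups()):
            return ["malformed 227 reply"]
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        addr = ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}")
        port = p1 * 256 + p2  # PASV encodes the port as two bytes, high byte first
        if any(addr in net for net in RFC1918):
            problems.append(f"private address {addr} advertised: MasqueradeAddress not in effect")
        elif addr != ipaddress.ip_address(external_ip):
            problems.append(f"address {addr} does not match external IP {external_ip}")
    elif reply.startswith("229"):
        # EPSV carries only a port; the client reuses the control connection's address
        m = EPSV_RE.search(reply)
        if not m:
            return ["malformed 229 reply"]
        port = int(m.group(1))
    else:
        return ["not a passive-mode reply"]
    if not port_min <= port <= port_max:
        problems.append(f"port {port} outside forwarded range {port_min}-{port_max}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies (not captured from a real server)
    samples = [
        "227 Entering Passive Mode (203,0,113,10,234,146).",  # correct: external IP, port 60050
        "227 Entering Passive Mode (192,168,1,20,234,146).",  # step 5 missing
        "227 Entering Passive Mode (203,0,113,10,195,80).",   # step 4 missing: port 50000
        "229 Entering Extended Passive Mode (|||60100|)",
    ]
    for line in samples:
        print(line, "->", check_passive_reply(line, "203.0.113.10") or "ok")
```

Because TLSRequired encrypts the control channel, the NAT router cannot read or rewrite these replies itself, so the address and port the server sends must already be the externally reachable ones.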